Keeper Magecart group targeted 570 e-commerce domains across 55 countries

The Keeper Magecart group targeted as many as 570 e-commerce domains across 55 countries since April with card-skimming malware. 85% of the targeted domains operated on the Magento CMS.

These findings were published recently by security firm Gemini Advisory which noted that the Keeper Magecart group has been active for three years and is likely to continue launching increasingly sophisticated attacks against online merchants across the world.

Since April 2017, the hacker group used its interconnected network of 64 attacker domains and 73 exfiltration domains to target over 570 victim e-commerce domains in 55 different countries, with the largest number of targeted domains registered in the United States and in the UK.

The Keeper Magecart group is highly proficient in using data skimming malware to steal payment card details from e-commerce sites and then selling compromised payment card details on the Dark Web for profit. Gemini estimates that since 2017, Keeper likely generated upwards of $7 million USD from selling compromised payment cards.

Magecart hackers exploiting poorly-secured e-commerce domains to steal data

"Operating on an outdated content management system (CMS), utilizing unpatched add-ons, or having administrators’ credentials compromised through SQL injections leaves e-commerce merchants vulnerable to a variety of different attack vectors.

"Over the past six months, the Gemini team has uncovered thousands of Magecart attacks ranging from simple dynamic injection of malicious code using a criminally hosted domain, to leveraging Google Cloud or GitHub storage services and using steganography to embed malicious payment card-stealing code into an active domain’s logos and images.

"The criminals behind this threat constantly evolve and improve their techniques to prey on unsuspecting victims who do not emphasize domain security," Gemini said.

The firm found that many of the 570 targeted e-commerce domains are used by retailers to sell electronics, clothing, jewelry, custom promotional products, and liquor; some of them, holding top Alexa Global Rankings, received anywhere from 500,000 to over one million visitors each month.

While analysing one such targeted domain, fiushafashion.com, researchers at Gemini found that malicious code hidden in the domain's payment page successfully exfiltrated payment card data, billing information, additional PII, and the source URL to the Keeper exfiltration domain assetstorage[.]net.

The security firm chose to name the hacker group "Keeper" based on its repeated use of a single domain, fileskeeper[.]org, to inject malicious payment card-stealing JavaScript (JS) into the website’s HTML code. Data captured by the malicious JS payloads is then exfiltrated through a network of 73 exfiltration domains. Compromised payment card details are then sold on the Dark Web for $10 per compromised Card Not Present (CNP) card.

"With revenue likely exceeding $7 million and increased cybercriminal interest in CNP data during the COVID-19 quarantine measures across the world, this group’s market niche appears to be secure and profitable.

"Based on this pattern of successful Magecart attacks, Gemini assesses with high confidence that Keeper is likely to continue launching increasingly sophisticated attacks against online merchants across the world," the firm added.

How can you prevent Magecart from affecting your business?

According to Tarik Saleh, senior security engineer and malware researcher at DomainTools, Magecart continues to be a successful JavaScript-based malware that steals customer payment information. Magecart is uploaded to your website only after it has been compromised via some other means, like an XSS (Cross-Site Scripting) vulnerability or an RCE (Remote Code Execution) exploit.

Saleh says that if you own a business that handles customers' credit cards or payment information, there are several things you can do to detect and prevent Magecart from affecting you.

"The clearest and most obvious thing to do is ensuring that the operating system and web frameworks used by your public-facing website are fully patched. This will help prevent common exploits that may be affecting versions used by your website. Secondly, it’s important to adjust your web applications' Content Security Policy (CSP) to only allow running scripts from your specific whitelisted domains.

"Thirdly, I recommend deploying a File Integrity Monitoring (FIM) solution to your website’s directory containing the scripts used for the checkout or payment handling process. FIM solutions are great for monitoring when files have been tampered with or added to your website, and while it won’t prevent you from being compromised, it will let you know if Magecart has been installed," he adds.
