Security firms have monitored the activities of a dozen Magecart groups at least since 2015. The gangs use to implant skimming script into compromised online stores in order to steal payment card data on, but they are quite different from each other.
According to a joint report published by RiskIQ and FlashPoint, s
The group uses about one hundred domains registered and a pool of servers to route traffic and deliver the skimming code to victims.
“Group 4 is advanced. Once the group has access, it is extremely careful about how it places the skimmer. This group focuses on high volumes of compromises with the goal of getting as many cards as possible without specific targeting. However, it doesn’t shy away from targeting altogether.” states the report.
“The way Group 4 uses its skimmer is different from other Magecart groups. The skimmer isn’t shown to just anyone—you can’t request it without knowing a victim and having a valid user-agent at the bare minimum. However, there’s more to it.”
The researchers consider this gang as one of the most advanced Magecart groups, they argue it originates from another crime business involved in malware distribution and hijacking of banking sessions using web injects.
As said the Group 4 evolved tactics, it uses only up to five domains associated with a single IP address.
“The domains associated with Group 4’s skimming operation are simply proxies pointing towards a large internal network. After applying some initial filtering, these proxies upstream skimmer requests towards a backend that provides the skimmer script (or benign script when a visitor isn’t performing a payment),” reads a blog post published by RiskIQ.
multiple benign libraries, experts observed a continuous update for the skimmer, vxers constantly implements new features.
The latest version of the skimmer is only 150 lines of code, which is ten times less than the first release, anyway, it implements more event listeners to hook into the payment process and steal payment card data.
“The previous version of Group 4’s skimmer wasn’t actually a skimmer—it was an overlay payment phishing system.” wrote the experts.
“Group 4’s new skimmer also adds one more event listener to hook into the process of the payment-completion process. Usually, this involves a ‘submit button’ of some kind, but In this case, they hook the keyboard key-events and search for usage of the return/enter key. This is just one more option they added to the skimmer with a feature flag which, until now, we have only seen turned off, which likely indicates Group 4 is still experimenting with it.”
The experts also observed that coders deactivated some feature, a circumstance that suggests that are making some tests with their skimmer.
The option comes deactivated, which supports the theory that it starts as an experiment.
Experts observed an improvement in the way the exfiltration URL is created, it uses a pre-configured domain and passes the exfiltrated payment data as arguments. The URL is included as an image element and removed after it’s loaded.
Initially the data was encoded using the base64 scheme, currently, Magecart hackers use RSA public-private key cryptography before the base64 encoding process.
Further information, including IoCs associated with different groups, are reported in the analysis published by the experts.