Magecart – a cybercriminal group that used digital skimmer to steal data of millions of users
At the end of last month, Ticketmaster UK, an online ticket company, published a report about a serious data breach that affected the external third-party payment supplier Inbenta Technologies. According to the company, less than 5% of firm's global customers were affected and had their credit card and other personal information stolen.
However, security researchers at RiskIQ discovered that is not a one-off attack and was performed by a hacker group called Magecart, which is also responsible for breaches of more than 800 e-commerce sites around the globe.
Initially, card skimmers are devices used in ATMs and other machines to steal credit card information from. Although this method can be very useful, it might not be as effective as operating the digital skimmers, which are capable of stealing information of more than 10,000 victims instantly. And that is precisely what Magecart hacker group started doing from 2016.
Magecart is affecting a variety of companies while harvesting credit card details
According to RiskIQ, it was not only the UK's Ticketmaster site that was affected by the breach but also Ireland's, Turkey's and New Zealand's websites. Research also showed that Ticketmaster's branches in Germany, Australia, and International were also jeopardized via a different third-party company called SociaPlus.
Additionally, researchers discovered that other suppliers were compromised by Magecart as well, including CMS Clarity Connect, Annex Cloud, PushAssist, and others, making this hacker-group prominent in the credit card information stealing business.
A threat researcher at RiskIQ said the following:
The Ticketmaster incident received quite a lot of publicity and attention, but the Magecart problem extends to e-commerce sites well beyond Ticketmaster, and we believe it’s cause for far greater concern. Magecart is bigger than any other credit card breach to date and isn’t stopping any day soon
It was also determined that the Command & Control server all the credentials are sent to has been operating since December 2016. It is unclear how much data hackers managed to steal in the meantime, but it is evident that many victims got their private data compromised while expecting it the least. Users who only enter their credentials into reputable sites should not suffer any data loss, although hacking attacks like these prove that nobody is safe.
The hacker group is expanding their operation and are not likely to stop
Is it possible to stop Magecard? Maybe, but at the moment seems highly unlikely. Bad actors are continuing their malicious activities and get better at hacking techniques, as well as manage to select their targets carefully so it would bring them the most profit.
At first, the hacker group targeted individual websites and soon realized that they could abuse the data readers much more efficiently by modifying script of third-party suppliers that handle payment information of millions of users.
Researchers reported that the breaches that are publicly announced nowadays as separate occurrences are actually connected and are a part of much bigger operation created by Magecard.