A hacker group has broken into at least 570 e-commerce stores in 55 countries, including in India, in the last three years, leaking information on more than 184,000 stolen credit cards and generated over $7 million (over Rs 52 crore) from selling compromised payment cards.
Known as “Keeper, the group has been stealing information from these online stores which include Mumbai-based online jewellery store ejohri.com that was allegedly compromised in February this year, according to the threat intelligence firm Gemini Advisory.
“Over 85 percent of the victim sites operated on the Magento CMS, which is known to be the top target for Magecart attacks and boasts over 250,000 users worldwide,” said the Gemini report.
The country hosting the largest selection of these victim e-commerce sites was the US, followed by the United Kingdom and the Netherlands.
The websites hacked include online bicycle merchant milkywayshop.it, Pakistan-based clothing store alkaramstudio.com, Indonesia-based Apple product reseller ibox.co.id and US-based premier wine and spirits seller cwspirits.com, among others.
The Keeper eMagecart’ group has verifiably compromised hundreds of domains and likely extracted payment card information from many more that have yet to be uncovered.
“With revenue likely exceeding $7 million and increased cybercriminal interest in CNP (Card Not Present) data during the COVID-19 quarantine measures across the world, this group’s market niche appears to be secure and profitable,” said the report.
“Keeper” is likely to continue launching increasingly sophisticated attacks against online merchants across the world.
Gemini uncovered an unsecured access log on the Keeper control panel with 184,000 compromised cards with time stamps ranging from July 2018 to April 2019.
“Extrapolating the number of cards per nine months to Keeper’s overall lifespan, and given the dark web median price of $10 per compromised Card Not Present (CNP) card, this group has likely generated upwards of $7 million USD from selling compromised payment cards,” the report informed.
In mid-2020, Magecart attacks have become a daily occurrence for small to medium-sized e-commerce businesses.
Operating on an outdated content management system (CMS), utilizing unpatched add-ons, or having administrators’ credentials compromised through sequel injections leaves e-commerce merchants vulnerable to a variety of different attack vectors.
Over the past six months, the Gemini team has uncovered thousands of Magecart attacks ranging from a simple dynamic injection of malicious code using a criminally hosted domain, to leveraging Google Cloud or GitHub storage services and using steganography to embed malicious payment card-stealing code into an active domain’s logos and images.
“The criminals behind this threat constantly evolve and improve their techniques to prey on unsuspecting victims who do not emphasize domain security,” the security researchers noted.