Magecart Attacks: The Dark Art Fraudsters Use to Steal Payment Data

Many of us have withstood credit or debit card fraud. According to Security.org:

• 127 million Americans have been victims of a fraudulent charge
• More than one in three cardholders have experienced card fraud more than once

But how do our cards become compromised without us knowing? In this blog, we dive into several research reports from Recorded Future's Insikt Group® to reveal the methods criminals are using and the targets they're going after.

The Beginning of the Compromised Payment Card Lifecycle

Fraudsters take many stealthy approaches to capture card-present (CP) and card-not-present (CNP) data. For example, card-present data can be collected via infected point-of-sale (POS) devices or skimmed during in-person transactions. However, capturing card-not-present data is the crown jewel for today's criminals.

While CNP card data can be compromised using social engineering techniques, it's now more likely to be captured with digital skimming techniques, such as Magecart e-skimmer infections. Once installed on an e-commerce site, the malicious e-skimmer script allows criminals to steal the card and billing data shoppers submit on checkout pages.

The rise of online shopping during the COVID-19 pandemic drove Magecart attacks to become a popular technique for dark web cybercriminals. Even though e-commerce sales have begun leveling off from their pandemic-fueled surge, the desire to capture CNP data remains.

In 2020, Recorded Future discovered over 1,132 unique attacker domains responsible for hosting malicious payloads or receiving stolen payment cards, nearly doubling the amount from the previous year. In addition, analysts found thousands of unique attacker scripts, a 20-fold increase over 2019, and an indication that fraudsters are producing numerous variations of these attacks.

As Magecart attacks become more lucrative, cybercriminal infrastructure has grown in sophistication.

To further compound the danger of Magecart attacks, the Skimming-as-a-Service model has become more common among dark web communities. Similar to Ransomware-as-a-Service (RaaS), this allows less technical cybercriminals to hire expert hackers who then write malicious scripts, embed card skimmers on their compromised sites, or even launch attacks on their behalf. It's likely the Skimming-as-a-Service model, similar to the Ransomware-as-a-Service model, will become more widespread.

In this increasing specialization and commercialization of cybercrime, cybercriminals focus their specific focus on individual tasks and work for one another to launch more effective attacks.

Hiding in Plain Sight

Unsuspecting shoppers are unaware that their payment data is siphoned off from what looks and feels like a legitimate checkout page to a malicious domain under the threat actors' control. Meanwhile, merchant and financial institution defenders searching for Magecart infections can feel like they're chasing after ghosts. Over the past two years, Recorded Future has discovered three significant variants of malicious scripts hidden inside a legitimate web service: Google Tag Manager.

The abuse and incorporation of legitimate web services like Google Tag Manager (GTM) into e-skimmer attack chains offer threat actors several advantages.

First, it enables threat actors to modify the contents of the GTM containers to update scripts or swap out malicious domains – without accessing the victimized e-commerce website's system – allowing cybercriminals to avoid detection as they're not creating suspicious log activity.

The second advantage is that e-commerce website administrators may allowlist 'trusted' source domains, such as legitimate Google services, to save resources. As a result, security software may be configured to not scan the contents of GTM containers, thereby inhibiting detection and remediation of infected containers.

Fraudsters Prefer Delivery

Criminals have been honing in on high-value targets, such as online ordering platforms, that provide the highest payout for the least amount of work. While there are a few major companies in the space, many smaller services lack the same security infrastructure as Uber Eats and DoorDash, but still have hundreds of restaurants as clients. One Magecart attack on an online ordering platform can expose online transactions performed by many other restaurants that use the same platform. In July 2022, Recorded Future identified two different Magecart campaigns that injected e-skimmer scripts into the online ordering portals of three separate online ordering platforms, infecting at least 311 restaurants, which compromised over 50,000 payment card records.

Author's Note: Within the Recorded Future Payment Fraud Intelligence module, I discovered my credit card was compromised during a transaction on one of these online ordering platforms in early 2020.

Economic Sanctions Lead to an Increase in Fraud?

Another avenue to watch out for is that western sanctions imposed on Russia may motivate Russian-based threat actors to compromise, sell, and monetize payment cards. Indeed, Russia's economic crisis during its confrontation with the West creates the socioeconomic conditions to drive more individuals from Russia's significant Information Technology (IT) sector to engage in financially-motivated cybercrime, such as carding. The Russian government is unlikely to stand in the way.

In an interview with The Record, Natalia Tkachuk, Head of the Information Security and Cybersecurity Service – part of the National Security and Defense Council of Ukraine, explains "among those IT specialists that remain [in Russia], there will be those who switch to… cybercrime", citing "Moscow's blatant disregard for the norms of international law in all spheres – including the fight against cybercrime… will certainly create favorable conditions for the domestic growth of cybercrime". Stealing payment data is considered one of the 'lower rungs' of the cybercrime ladder. It is noteworthy that Russian-language actors dominate the majority of fraud-focused dark web forums and top-tier carding marketplaces. Recorded Future analysts expect that an increase in Russian cybercrime would correspond to an expansion of Russian carding.

Financial institutions, merchants, and consumers face increased attacks from financially-motivated Russian-based criminals who can hide their attacks in plain sight on targets that offer treasure troves of card data.

It's a challenge. However, Recorded Future is able to help with proactive domain scanning, detailed technical and card data analysis, Payment Fraud Intelligence, and specifically, our Magecart Overwatch solution – which provides near real-time visibility into newly breached e-commerce domains globally – enabling financial institutions and merchants to take immediate action for fraud mitigation, by exposing Magecart skimmers and identifying skimmer domains.

Learn the devious strategies criminals use to infiltrate e-commerce sites and steal payment card data without getting caught. Check out our on-demand webinar: "The Dark Arts Fraudsters Use to Steal Payment Data."

Interested in learning more about how Recorded Future disrupts the entire payment fraud lifecycle? Book a demo to talk with one of our experts.