A security researcher collected, in a span of a few weeks, over 1,000 domains infected with payment card skimmers, showing that MageCart continues to be a prevalent threat that preys on insecure web shops.

MageCart was first spotted over a decade ago by cybersecurity company RiskIQ, but attacks have grown rampant over the past two years, when big-name companies were hit: British Airways, Ticketmaster, OXO, Newegg.

Since then, automated systems tuned specifically to detect this type of threat have found hundreds of thousands of websites that loaded on their checkout pages malicious JavaScript designed to steal card data from shoppers.

200 alerts sent, no reply

Using freely available tools and some elbow grease, security researcher Max Kersten was able to compile a list of 1,236 domains that were hit by a web skimmer hosted on an external domain.

He started with one domain that hosted a skimmer and the Urlscan.io website scanning service, which allowed him to search for the moment when the skimmer domain changed in the infection chain.

“Repeating this process results in a list of all the exfiltration domains in the chain until it either breaks or the search is stopped. Additionally, one can recursively query every affected domain to search for other skimmer domains” - Max Kersten

Most of the domains included in the research are already available from other sources, since this one-man effort took some time to reach a conclusion.

Kersten says that his goal is to add to those publicly available resources from companies (RiskIQ, Sansec, Group-IB, Malwarebytes, Trustwave) and other researchers (Willem de Groot, Jérôme Segura, Affable Kraut, Jacob Pimental, and Mikhail Kasimov) on domains hosting JavaScript code for stealing payment card info.

Although the data is about two to three weeks old, the researcher believes the results should be roughly the same at this time. The fact that he received no reply to the 200 notifications he sent to website owners or administrators adds to this speculation.

In the list he provides, the latest detection date for some domains is from 2018. This could mean that they are no longer infected or were no longer checked through Urlscan.io.

The endeavor to email all 1,236 companies was stopped by Google’s spam detection since Kersten’s messages were exactly the same, save for the affected domain name and the skimmer detection timestamp.

Main suspect: MageCart Group 12

The methodology used for this research does not track all MageCart infections, but it shows that independent work can uncover a pretty large number of affected online stores.

Kersten found affected domains by using a scanner he made to parse and store results from Urlscan.io’s API, together with several rules that detected the malicious JavaScript. He then removed incorrect and duplicate entries, as well as subdomains that would have skewed the final set of unique domains.
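The pivot described above (start from one skimmer domain, find the shops that loaded it, look for the moment a shop's skimmer domain changes, recurse, then deduplicate shops and subdomains) can be shown in a few dozen lines. The following is an added example written for this article, not Kersten's scanner and not Urlscan.io's client code. It assumes the scan results have already been fetched and reduced to three fields (the scanned shop page, the scan date, the script URLs the page requested); the Urlscan.io API call itself is not shown. All domains, dates and script paths are constructed under `.test`, and the "loaded by at least two shops" rule for promoting a candidate to a skimmer domain is an assumption of this example, not the author's rule.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample shaped like reduced scan results (assumption: real results
# would be reduced to this shape).  shop-a changes skimmer domain between scans,
# www.shop-a is a duplicate of shop-a, shop-d is clean, shop-e was last seen in 2018.
SCANS = [
    {"page": "https://shop-a.test/checkout", "ts": "2019-11-01",
     "scripts": ["https://shop-a.test/js/app.js",
                 "https://skim-one.test/jquery.min.js",
                 "https://stats.vendor-one.test/tag.js"]},
    {"page": "https://www.shop-a.test/checkout", "ts": "2020-01-10",
     "scripts": ["https://www.shop-a.test/js/app.js",
                 "https://skim-two.test/api.js"]},
    {"page": "https://shop-b.test/onepage", "ts": "2020-01-12",
     "scripts": ["https://skim-two.test/api.js",
                 "https://stats.vendor-one.test/tag.js"]},
    {"page": "https://shop-c.test/checkout", "ts": "2020-01-15",
     "scripts": ["https://skim-two.test/api.js"]},
    {"page": "https://shop-d.test/checkout", "ts": "2020-01-16",
     "scripts": ["https://stats.vendor-one.test/tag.js"]},
    {"page": "https://shop-e.test/cart", "ts": "2018-06-03",
     "scripts": ["https://skim-one.test/jquery.min.js",
                 "https://helper.vendor-two.test/x.js"]},
]

# Constructed allowlist of legitimate third-party script hosts, needed because a
# co-occurrence rule alone would flag popular analytics or CDN hosts as skimmers.
KNOWN_GOOD = {"stats.vendor-one.test"}


def host_of(url):
    return urlsplit(url).hostname or ""


def shop_name(url):
    """Collapse www.<shop> and <shop> into one entry so a shop is counted once."""
    host = host_of(url)
    return host[4:] if host.startswith("www.") else host


def build_index(scans):
    """by_shop: shop -> its scans; loaders: script host -> set of shops loading it."""
    by_shop, loaders = defaultdict(list), defaultdict(set)
    for rec in scans:
        shop = shop_name(rec["page"])
        by_shop[shop].append(rec)
        for host in {host_of(u) for u in rec["scripts"]}:
            loaders[host].add(shop)
    return by_shop, loaders


def pivot(seed, scans, known_good=KNOWN_GOOD, min_shops=2):
    """Recursively expand from one skimmer domain.

    Returns (skimmer domains found, {shop: {"ts": latest detection, "skimmer": domain}}).
    A host seen on an affected shop is promoted to a skimmer candidate when it is
    not the shop's own host, not allowlisted, and loaded by >= min_shops shops
    (assumed heuristic; ISO dates compare correctly as strings).
    """
    by_shop, loaders = build_index(scans)
    skimmers, affected, queue = set(), {}, [seed]
    while queue:
        skimmer = queue.pop()
        if skimmer in skimmers:
            continue
        skimmers.add(skimmer)
        for shop in loaders.get(skimmer, ()):
            for rec in by_shop[shop]:
                hosts = {host_of(u) for u in rec["scripts"]}
                if skimmer in hosts:
                    prev = affected.get(shop)
                    if prev is None or rec["ts"] > prev["ts"]:
                        affected[shop] = {"ts": rec["ts"], "skimmer": skimmer}
                # Every scan of an affected shop is examined, so a skimmer domain
                # that replaced the seed in a later scan is picked up here.
                for host in hosts:
                    if host in skimmers or host in known_good:
                        continue
                    if host == shop or host.endswith("." + shop):
                        continue
                    if len(loaders[host]) >= min_shops:
                        queue.append(host)
    return skimmers, affected


def stale_detections(affected, before):
    """Shops whose latest detection predates `before`: possibly cleaned, possibly unscanned."""
    return sorted(s for s, d in affected.items() if d["ts"] < before)


if __name__ == "__main__":
    found, shops = pivot("skim-one.test", SCANS)
    print("skimmer domains:", sorted(found))
    for shop, d in sorted(shops.items()):
        print(f"{shop}: last seen {d['ts']} loading {d['skimmer']}")
    print("stale (pre-2019):", stale_detections(shops, "2019-01-01"))
```

Running it yields two skimmer domains and four affected shops; shop-a.test is listed once with its latest detection (skim-two.test, 2020-01-10), shop-d.test is absent because it only loaded an allowlisted host, and shop-e.test is reported as a stale 2018 detection, the case the article notes for some entries in Kersten's list.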

For the most part, the results from this effort track partial activity from MageCart Group 12, which is considered a more advanced threat actor in the web skimming business.

Kersten told BleepingComputer that the confidence level in attributing infections to this group increases proportionally to the freshness of the detection date.

In a report published on his blog, the researcher says that 70% of the online stores compromised in a MageCart attack could be pinged when he checked if they were reachable.

This only indicates that they are no longer feeding cybercriminals with credit card info; shoppers were still affected at one point.

Also, some of them were still under development, as indicated by the generic Lorem Ipsum placeholder text in “about” pages. Despite this, they did engage in commercial activity.

“Note that not all infections within the data set loaded the actual skimmer, as the skimmer domain could have been either unreachable or taken down. This is favourable for the shopping customer, but the infection on the web shop was still present, as the request was recorded” - Max Kersten

Most affected shops are in the U.S.

As for the categories of products sold on compromised websites and their geographical regions, the researcher spent five evenings checking them manually.

Food-related shops, services, adult items, and miscellaneous products are the main categories, along with an “unknown” segment that stands for shops that were not accessible or found in other sources.

Based on Kersten’s research, the country with the most shops impacted by MageCart is the U.S., while individual countries in Europe seem to be the least affected, as the U.K. is in the lead with just 68 shops:

  1. US (303)
  2. Unknown (280)
  3. IN (79)
  4. UK (68)
  5. DE (50)
  6. AU (47)
  7. BR (46)
  8. FR (34)
  9. IT (31)
  10. NL (28)
  11. CA (23)
  12. ES (19)

The researcher provides in his post the full list of domains where a credit card skimmer was detected. Payment info of those who shopped on those sites during the provided time interval is likely compromised. If the card has not expired, it would be a good idea to check for account balance inconsistencies and ask the issuing bank for a new one.
