Monday, 07 October 2019 09:24

Magecart attacks have crossed 2m mark, RiskIQ claims


A cyber crime syndicate known as Magecart, which is made up of dozens of sub-groups that indulge in credit card theft by skimming online payment forms, has been found to be implicated in more than two million such attacks.

The security firm RiskIQ said, in a report released on Saturday, that among the 2,086,529 attacks, it had detected 18,000 hosts that were directly breached.

The report, titled MageCart: The State of a Growing Threat and written by the company's threat researchers Jordan Herman and Yonathan Klijnsma, said Magecart had been active for nearly a decade with RiskIQ's first observations about it being on 8 August 2010.

In reply to queries from iTWire, Herman said RiskIQ used the term Magecart as an umbrella term to describe a particular kind of cyber crime.

"[This is] the injection of skimmer code onto e-commerce websites with the intent of stealing credit card and other personal information," he said. "In the past, we limited this moniker to six discrete criminal groups, but, while we still track a number of specific groups carrying out this type of cyber crime, the proliferation of Magecart means that there are more persons involved in this activity than it is practical for us to enumerate."

[Figure: malvertisements and Magecart]

Asked to cite the reasons for the increase in Magecart attacks, Herman said there were several causative factors.

"Firstly, software development that takes security into consideration over sales timelines/goals is the exception, not the rule, and most software releases contain vulnerabilities that will need to be patched later," he said.

"This dynamic is exacerbated when a vendor is small and lacks resources for extensive QA or other security protections. Specific to the Magecart threat, we see this in the focus of some groups on attacking small third-party vendors as a means to gain access to larger, better-resourced organisations."

Herman said that secondly, it was often the case that types of cyber crime continued to proliferate, evolve, and increase for years after they were identified and became well known.

"For example, ransomware has been well known for years and several extremely widespread attacks have demonstrated the need to protect against it and mitigate its effects through security practices, such as proper back-up procedures, yet we continue to see devastating attacks against municipalities such as Baltimore.

[Figure: length of Magecart breach]

"That is to say, often attack vectors are developed and implemented by a few people. After the efficacy of the attack is demonstrated, other cyber criminals adopt it, alter it, and use it against new targets. With Magecart attacks, in particular, we have seen an evolution of skimming techniques over time."

Herman said at the moment one could observe a wide range of competence and targeting from different groups carrying out Magecart attacks.

"For example, the attacks on British Airways and Newegg were carried out by a group that specifically targeted these organisations, created bespoke skimmers and C2 domains for their attacks, and carried out those attacks with a high level of technical skill. In comparison, the recent attacks on open Amazon S3 buckets were carried out by a group that did no targeting and inserted their skimmer, which was a copy of another group’s skimmer, into any JS script found on an open bucket, demonstrating low levels of effort/skill."

He said while identifying attack vectors or techniques and disseminating that information was an important part of threat response, it was not enough.

"It is the responsibility of every organisation to work to protect themselves and their customers from these threats and to mitigate any potential effects of attacks that are successfully carried out. That is why RiskIQ works with our clients and other organisations we have seen affected by Magecart attacks (for instance, we worked with Amazon to help them identify open S3 Buckets and to communicate with the organisations that owned those buckets and get them closed and the skimmer code removed) to help them understand what happened, why, when, and how so that they can protect themselves in the future."

Asked whether it was safe to conclude that convenience was generally the enemy of security, with the former being sought by the tech industry at the expense of the latter, Herman responded: "As I mentioned above, software development that takes security into consideration over sales timelines/goals is the exception, not the rule, and most software releases contain vulnerabilities that will need to be patched later."

Some key points in the report:

  • Seventeen percent of all malvertisements detected by RiskIQ contain Magecart skimmers;
  • The average length of a Magecart breach is 22 days with many lasting years, or even indefinitely;
  • Shopping platforms such as Magento and OpenCart are the lifeblood of many Magecart groups. RiskIQ has detected 9,688 vulnerable Magento hosts;
  • Magecart infrastructure is vast, with 573 known C2 domains, and 9,189 hosts observed loading C2 domains; and
  • Because Magecart skimmers stay on websites for so long, threat actors are purchasing Magecart infrastructure that's gone offline to assume access to these breached sites.
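The injection pattern described above (skimmer code added to a site's own scripts or to a third-party script it loads) suggests a simple check a shop operator can run against their own checkout page. The following is an added example, not code from the article or from RiskIQ: it audits a page's script tags for unexpected hosts and for allowed third-party scripts that carry no Subresource Integrity hash. The host names and the sample page are constructed.

```python
# Added example, not from the article or the RiskIQ report: a defender-side, stdlib-only
# audit of a page's <script> tags. It flags scripts from hosts outside an allowlist and
# allowed third-party scripts lacking Subresource Integrity. All host names are constructed.
from html.parser import HTMLParser
from urllib.parse import urlparse

class _ScriptCollector(HTMLParser):
    """Collect the attribute dict of every <script> element in the page."""
    def __init__(self):
        super().__init__()
        self.scripts = []
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.scripts.append(dict(attrs))

def audit_scripts(html, first_party, allowed_hosts):
    """Return (severity, message) findings. first_party is the shop's own host;
    allowed_hosts are the third parties it knowingly loads (PSP, analytics, ...)."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.scripts:
        src = attrs.get("src")
        if src is None:
            # Inline scripts are a common place for injected skimmers: surface for review.
            findings.append(("info", "inline script present"))
            continue
        host = urlparse(src).hostname or first_party  # relative src => first party
        if host == first_party:
            continue
        if host not in allowed_hosts:
            findings.append(("high", f"script from unexpected host {host}: {src}"))
        elif "integrity" not in attrs:
            # SRI is what would catch a tampered copy of a script the shop does trust
            findings.append(("medium", f"allowed third-party script without SRI: {src}"))
    return findings

# Constructed sample page: first-party script, allowed PSP script with SRI, allowed
# analytics script without SRI, script from an unknown S3 bucket, and an inline script.
SAMPLE_HTML = """
<script src="/js/checkout.js"></script>
<script src="https://pay.example-psp.test/sdk.js" integrity="sha384-AAAA" crossorigin="anonymous"></script>
<script src="https://stats.example-analytics.test/a.js"></script>
<script src="https://some-open-bucket.s3.amazonaws.com/lib.js"></script>
<script>var x = 1;</script>
"""
ALLOWED = {"pay.example-psp.test", "stats.example-analytics.test"}
if __name__ == "__main__":
    for severity, message in audit_scripts(SAMPLE_HTML, "shop.example.test", ALLOWED):
        print(severity, message)
```

Run it against a saved copy of the checkout page; a "high" finding is a script the site never chose to load, which is exactly the footprint the report's 9,189 hosts loading C2 domains would leave.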

The full report can be downloaded here after registration.

Graphics: courtesy RiskIQ

Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
