The security firm RiskIQ said, in a report released on Saturday, that among the 2,086,529 attacks, it had detected 18,000 hosts that were directly breached.
The report, titled MageCart: The State of a Growing Threat and written by the company's threat researchers Jordan Herman and Yonathan Klijnsma, said Magecart had been active for nearly a decade, with RiskIQ's first observation of it dating to 8 August 2010.
In reply to queries from iTWire, Herman said RiskIQ used the term Magecart as an umbrella term to describe a particular kind of cyber crime.
Asked to cite the reasons for the increase in Magecart attacks, Herman said there were several causative factors.
"Firstly, software development that takes security into consideration over sales timelines/goals is the exception, not the rule, and most software releases contain vulnerabilities that will need to be patched later," he said.
"This dynamic is exacerbated when a vendor is small and lacks resources for extensive QA or other security protections. Specific to the Magecart threat, we see this in the focus of some groups on attacking small third-party vendors as a means to gain access to larger, better-resourced organisations."
Herman said that secondly, it was often the case that types of cyber crime continued to proliferate, evolve, and increase for years after they were identified and became well known.
"For example, ransomware has been well known for years and several extremely widespread attacks have demonstrated the need to protect against it and mitigate its effects through security practices, such as proper back-up procedures, yet we continue to see devastating attacks against municipalities such as Baltimore.
"That is to say, often attack vectors are developed and implemented by a few people. After the efficacy of the attack is demonstrated, other cyber criminals adopt it, alter it, and use it against new targets. With Magecart attacks, in particular, we have seen an evolution of skimming techniques over time."
Herman said at the moment one could observe a wide range of competence and targeting from different groups carrying out Magecart attacks.
"For example, the attacks on British Airways and Newegg were carried out by a group that specifically targeted these organisations, created bespoke skimmers and C2 domains for their attacks, and carried out those attacks with a high level of technical skill. In comparison, the recent attacks on open Amazon S3 buckets were carried out by a group that did no targeting and inserted their skimmer, which was a copy of another group’s skimmer, into any JS script found on an open bucket, demonstrating low levels of effort/skill."
He said while identifying attack vectors or techniques and disseminating that information was an important part of threat response, it was not enough.
"It is the responsibility of every organisation to work to protect themselves and their customers from these threats and to mitigate any potential effects of attacks that are successfully carried out. That is why RiskIQ works with our clients and other organisations we have seen affected by Magecart attacks (for instance, we worked with Amazon to help them identify open S3 Buckets and to communicate with the organisations that owned those buckets and get them closed and the skimmer code removed) to help them understand what happened, why, when, and how so that they can protect themselves in the future."
Asked whether it was safe to conclude that convenience was generally the enemy of security, with the former being sought by the tech industry at the expense of the latter, Herman responded: "As I mentioned above, software development that takes security into consideration over sales timelines/goals is the exception, not the rule, and most software releases contain vulnerabilities that will need to be patched later."
Some key points in the report:
- Seventeen percent of all malvertisements detected by RiskIQ contain Magecart skimmers;
- The average length of a Magecart breach is 22 days with many lasting years, or even indefinitely;
- Shopping platforms such as Magento and OpenCart are the lifeblood of many Magecart groups. RiskIQ has detected 9,688 vulnerable Magento hosts;
- Magecart infrastructure is vast, with 573 known C2 domains, and 9,189 hosts observed loading C2 domains; and
- Because Magecart skimmers stay on websites for so long, threat actors are purchasing Magecart infrastructure that's gone offline to assume access to these breached sites.
The full report can be downloaded here after registration.
Graphics: courtesy RiskIQ