{"id":15964,"date":"2019-08-01T08:10:14","date_gmt":"2019-08-01T16:10:14","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2019\/08\/01\/news-9708\/"},"modified":"2019-08-01T08:10:14","modified_gmt":"2019-08-01T16:10:14","slug":"news-9708","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/08\/01\/news-9708\/","title":{"rendered":"No summer break for Magecart as web skimming intensifies"},"content":{"rendered":"

Credit to Author: J\u00e9r\u00f4me Segura| Date: Thu, 01 Aug 2019 15:00:00 +0000<\/strong><\/p>\n

This summer, you are more likely to find the cybercriminal groups Magecart client-side<\/a> rather than poolside. <\/p>\n

Web skimming, which consists of stealing payment information directly from within the browser, is one of today’s top web threats. Magecart, the group behind many of these attacks, gained worldwide attention with the British Airways and TicketMaster breaches, costing the former \u00a3183 million ($229 million) in GDPR fines<\/a>.<\/p>\n

Skimmers, sniffers, or swipers (all valid terms used interchangeably over the years) have been around for a long time and fought against mostly on the server side by security companies like Sucuri<\/a> that perform website remediation.<\/p>\n

Today, web skimming is a booming business comprised of numerous different threat groups, ranging from mere copycats to more advanced actors. During the past few months, we have witnessed a steady increase in the number of hacked e-commerce sites and skimming scripts. In this post, we share some statistics on web skimming based on our telemetry, as well as what Malwarebytes is doing to protect online shoppers from this threat.<\/p>\n

65K theft attempts blocked in July<\/h3>\n

During the past few months, we have been observing a growing number of blocks related to skimmer domains and exfiltration gates. This activity drastically increased as the summer rolled out, most notably with peaks around July 4 (Figure 1).<\/p>\n

\"\"<\/a>
Figure 1: Web blocks for skimmer domains and gates recorded in our telemetry<\/figcaption><\/figure>\n

In the month of July alone, Malwarebytes blocked over 65,000 attempts to steal credit card numbers via compromised online stores. Fifty-four percent of those shoppers were from the United States, followed by Canada, with 16 percent and Germany with 7 percent, as seen in Figure 2.<\/p>\n

\"\"<\/a>
Figure 2: Top 10 countries for Magecart activity in July<\/figcaption><\/figure>\n

In addition to a greater number of compromised e-commerce sites (which often times have been injected with more than one skimmer), we also documented large and ongoing spray and pray attacks on Amazon S3 buckets<\/a>.<\/p>\n

Many skimmers, too many groups<\/h3>\n

Skimmer code can help to identify the groups behind them, but it is becoming increasingly difficult to do so. For instance, the Inter kit that is sold underground is used by different threat actors, and there are many copycats reusing existing code for their own purpose as well.<\/p>\n

\"\"<\/a>
Figure 3: Fragments from different skimmer scripts <\/figcaption><\/figure>\n

Having said that, skimmers typically have a similar set of functionalities:<\/p>\n