A Magecart Skimming Operation Went Undetected for 30 Months

• Researchers unearth a Magecart skimming operation that has been active for 2.5 years now.
• The target platform is a magazine printing firm, so the victims are magazine subscribers in the United States.
• The platform has failed to respond to the notices, so the key-loggers are still running on the payment webpages.

Researchers from “Sanguine Security” discovered a record-breaking Magecart skimming operation that has been active since August 2017. The victims of this extensive operation are subscribers of the printed version of the ESPN Magazine (discontinued in 2019), the “Stars and Stripes” military publication, and various others served by the same printing platform. The researchers have identified at least 18 distinct keyloggers that fed data to various hacking groups, while many of them were active concurrently in some cases. The 30 months for which the operation lasted make this the longest ever Magecart skimming operation to be discovered.

The first skimmer that was deployed belonged to the “webstatvisit.com” family and kept stealing payment data until February 1, 2019. Then, the actors replaced it with a new one who was able to exfiltrate user keystrokes to “http://jackhemmingway.com/editonepost.com/gate.php”. The Magecart actors switched to different collecting points several times, as described in detail below:

• 3rd Apr 2019: http://joyjewell.com/gate.php
• 30th Apr 2019: https://thefei.com/usballiance.org/admin/gate.php
• 5th May 2019: https://thefei.com/boomerlifestage.com/admin/gate.php
• 21st July 2019: http://bizlawyer.org/cg-bin/gate.php

The “gate.php” is a widely-used sniffer kit that sells for $950 on the dark web and is unquestionably a mark of Magecart operations. In the months that followed, the actors changed skimmers many times, reaching a total of seven versions, with some running simultaneously for a couple of weeks. Potentially, the goal of this was to accommodate various hacking groups, as well as to rush stolen data to darknet marketplace listings.

Sanguine Security has tried to contact the printing platform multiple times already, but they are yet to receive a response from them. This means that they are still infected with the skimming scripts and that the people who have had their payment data stolen have received no notice about it. If you have bought a subscription to the ESPN Mag or the “Stars and Stripes”, you may want to check your bank account and review all transactions carefully.

Magecart is a continuous and ever-intensifying problem that is mostly in the hands of the website owners to solve. That said, people should be careful with whom they share their payment data and use electronic payment methods over card-based ones. Also, install a network security suite from a trusty vendor that can detect these skimming scripts and warn you when you visit a webpage that’s hiding them.