Security researchers have uncovered a Magecart group that has infected over 570 e-commerce sites around the world over the past three years, growing in scale and sophistication over that time.
The “Keeper” group was identified and named by Gemini Advisory in reference to the domain (fileskeeper[.]org) that was used both to inject malicious digital-skimming JavaScript and to receive stolen card data.
In total, however, the firm found a network of 64 attacker domains associated with the group, used to deliver malicious payloads, and a further 73 exfiltration domains used to receive stolen payment card data.
These domains were usually registered to look like legitimate ones, such as popular website plugins and payment gateways, in order to stay under the radar.
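A defender-side check of the kind this implies, added here as an example (it is not Gemini Advisory's tooling): it inventories the external hosts a checkout page loads scripts from or references in inline code, compares them with an assumed allowlist, and flags hosts whose names imitate plugin or payment-gateway brands. The allowlist, brand tokens and sample hostnames are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this store legitimately loads scripts from or posts to (assumed allowlist).
ALLOWED_HOSTS = {"shop.example", "cdn.shop.example", "js.gateway.example"}
# Brand words that skimmer domains imitate (plugins, payment gateways); assumed list.
BRAND_TOKENS = ("magento", "gateway", "checkout", "pay", "plugin", "jquery")
URL_RE = re.compile(r"https?://[A-Za-z0-9.-]+")

# Constructed checkout page: one legitimate script, one injected lookalike
# script, and an inline snippet that reports to an unknown external host.
SAMPLE_HTML = """<script src="https://cdn.shop.example/checkout.js"></script>
<script src="https://magento-analytics.example/m.js"></script>
<script>fetch("https://stats.collector.example/c");</script>"""


class ScriptHostCollector(HTMLParser):
    # Collects hosts of external <script src> tags and of URLs inside inline scripts.
    def __init__(self):
        super().__init__()
        self.hosts = set()
        self.in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            src = dict(attrs).get("src") or ""
            if src.startswith("http"):
                self.hosts.add(urlparse(src).hostname)

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        # URLs hard-coded in inline JavaScript are candidate exfiltration endpoints.
        if self.in_script:
            for url in URL_RE.findall(data):
                self.hosts.add(urlparse(url).hostname)


def audit_page(html, allowed=ALLOWED_HOSTS):
    # Returns {host: "lookalike" | "unknown"} for each external host not on the allowlist.
    collector = ScriptHostCollector()
    collector.feed(html)
    return {
        host: "lookalike" if any(tok in host for tok in BRAND_TOKENS) else "unknown"
        for host in sorted(collector.hosts - allowed)
    }
```

Run against the page's own checkout HTML, any "lookalike" or "unknown" host is a change-control question: either add it to the allowlist deliberately or treat it as a possible injection.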
As is the norm, the group went after smaller e-commerce sites in the hope that they were less well-defended. However, some of these online stores still garnered over 500,000 visitors per month.
Over 85% of victims were operating the popular Magento CMS, with the largest number (28%) located in the US, followed by the UK and the Netherlands. However, victims from a total of 55 countries were affected.
During its analysis, Gemini discovered an unsecured access log on the group's control panel, which provided further insight into the scope of the campaign.
“This access log stored 184,000 compromised cards with time stamps ranging from July 2018 to April 2019. This likely indicated the total number of cards collected from numerous Keeper infections during this time period,” it explained.
“Based on the provided number of collected cards during a nine-month window, and accounting for the group’s operations since April 2017, Gemini estimates that it has likely collected close to 700,000 compromised cards. Given the current dark web median price of $10 per compromised Card Not Present (CNP) card, this group has likely generated upwards of $7m from stealing and selling compromised payment cards in its full lifespan.”