'Keeper' Group Targeted Payment Card Data on 570 Sites
Hackers Used Magecart-Style Web Skimmers Against Online E-Commerce Sites
A hacking group known as "Keeper" has been using Magecart-like web skimmers to target the online checkout sites and portals of hundreds of e-commerce sites in order to steal customers' payment card data, according to a report from security firm Gemini Advisory.
Since at least 2017, the Keeper group has targeted approximately 570 online checkout sites, primarily those using the Magento e-commerce platform, belonging to small and midsized e-commerce firms with estimated losses at about $7 million, according to Gemini.
The researchers note that the majority of the victimized e-commerce sites are located in the U.S., the U.K. and the Netherlands, although the hacking group is suspected of targeting sites in 55 additional countries. And while the majority of the e-commerce sites were small, some were actively generating 500,000 to 1 million visitors each month, the report states.
"The Keeper Magecart group has been active for three years, over which time it has continually improved its technical sophistication and the scale of its operations," the Gemini report notes. "Based on this pattern of successful Magecart attacks, Gemini assesses with high confidence that Keeper is likely to continue launching increasingly sophisticated attacks against online merchants across the world."
Poor Operational Security
The Gemini researchers uncovered the Keeper group's operations when they discovered an unsecured access log that was part of the control panel used to host the stolen payment card data, according to the report.
By examining the unsecured access log, the researchers discovered approximately 184,000 compromised payment card numbers and other data stolen sometime between July 2018 and April 2019. This allowed the researchers to estimate that the hacking group may have compromised some 700,000 payment cards over three years, which would have resulted in losses of up to $7 million.
"Extrapolating the number of cards per nine months to Keeper’s overall lifespan, and given the dark web median price of $10 per compromised Card Not Present card, this group has likely generated upwards of $7 million," the report notes.
Magento Under Attack
Magento ended support for two earlier versions of its platform - Magento Commerce 1, formerly known as Enterprise Edition, and Magento Open Source 1, formerly known as Community Edition - on June 30, but the Gemini report did not state whether these versions were involved in the attacks. Adobe, which owns Magento, is recommending that users upgrade to the latest versions.
How Keeper Works
"For example, the attacker domain closetlondon[.]org attempted to imitate closetlondon.com," according to the report.
The hacking group is also known to imitate popular website plugins and payment gateways to trick their victims, the researchers add. The researchers say they identified 64 malicious domains and 73 exfiltration domains that the Keeper operators managed as part of their attack infrastructure.
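The lookalike-domain technique described above (closetlondon[.]org standing in for closetlondon.com) can be checked for from the merchant's side by auditing which hosts a checkout page loads scripts from. The following is an added example, not code from Gemini Advisory or from the article: it parses a page's script tags and classifies each source as first-party, allowlisted, a lookalike of the site's own domain (same registrable label on a different TLD, or one character off), or an unknown third party. The sample HTML, the site host www.closetlondon.com, the allowlist entry and the .test hostnames are constructed for the example; the suffix handling is deliberately crude (last label only) and a real audit should use a public-suffix list.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in an HTML document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.sources.append(value.strip())


def split_host(host):
    """Return (registrable label, top-level suffix) for a hostname.

    Crude on purpose: the last label is treated as the suffix, so a host
    such as shop.example.co.uk would be split wrongly. A production audit
    should consult the public-suffix list instead.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower(), ""
    return labels[-2], labels[-1]


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host, site_host, allowlist):
    """Classify a script host relative to the merchant's own domain."""
    site_label, site_tld = split_host(site_host)
    label, tld = split_host(host)
    if label == site_label and tld == site_tld:
        return "first-party"
    if host.lower() in allowlist:
        return "allowlisted"
    # Same registrable label on another TLD, or a near-miss spelling,
    # is the pattern the article describes (closetlondon.org vs .com).
    if label == site_label or edit_distance(label, site_label) <= 1:
        return "lookalike"
    return "unknown-third-party"


def audit_script_sources(html, site_host, allowlist):
    """Return [(src, verdict), ...] for every script source on the page."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    findings = []
    for src in parser.sources:
        # Strip any userinfo and port so only the hostname is compared.
        host = urlparse(src).netloc.split("@")[-1].split(":")[0]
        if not host:  # relative URL: served by the site itself
            findings.append((src, "first-party"))
            continue
        findings.append((src, classify_host(host, site_host, allowlist)))
    return findings


# Constructed sample checkout page; only closetlondon.com/.org come from the article.
SAMPLE_HTML = """
<html><head>
<script src="/js/checkout.js"></script>
<script src="https://www.closetlondon.com/static/cart.js"></script>
<script src="https://cdn.example-payments.test/gateway.js"></script>
<script src="https://closetlondon.org/jquery.min.js"></script>
<script src="https://static.secure-magento-plugin.test/plugin.js"></script>
</head></html>
"""
SITE_HOST = "www.closetlondon.com"                 # assumed merchant host
ALLOWLIST = {"cdn.example-payments.test"}          # assumed approved payment CDN

if __name__ == "__main__":
    for src, verdict in audit_script_sources(SAMPLE_HTML, SITE_HOST, ALLOWLIST):
        flag = "  <-- review" if verdict in ("lookalike", "unknown-third-party") else ""
        print(f"{verdict:20s} {src}{flag}")
```

Run against a periodic fetch of the live checkout page, the "lookalike" and "unknown-third-party" verdicts are the ones worth alerting on; the allowlist holds the hosts the merchant has consciously approved, so a script host that is merely similar to the merchant's own domain never gets a pass by default.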
There are about 12 criminal groups that make up Magecart, some dating to 2014, according to security researchers.
One such attack in June saw jewellery and accessories retailer Claire's report that Magecart operators stole its customers' payment card data (see: Claire's: Magecart E-Commerce Hackers Stole Card Data).
Another aspect of Magecart came to light earlier this week when the Dutch security firm Sansec published a report tying the infrastructure used by some Magecart groups to the North Korean hackers known as Lazarus or Hidden Cobra, who allegedly have ties to the North Korean government (see: North Korean Hacking Infrastructure Tied to Magecart Hits).