Closing in on MageCart 12

This is the fourth blog with details on the activities of MageCart 12. In this article, yet another part of their ongoing campaign is uncovered. The amount of infected sites for this campaign is higher than in the previous cases.

Before diving into the infected sites, and the rough duration of the infections, information regarding the skimmer itself will be given.

Modus operandi

The modus operandi for this campaign is slightly different when comparing it to the other research that has been published so far. The skimmer, hosted on jquerycdn.su, changed four times during the campaign. The earliest recorded date of a hacked site linking to the skimmer domain is on the 30th of September 2019, whereas the latest new infection date is the 19th of February 2020.

In the four versions of the skimmer that were used in this campaign, the used obfuscation method is the same as in the other reported campaigns. The first stage loads the actual skimmer script, which is polluted with garbage code. The skimmer itself is different, compared to the first versions. The skimmer grabs all fields from the page, rather than all forms. Although the approach and script are different, the general concept remains the same: obtaining credit card credentials.

The exfiltration domains are linked to other skimming campaigns from MageCart 12, like the one Marco Ramilli wrote about, as well as Jacob‘s blog.

Infected web shops

All but three affected web shops have been contacted via e-mail or their web form on the 21st of February 2020. For each of the three uninformed web shops, there is a note in the list with the reason why. Similar to previous cases, I did not receive any response back at the time of writing (which is the 25th of February 2020).

The given dates are based upon the data set I created. This set is, by definition, not 100% accurate. As such, the actual dates might slightly differ. Additionally, it is possible that a website was not infected for the complete time between the begin and the end date, but this information is not present in my data set.

The mentioned dates are based upon the most accurate information from the data set and limited to this skimmer domain. Some sites are infected with another domain that is operated by the same group. To avoid confusion and keep things clear, this has not been included in this post.

Note that the skimmer domain (jquerycdn.su) has been down for a few days at least. This means that several sites that are still infected, are currently not actively sharing credit cards with the criminal actors, but this is subject to change at any given moment.

The list below is ordered from the past until the present, meaning the oldest infections are listed first. The end date is not taken into account at the sorting.

Conclusion

If you have shopped at one of the mentioned sites around the infected period, it is suggested to contact your bank and request a new credit card. Also note that all information that was entered on the site’s payment form was stolen by the credit card skimmer and should be considered compromised.


To contact me, you can e-mail me at [info][at][maxkersten][dot][nl], send me a PM on Reddit or DM me on Twitter @LibraAnalysis.