- Gemini discovered that the “Keeper” Magecart group, which consists of an interconnected network of 64 attacker domains and 73 exfiltration domains, has targeted over 570 victim e-commerce sites in 55 different countries from April 1, 2017 until the present. The Keeper exfiltration and attacker domains use identical login panels and are linked to the same dedicated server; this server hosts both the malicious payload and the exfiltrated data stolen from victim sites.
- Over 85% of the victim sites operated on the Magento CMS, which is known to be the top target for Magecart attacks and boasts over 250,000 users worldwide. The country hosting the largest selection of these victim e-commerce sites was the United States, followed by the United Kingdom and the Netherlands.
- Gemini uncovered an unsecured access log on the Keeper control panel with 184,000 compromised cards with time stamps ranging from July 2018 to April 2019. Extrapolating the number of cards per nine months to Keeper’s overall lifespan, and given the dark web median price of $10 per compromised Card Not Present (CNP) card, this group has likely generated upwards of $7 million USD from selling compromised payment cards.
- The Keeper Magecart group has been active for three years, over which time it has continually improved its technical sophistication and the scale of its operations. Based on this pattern of successful Magecart attacks, Gemini assesses with high confidence that Keeper is likely to continue launching increasingly sophisticated attacks against online merchants across the world.
In mid-2020, Magecart attacks have become a daily occurrence for small to medium-sized e-commerce businesses in the United States as well as the rest of the world. Operating on an outdated content management system (CMS), utilizing unpatched add-ons, or having administrators’ credentials compromised through sequel injections leaves e-commerce merchants vulnerable to a variety of different attack vectors. Over the past six months, the Gemini team has uncovered thousands of Magecart attacks ranging from simple dynamic injection of malicious code using a criminally hosted domain, to leveraging Google Cloud or GitHub storage services and using steganography to embed malicious payment card-stealing code into an active domain’s logos and images. The criminals behind this threat constantly evolve and improve their techniques to prey on unsuspecting victims who do not emphasize domain security.
As has been previously reported, there are numerous stand-alone Magecart groups that actively use unique methods to target hundreds and thousands of e-commerce sites yearly. One such group was responsible for compromising a Volusion CMS, in turn infecting over 6,000 e-commerce sites with payment card-stealing scripts for nearly a month in the third quarter of 2019.
The Keeper group, much like many other Magecart groups, attempted to disguise its malicious attacker domains as legitimate services, or, in this case, even legitimate sites. Several of the attacker domains attempted to closely imitate legitimate site names by changing the top-level domain or several characters within the domain name. For example, the attacker domain closetlondon[.]org attempted to imitate closetlondon.com. In addition to imitating legitimate site names, this group also attempted to imitate popular website plugins and payment gateways.
Gemini determined that Keeper’s exfiltration and attacker domains use identical login panels and are linked to the same dedicated server; this server hosts both the malicious payload and the exfiltrated data stolen from victim sites. Below is an example of how a dedicated server is used to host Magecart infrastructure responsible for collecting compromised card data from numerous e-commerce domains.
Over 85% of the victim sites operated on the Magento CMS, which is known to be the top target for Magecart attacks and boasts over 250,000 users worldwide. The country hosting the largest selection of these victim e-commerce sites was the United States, at 28%, followed by the United Kingdom and the Netherlands.
Through the analysis of the dedicated server and numerous hosted exfiltration and attacker domains, Gemini was able to identify over 570 individuals attacks on numerous e-commerce sites across the world that occurred between April 2017 and the present (see Appendix C). By analyzing victim domains and the payload scripts that were used to infect them, analysts discovered the evolution of obfuscation and data collection methods.
- April 1, 2017: One of the initial attacks was carried out against dressedinwhite.com through the attacker domain js-storage[.]click. The Keeper group utilized public obfuscation methods, which made it simple to decode. The JS payload was created to focus primarily on two specific payment card data fields (card number and expiration date), but also to gather all other available fields on the checkout page.
- August 9, 2018: The online bicycle merchant milkywayshop.it was infected by the attacker domain dobell[.]su. The malicious JS payload was hiding in plain sight and did not have any private or public obfuscation and displayed the payload in cleartext. The payload collected all of the data from the fields commonly seen on the checkout page, such as card data, billing information, and additional personally identifiable information (PII).
- November 26, 2018: From November 2018 to the present, the threat actors have used custom obfuscation methods. This was first identified in the infection of casterdepot.com. The JS payload was injected by the attacker domain swappastore[.]com and collected information from all commonly seen fields on the checkout page, such as card data, billing information, and additional PII.
- January 6, 2019: The attacker script was modified and it appeared to be much cleaner and more concise with no displayed line breaks. This was seen in the infection of nomin.net by the attacker domain scriptvault[.]org. The Keeper group currently uses this format for its payloads and denotes specific payment card, billing address, and additional information fields that it collects.
During the analysis of an ongoing infection in one of the victim URLs, fiushafashion.com, Gemini conducted a test transaction with fictitious data and decrypted, then decoded the malicious payment request. Gemini analysts noted that the payment card data, billing information, additional PII, and source URL were exfiltrated to the Keeper exfiltration domain assetstorage[.]net.
During the historical analysis of the Keeper group, Gemini uncovered an unsecured access.log on the Keeper control panel on April 24, 2019. This access log stored 184,000 compromised cards with time stamps ranging from July 2018 to April 2019. This likely indicated the total number of cards collected from numerous Keeper infections during this time period. Based on the provided number of collected cards during a nine-month window, and accounting for the group’s operations since April 2017, Gemini estimates that it has likely collected close to 700,000 compromised cards. Given the current dark web median price of $10 per compromised Card Not Present (CNP) card, this group has likely generated upwards of $7 million USD from stealing and selling compromised payment cards in its full lifespan.
The 570 victim e-commerce sites were made up of small to medium-sized merchants and were scattered across 55 different countries. Gemini analyzed the size of the victims’ sites using Amazon’s Alexa Rank, which generates a basic score based on daily unique visitors and the number of pageviews. Victims with the top Alexa Global Ranking received anywhere from 500,000 to over one million visitors each month and were responsible for selling electronics, clothing, jewelry, custom promotional products, and liquor. The table below provides several examples of the most affected merchants with top Alexa Global Ranking (meaning more traffic per website).
|alkaramstudio.com||February 2018||Pakistan-based clothing store|
|arb.co.za||December 2019||South Africa-based electrical wholesaler|
|cwspirits.com||April 2020||US-based premier wine and spirits seller|
|ejohri.com||February 2020||India-based online jewelry store|
|hirschs.co.za||April 2018||South Africa-based appliance and electronics store|
|ibox.co.id||December 2019||Indonesia-based Apple product reseller|
|discountmugs.com||September 2018||US-based custom promotional product store|
The Keeper Magecart group has been active for three years, over which time it has continually improved its technical sophistication and the scale of its operations. It has verifiably compromised hundreds of domains and likely extracted payment card information from many more that have yet to be uncovered. With revenue likely exceeding $7 million and increased cybercriminal interest in CNP data during the COVID-19 quarantine measures across the world, this group’s market niche appears to be secure and profitable. Based on this pattern of successful Magecart attacks, Gemini assesses with high confidence that Keeper is likely to continue launching increasingly sophisticated attacks against online merchants across the world.
Appendix A: List of 64 unique Keeper attacker domains.
Appendix B: List of 73 exfiltration domains that Keeper used to extract stolen payment card data.
Appendix C: List of 570 compromised victim domains infected by Keeper.
Gemini Advisory Mission Statement
Gemini Advisory provides actionable fraud intelligence to the largest financial organizations in an effort to mitigate ever-growing cyber risks. Our proprietary software utilizes asymmetrical solutions in order to help identify and isolate assets targeted by fraudsters and online criminals in real-time.