“Keeper” Magecart Group Infects 570 Sites

July 7, 2020

Key Findings

  • Gemini discovered that the “Keeper” Magecart group, which consists of an interconnected network of 64 attacker domains and 73 exfiltration domains, has targeted over 570 victim e-commerce sites in 55 different countries from April 1, 2017 until the present. The Keeper exfiltration and attacker domains use identical login panels and are linked to the same dedicated server; this server hosts both the malicious payload and the exfiltrated data stolen from victim sites.
  • Over 85% of the victim sites operated on the Magento CMS, which is known to be the top target for Magecart attacks and boasts over 250,000 users worldwide. The country hosting the largest selection of these victim e-commerce sites was the United States, followed by the United Kingdom and the Netherlands. 
  • Gemini uncovered an unsecured access log on the Keeper control panel with 184,000 compromised cards with time stamps ranging from July 2018 to April 2019. Extrapolating the number of cards per nine months to Keeper’s overall lifespan, and given the dark web median price of $10 per compromised Card Not Present (CNP) card, this group has likely generated upwards of $7 million USD from selling compromised payment cards. 
  • The Keeper Magecart group has been active for three years, over which time it has continually improved its technical sophistication and the scale of its operations. Based on this pattern of successful Magecart attacks, Gemini assesses with high confidence that Keeper is likely to continue launching increasingly sophisticated attacks against online merchants across the world.

Background

In mid-2020, Magecart attacks have become a daily occurrence for small to medium-sized e-commerce businesses in the United States as well as the rest of the world. Operating on an outdated content management system (CMS), utilizing unpatched add-ons, or having administrators’ credentials compromised through sequel injections leaves e-commerce merchants vulnerable to a variety of different attack vectors. Over the past six months, the Gemini team has uncovered thousands of Magecart attacks ranging from simple dynamic injection of malicious code using a criminally hosted domain, to leveraging Google Cloud or GitHub storage services and using steganography to embed malicious payment card-stealing code into an active domain’s logos and images. The criminals behind this threat constantly evolve and improve their techniques to prey on unsuspecting victims who do not emphasize domain security.

As has been previously reported, there are numerous stand-alone Magecart groups that actively use unique methods to target hundreds and thousands of e-commerce sites yearly. One such group was responsible for compromising a Volusion CMS, in turn infecting over 6,000 e-commerce sites with payment card-stealing scripts for nearly a month in the third quarter of 2019.  

While analyzing numerous Magecart attacks, Gemini successfully established a full link between an active Magecart group, its techniques, indicators of compromised (IOCs), evolving tactics, victims, and an estimated number of cards offered for sale. The Gemini team has named this group “Keeper” based on its repeated usage of a single domain called fileskeeper[.]org to inject malicious payment card-stealing JavaScript (JS) into the website’s HTML code, as well as receive compromised card data. Analysis revealed that the Keeper group includes an interconnected network of 64 attacker domains used to deliver malicious JS payloads (see Appendix A) and 73 exfiltration domains used to receive stolen payment cards data from victim domains (see Appendix B). This network targeted over 570 victim e-commerce sites in 55 different countries from April 1, 2017 until the present.

Target map
Image 1: Keeper’s attacker domains, targets, and exfiltration domains affected 55 countries worldwide.

In-Depth Analysis

Keeper

The Keeper group, much like many other Magecart groups, attempted to disguise its malicious attacker domains as legitimate services, or, in this case, even legitimate sites. Several of the attacker domains attempted to closely imitate legitimate site names by changing the top-level domain or several characters within the domain name. For example, the attacker domain closetlondon[.]org attempted to imitate closetlondon.com. In addition to imitating legitimate site names, this group also attempted to imitate popular website plugins and payment gateways.

Gemini determined that Keeper’s exfiltration and attacker domains use identical login panels and are linked to the same dedicated server; this server hosts both the malicious payload and the exfiltrated data stolen from victim sites. Below is an example of how a dedicated server is used to host Magecart infrastructure responsible for collecting compromised card data from numerous e-commerce domains.

Image 2: Dedicated server hosting Magecart infrastructure designed to collect payment card data from target domains.
Image 3: Keeper utilized an identical login panel for all of its exfiltration URLs, which were connected to a single dedicated server.

Over 85% of the victim sites operated on the Magento CMS, which is known to be the top target for Magecart attacks and boasts over 250,000 users worldwide. The country hosting the largest selection of these victim e-commerce sites was the United States, at 28%, followed by the United Kingdom and the Netherlands.

Image 4: List of compromised domains by country or territory.
Image 5: CMS distribution by victim sites.

Through the analysis of the dedicated server and numerous hosted exfiltration and attacker domains, Gemini was able to identify over 570 individuals attacks on numerous e-commerce sites across the world that occurred between April 2017 and the present (see Appendix C). By analyzing victim domains and the payload scripts that were used to infect them, analysts discovered the evolution of obfuscation and data collection methods.

  • April 1, 2017: One of the initial attacks was carried out against dressedinwhite.com through the attacker domain js-storage[.]click. The Keeper group utilized public obfuscation methods, which made it simple to decode. The JS payload was created to focus primarily on two specific payment card data fields (card number and expiration date), but also to gather all other available fields on the checkout page.
  • August 9, 2018: The online bicycle merchant milkywayshop.it was infected by the attacker domain dobell[.]su. The malicious JS payload was hiding in plain sight and did not have any private or public obfuscation and displayed the payload in cleartext. The payload collected all of the data from the fields commonly seen on the checkout page, such as card data, billing information, and additional personally identifiable information (PII). 
Image 6: Collected data field on the MilkyWayShop website. 
  • November 26, 2018: From November 2018 to the present, the threat actors have used custom obfuscation methods. This was first identified in the infection of casterdepot.com. The JS payload was injected by the attacker domain swappastore[.]com and collected information from all commonly seen fields on the checkout page, such as card data, billing information, and additional PII. 
Image 7: The custom obfuscation used in the malicious script targeting casterdepot.com. The decrypted string is on the right-hand side of the image.
  • January 6, 2019: The attacker script was modified and it appeared to be much cleaner and more concise with no displayed line breaks. This was seen in the infection of  nomin.net by the attacker domain scriptvault[.]org. The Keeper group currently uses this format for its payloads and denotes specific payment card, billing address, and additional information fields that it collects.
Image 8: The most recent format of the Keeper group’s malicious payload.

During the analysis of an ongoing infection in one of the victim URLs, fiushafashion.com, Gemini conducted a test transaction with fictitious data and decrypted, then decoded the malicious payment request. Gemini analysts noted that the payment card data, billing information, additional PII, and source URL were exfiltrated to the Keeper exfiltration domain assetstorage[.]net.

Images 9-11: Encrypted test payment request (top), decrypted and encoded test payment request (middle), and decrypted and decoded test payment request (bottom).

Total Revenue

During the historical analysis of the Keeper group, Gemini uncovered an unsecured access.log on the Keeper control panel on April 24, 2019. This access log stored 184,000 compromised cards with time stamps ranging from July 2018 to April 2019. This likely indicated the total number of cards collected from numerous Keeper infections during this time period. Based on the provided number of collected cards during a nine-month window, and accounting for the group’s operations since April 2017, Gemini estimates that it has likely collected close to 700,000 compromised cards. Given the current dark web median price of $10 per compromised Card Not Present (CNP) card, this group has likely generated upwards of $7 million USD from stealing and selling compromised payment cards in its full lifespan. 

Targets

The 570 victim e-commerce sites were made up of small to medium-sized merchants and were scattered across 55 different countries. Gemini analyzed the size of the victims’ sites using Amazon’s Alexa Rank, which generates a basic score based on daily unique visitors and the number of pageviews. Victims with the top Alexa Global Ranking received anywhere from 500,000 to over one million visitors each month and were responsible for selling electronics, clothing, jewelry, custom promotional products, and liquor. The table below provides several examples of the most affected merchants with top Alexa Global Ranking (meaning more traffic per website). 

DomainInfection DateDescription
alkaramstudio.comFebruary 2018Pakistan-based clothing store
arb.co.zaDecember 2019South Africa-based electrical wholesaler
cwspirits.comApril 2020US-based premier wine and spirits seller
ejohri.comFebruary 2020India-based online jewelry store
hirschs.co.zaApril 2018South Africa-based appliance and electronics store
ibox.co.idDecember 2019Indonesia-based Apple product reseller
discountmugs.comSeptember 2018US-based custom promotional product store

Conclusion

The Keeper Magecart group has been active for three years, over which time it has continually improved its technical sophistication and the scale of its operations. It has verifiably compromised hundreds of domains and likely extracted payment card information from many more that have yet to be uncovered. With revenue likely exceeding $7 million and increased cybercriminal interest in CNP data during the COVID-19 quarantine measures across the world, this group’s market niche appears to be secure and profitable. Based on this pattern of successful Magecart attacks, Gemini assesses with high confidence that Keeper is likely to continue launching increasingly sophisticated attacks against online merchants across the world.

Appendix A: List of 64 unique Keeper attacker domains.

Appendix B: List of 73 exfiltration domains that Keeper used to extract stolen payment card data.

Appendix C: List of 570 compromised victim domains infected by Keeper.

Gemini Advisory Mission Statement

Gemini Advisory provides actionable fraud intelligence to the largest financial organizations in an effort to mitigate ever-growing cyber risks. Our proprietary software utilizes asymmetrical solutions in order to help identify and isolate assets targeted by fraudsters and online criminals in real-time.

Gemini has analyzed the Magecart campaigns by the cybercriminal hacker group "Keeper" and determined its target e-commerce sites, malicious code, and exfiltration domains. It compromised 570 merchants and likely generated $7 million USD in revenue.

%d bloggers like this: