MageCart Hacker Groups Began to Fight Each Other

Two well-known information security specialists, Willem de Groot and Jérôme Segura of Malwarebytes, have found that competition in the field of MageCart attacks is intensifying.

Let me remind you that MageCart attacks are also called web skimming; attackers use them to steal users' bank card data. The criminals' “handwriting” almost always looks like this: they compromise a variety of websites, most often shops built on popular CMSs, breaking in through vulnerabilities in the CMS itself or its plugins. They then inject malicious JavaScript code into the payment pages (a kind of software skimmer), thus stealing the financial data that users enter (bank card numbers, names, addresses, and so on).

Last week, analysts from RiskIQ and Flashpoint presented a joint report on MageCart attacks, in which they described the groups that operate this way and their tactics. The experts stressed that MageCart attacks have recently become a cover for many hacker groups, and they listed seven of the most active and visible ones.

Now Segura and de Groot have found that a struggle for a “place in the sun” has begun among the MageCart hackers. Using the terminology of the RiskIQ experts, who assigned sequence numbers to the groups, Group 9, which appeared on the scene recently, is actively interfering with its competitors, in particular with the activities of Group 3, which attacks websites and payment systems in South American countries.

Experts say that Group 9 has added special code to its “skimmer” that searches for domains related to competitors’ operations. When such domains are discovered, the Group 9 malware does not just interfere with the competitors’ scripts; it takes a more sophisticated approach and corrupts the data that Group 3 collects. The Group 9 skimmer intervenes in the collection and replaces the last digit of the stolen card number with a randomly generated one.

Segura suggests that in this way the members of Group 9 want not only to hinder a competitor’s work but also to damage Group 3’s reputation. After being stolen, bank card numbers are put up for sale on the black market, and Group 3 apparently did not suspect that part of its “product” was corrupted and that it was selling invalid data. “Over time, buyers will realize that they bought non-performing bank cards, after which they will no longer trust this seller,” Segura writes.

Currently, experts have found the “skimmers” of Groups 9 and 3 on the site of the sports store Umbro Brazil, as well as on the cosmetics site Bliv[.]com.

Experts believe the situation will only get worse: web skimming has already gained considerable popularity in criminal circles, and the clash between Groups 9 and 3 suggests that competition in this area will only become tougher, because various skimming “kits” are already available to anyone, at any level of skill.

