9 July 2020

“Keeper” Magecart group infected over 570 online shops since 2017

A group of hackers known as “Keeper” has been engaging in Magecart-style attacks aimed at stealing the credit card data of online shoppers. Over the last three years the group has targeted more than 570 e-commerce websites, generating an estimated $7 million from selling the stolen cards, according to new research from Gemini Advisory.

Active since 2017, the Keeper group operates an interconnected network of 64 attacker domains and 73 exfiltration domains. These domains were used to retrieve user credit card data from multiple e-commerce sites located across 55 countries. The exfiltration and attacker domains use identical login panels and are linked to the same dedicated server which hosts both the malicious payload and the exfiltrated data stolen from victim sites.

Like many other Magecart groups, Keeper disguises its malicious domains as legitimate services, popular website plugins and payment gateways so that the injected script and the exfiltration traffic blend in with a store's normal third-party resources. According to the report, the group primarily targeted websites running the Magento e-commerce platform (85% of victims), with the largest share of victims located in the United States (28%), followed by the United Kingdom and the Netherlands.
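As an added example (not code from the article or from Gemini Advisory's report), the following Python script audits the `<script>` sources of a checkout page against an allow-list and flags hosts that borrow a plugin or payment-gateway brand name, which is the masquerading tactic described above. The allow-list, the brand tokens and every hostname in the sample HTML are constructed for this example on the reserved `.test` TLD; none of them is a real Keeper domain.

```python
"""Audit a checkout page's script sources against an allow-list.

Added example, not part of the original article or of Gemini Advisory's
research. The sample HTML, the allow-list and every hostname below are
constructed for illustration (reserved .test TLD).
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the store legitimately loads scripts from (assumed allow-list).
ALLOWED_HOSTS = {
    "shop.example.test",
    "cdn.shop.example.test",
    "js.paygateway.test",
}

# Brand tokens a skimmer domain might borrow to blend in (assumed list).
BRAND_TOKENS = ("magento", "jquery", "paygateway", "paypal")


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag on the page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.sources.append(value)


def script_hosts(html, page_host):
    """Return the host of each script on the page; relative URLs map to page_host."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    hosts = []
    for src in parser.sources:
        parsed = urlparse(src, scheme="https")  # handles scheme-relative "//host/..."
        hosts.append((parsed.hostname or page_host).lower())
    return hosts


def classify_host(host):
    """Return 'allowed', 'lookalike' or 'unknown' for one script host."""
    if host in ALLOWED_HOSTS:
        return "allowed"
    # Not on the allow-list but carrying a plugin/gateway brand name:
    # the masquerading pattern the article describes.
    if any(token in host for token in BRAND_TOKENS):
        return "lookalike"
    return "unknown"


def audit(html, page_host):
    """Map every non-allowed script host on the page to its verdict."""
    findings = {}
    for host in script_hosts(html, page_host):
        verdict = classify_host(host)
        if verdict != "allowed":
            findings[host] = verdict
    return findings


# Constructed checkout page: three legitimate scripts (one relative) plus
# two injected ones. cdn-magento-plugins.test and static-analytics.test
# are placeholders invented for this example.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="https://cdn.shop.example.test/js/checkout.js"></script>
<script src="/static/app.js"></script>
<script src="https://js.paygateway.test/v3/"></script>
<script src="//cdn-magento-plugins.test/jquery.min.js"></script>
<script src="https://static-analytics.test/collect.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE_CHECKOUT_HTML, "shop.example.test").items():
        print(f"{verdict:10s} {host}")
```

A static allow-list like this only catches scripts loaded from a new host; a skimmer appended to a legitimate first-party file, or served from a compromised plugin host that is already on the list, passes it. Pair the audit with integrity monitoring of the store's own JavaScript and with a Content-Security-Policy whose `script-src` and `connect-src` are restricted to the same allow-list, so that both the payload download and the card exfiltration to an unlisted host are blocked and reported.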

Ironically, during the investigation into Keeper's web skimming attacks the researchers discovered an unsecured access.log on the attackers' own control panel, which stored 184,000 compromised cards with timestamps ranging from July 2018 to April 2019. Extrapolating from this nine-month window, the researchers estimate that since April 2017 the group has likely amassed close to 700,000 compromised cards.

“The Keeper Magecart group has been active for three years, over which time it has continually improved its technical sophistication and the scale of its operations. It has verifiably compromised hundreds of domains and likely extracted payment card information from many more that have yet to be uncovered. With revenue likely exceeding $7 million and increased cybercriminal interest in CNP data during the COVID-19 quarantine measures across the world, this group’s market niche appears to be secure and profitable. Based on this pattern of successful Magecart attacks, Gemini assesses with high confidence that Keeper is likely to continue launching increasingly sophisticated attacks against online merchants across the world,” the researchers concluded.
