A group of hackers known as “Keeper” has been engaging in Magecart-style attacks aimed at stealing credit card data of online shoppers. Over the last three years the group targeted more than 570 e-commerce websites generating estimated $7 million from selling stolen credit cards, according to a new research from Gemini Advisory.
Active since 2017, the Keeper group operates an interconnected network of 64 attacker domains and 73 exfiltration domains. These domains were used to retrieve user credit card data from multiple e-commerce sites located across 55 countries. The exfiltration and attacker domains use identical login panels and are linked to the same dedicated server which hosts both the malicious payload and the exfiltrated data stolen from victim sites.
Like many other Magecart groups, Keeper attempts to masquerade their malicious domains as legitimate services, as well as popular website plugins and payment gateways. According to the report, the malicious actors primarily targeted websites running the Magento CMS (85%) with the largest percentage of victims located in the United States (28%) closely followed by the United Kingdom and the Netherlands.
Ironically, during the investigation into Keeper's web skimming attacks the researchers discovered an unsecured access.log on the attackers' control panel, which stored 184,000 compromised cards with time stamps ranging from July 2018 to April 2019. Based on this nine-month window the researches estimate that since April 2017 the group has likely amassed close to 700,000 compromised cards.
“The Keeper Magecart group has been active for three years, over which time it has continually improved its technical sophistication and the scale of its operations. It has verifiably compromised hundreds of domains and likely extracted payment card information from many more that have yet to be uncovered. With revenue likely exceeding $7 million and increased cybercriminal interest in CNP data during the COVID-19 quarantine measures across the world, this group’s market niche appears to be secure and profitable. Based on this pattern of successful Magecart attacks, Gemini assesses with high confidence that Keeper is likely to continue launching increasingly sophisticated attacks against online merchants across the world,” the researchers concluded.