Infamous card-skimming malware Magecart is still out there – and the latest campaign has affected at least 17,000 domains so far, according to threat intel biz RiskIQ.
Head researcher Yonathan Klijnsma told The Register there are still around 15 active Magecart-employing cybercrime groups that RiskIQ is aware of.
With the average Magecart breach lasting 22 days, RiskIQ said, the threat posed by the malware is still strong.
Magecart was also used to compromise British Airways last year, leveraging custom, targeted infrastructure to swipe the credit and debit card details of 380,000 people.
On top of that, according to RiskIQ's latest report, around 17 per cent of malware-laden ads examined by the firm also contained Magecart skimmers. Shopping platforms such as Magento and Opencart are said to be the "lifeblood" of Magecart-using crooks, giving them an easily compromised attack vector.
So far the threat intel firm has detected 573 command-and-control domains, with more than 9,000 hosts "observed loading [command-and-control] domains".
Terry Bishop, RiskIQ's EMEA tech director, also told The Register that in one instance of a Magecart infection, it took an hour between the infection (as detected by file changes on the targeted server) and the initial exfiltration of customer data. However, in more complex cases, the criminals infiltrate enterprise infrastructure and spend weeks mapping it out and planning their next moves.
Klijnsma added that tracking some of the threat actors using Magecart was sometimes easier thanks to their reuse of recognisable code and other fingerprintable techniques. ®