Infamous MageCart group observed employing improved tactics

• Tools employed by MageCart now had fewer lines of code and were constantly updated with new features.
• The group mainly incorporated RSA public/private key cryptography to boost its data exfiltration techniques.

The MageCart group, known for its credit card information-stealing campaigns, has upped the ante with respect to its tactics.

Security firm RiskIQ, which conducted an in-depth investigation of the threat group, found that the skimmers employed by MageCart were constantly updated with new features to steal payment related information. A blog by the firm on MageCart “Group 4” detailed how the group transformed with their actions.

Worth noting

• According to the blog, MageCart now puts five domains on one IP address to avoid overlap between different IPs.
• Group 4 deployed a variety of JavaScript libraries. Earlier, it restricted to a single library.
• It has also pooled ten sequential IPs to five different hosters to minimize the damage from server takedowns.
• When it came to their skimmers, their exfiltration methods were more simplified.
• RSA public/private key cryptography is the latest norm incorporated for data encryption.

The big picture - MageCart group also has refined its skimmers’ software structure. The code in the skimmer is more efficient than earlier versions.

“The previous version of Group 4’s skimmer wasn’t actually a skimmer—it was an overlay payment phishing system. However, in the updated version, they are skimming existing payment forms instead of building up their own payment forms. Group 4’s skimmer now goes through page forms and pulls out the payment data, which significantly reduced the skimmer from over 1,500 lines of code to a little over 150 lines,” indicated RiskIQ’s blog.

RiskIQ, in collaboration with another firm Flashpoint, has also released a comprehensive report detailing how the group has reorganized to perpetuate their attacks for the coming years.