Posted on July 9, 2020 at 7:16 PM
More than 570 Online Stores Infiltrated by Keeper Hacking Group
Over the past three years, more than 570 online e-commerce portals have been breached by a hacking group known as “Keeper.”
A recent report revealed that the Keeper group broke into the backends of the online stores, altered their source code, and planted malicious scripts that logged the payment card details online shoppers entered to make purchases.
This kind of attack is known to cybersecurity firms as “Magecart,” e-skimming, or web skimming. The Magecart name was taken from the first hacker group that used web skimming tactics.
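As an added example (not code from the article or from Gemini Advisory), here is a small Python check a merchant could run against a checkout page to catch the kind of change described above: it baselines the SHA-256 hashes of the page's inline scripts from a known-clean snapshot and flags any new inline script, or any script loaded from a host outside an allowlist. The page content, the allowlisted host name and the foreign domain are all constructed for the example.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

class _ScriptCollector(HTMLParser):
    # Gathers <script src=...> URLs and inline <script> bodies from an HTML page.
    def __init__(self, html):
        super().__init__()
        self.external, self.inline, self._buf = [], [], None
        self.feed(html)

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._buf = []  # start capturing an inline script body

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf).strip())
            self._buf = None

def inline_baseline(clean_html):
    # SHA-256 of each inline script in a known-clean snapshot of the checkout page.
    return {hashlib.sha256(b.encode()).hexdigest() for b in _ScriptCollector(clean_html).inline}

def audit_checkout_page(html, allowed_hosts, baseline):
    # Flag external scripts served from hosts outside the allowlist and inline
    # scripts whose hash is not in the baseline: how an injected skimmer shows up.
    p, findings = _ScriptCollector(html), []
    for src in p.external:
        host = urlparse(src).netloc.lower()  # empty for same-origin relative paths
        if host and host not in allowed_hosts:
            findings.append(("unexpected-external-script", src))
    for body in p.inline:
        if hashlib.sha256(body.encode()).hexdigest() not in baseline:
            findings.append(("unknown-inline-script", body[:40]))
    return findings

# Constructed sample pages (not real store content): a clean snapshot, then a later crawl with an injected inline script and a foreign <script src>.
CLEAN = '<html><script src="/js/checkout.js"></script><script>init();</script></html>'
TAMPERED = CLEAN.replace("</html>", '<script>collect();</script>'
    '<script src="https://stats.example.invalid/a.js"></script></html>')
```

Run it on a scheduled crawl of the live checkout page and treat any finding as an incident to investigate, since a legitimate deployment should also update the baseline.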
Keeper Syndicate has been active since 2017
Security researchers revealed that the Web skimming hacking syndicate has been active since April 2017.
Threat intelligence firm Gemini Advisory published a report today, saying that the Keeper hacking group has been operating since April 2017, and its presence in the web skimming scene is still widely seen today.
Gemini revealed that it was able to track the activities of Keeper because the group used identical control panels for the backend servers where it retrieved payment card details from compromised stores.
The security outfit said it fingerprinted the backend panel and tracked all of Keeper's historical activities, including the malicious URLs used to host the group's hacking infrastructure and the addresses of past backend panels.
It also included a list of previously compromised online stores where Keeper placed its malicious scripts.
Gemini pointed out that about 85 percent of the 570 hacked stores were running the Magento e-commerce platform. Many of the stores were small to medium-sized operations.
Most affected sites were small and medium-scale sites
Based on Amazon’s Alexa traffic rankings, Gemini revealed that most of the stores were small-scale operations, but the hacking group also infiltrated some popular names.
Some of the sites have up to a million monthly visits. Gemini provided a list of the big sites Keeper hacked in its report.
Additionally, the Gemini Advisory team revealed that during its investigation of the group's hacking infrastructure, it discovered that Keeper had not properly secured one of its backend panels, where the hackers sent the payment card details retrieved from online stores.
Gemini also pointed out that it was able to collect logs from the leaky backend containing about 184,000 payment card details that the Keeper hacking group stole from July 2018 to April last year.
With the present market price of $10 for a single compromised CNP (Card Not Present) card, Gemini estimates that the hacking syndicate has made more than $7 million from the theft and sale of compromised payment cards since the group began operations.
Gemini Advisory has the complete list of all 570 sites the hacking group has been able to infiltrate. The Keeper hacking group goes by other names among other security research teams: it is also known as JS-Sniffers 4, CoffeeMokko, or Magecart Group #8 [1, 2].
Recorded Future, a top cybersecurity outfit, recently announced that it had acquired a minority stake in Gemini.
This year, Magecart attacks have been occurring almost daily, affecting mostly small and medium-scale e-commerce businesses.
E-commerce merchants are exposed to a variety of attack vectors when they operate on an outdated content management system, have administrator accounts compromised through SQL injection, or use unpatched add-ons. Such merchants leave themselves exposed to hacking groups that are always ready to take any opportunity to infiltrate systems, steal sensitive details, and profit from their loot.
Hacking groups have evolved over the years
The Gemini team has been tracking these hackers, particularly Keeper. To date, the security firm has uncovered several thousand Magecart attacks. The Magecart attackers used different strategies, but all of them were aimed at one goal: stealing credit card information to sell on the dark web for financial gain.
However, the criminals are not easy to track down. Gemini Advisory said they constantly improve their strategies and evolve to attack unsuspecting victims who do not take domain security seriously.