Cyber Threat Actor: MageCart Group 4
| Actor Type | Location | Known Incidents |
Criminal
|
United States of America
|
1 incident |
|---|
Profile
The threat actor known as MageCart Group 4 operates under that alias and has been publicly linked to activity originating from the United States of America. This designation groups together a set of intrusion incidents where the actor deployed web‑based skimming scripts to capture payment data. Public reporting identifies the actor by the MageCart Group 4 label in threat intelligence feeds. No alternative names have been disclosed in the source material.
The actor’s observed targeting has focused on online retail environments that process customer payment information. In the November 2018 incident against the National Baseball Hall of Fame, the attacker compromised the institution’s e‑commerce storefront. The compromise allowed the insertion of malicious code into the checkout page where customers entered names, addresses, and credit or debit card details including CVV codes. The script was designed to harvest this data as it was submitted by users. The activity affected only transactions conducted over the Hall of Fame’s website during a roughly six‑month window.
The malicious payload used in the Hall of Fame breach is characterized as a MageCart‑type web skimmer that mimics legitimate analytics scripts to avoid detection. The actor’s tooling consists of JavaScript snippets that are injected into vulnerable web pages and configured to monitor form fields for payment data. Exfiltration occurs via HTTP requests to a domain previously associated with similar MageCart campaigns, linking the script to known malicious infrastructure. The initial access vector is not detailed in the source material, but the result was the presence of the skimmer on the checkout page. After the skimmer was discovered it was found to be inactive, yet the associated domain remained tied to earlier attacks.
Public attribution does not connect MageCart Group 4 to any state‑sponsored program or known criminal consortium; the actor remains classified as a financially oriented cybercrime group based solely on observed behavior. The Hall of Fame breach serves as a representative example of the actor’s capability to deploy persistent web skimmers against poorly secured online stores. No further campaigns are described in the provided material, limiting the profile to this single verified incident. The actor’s activity highlights the ongoing threat posed by client‑side skimming techniques to entities that handle payment card information over the web.
