Cyber Threat Actor: Magecart
| Actor Type | Location | Known Incidents |
Crime Syndicate
|
Russia
|
18 incidents |
|---|
Profile
Magecart, also tracked as Magecart Group or Group 148, is a threat actor known for conducting web‑based skimming operations that target online payment processes. Open‑source reporting associates the group with a Russian origin, although no direct state sponsorship has been publicly confirmed. The actor’s primary focus is on compromising e‑commerce sites, payment‑related web applications, and any web‑facing service that handles cardholder data, as demonstrated by attacks on retailers selling e‑cigarettes, jewelry, tickets, and municipal payment portals. The consistent goal across these intrusions is the illicit collection of credit‑card numbers, expiration dates, CVV codes, and associated personal information for financial gain.
The group’s typical technique involves injecting malicious JavaScript into legitimate site resources, often by compromising third‑party libraries, exploiting misconfigured cloud storage, or directly altering checkout page code. Observed payloads are heavily obfuscated, dynamically loaded from attacker‑controlled domains, and designed to activate when users enter payment‑related fields, capturing form data before it is submitted to the legitimate processor. Exfiltration methods vary, with examples including HTTP POST to spoofed service domains, use of a Telegram bot for data transfer, and DNS‑like requests to attacker‑run servers. The actor frequently leverages trusted‑looking infrastructure, such as domains mimicking legitimate services (e.g., a ZenDesk‑look‑alike or a Slippry library), to evade detection and prolong the skimming window.
Attribution to a Russian‑based operator appears in multiple threat‑intel reports, but public sources do not tie the group to any specific government agency or criminal consortium. Representative campaigns illustrate the actor’s reach: the 2022 compromise of an e‑cigarette retailer that used a Telegram bot to exfiltrate stolen card data; the 2022 Emma Matratzen incident where a skimmer harvested data from nearly 100 000 customers across twelve countries; the 2020 Twilio SDK breach resulting from a publicly accessible AWS S3 bucket that allowed malicious code injection into a widely distributed JavaScript library; and the 2019 Smith & Wesson online store attack that employed a dynamically loaded script targeting non‑Linux, non‑AWS users. These examples show the actor’s ability to adapt to different technologies while maintaining a consistent focus on stealing payment information for monetary profit.
