The global pandemic has seen a massive surge in online shopping and service use. Unfortunately, it has also brought a significant increase in client-side cyber-attacks. A report from Gemini Advisory has stated that the “Keeper” Magecart Group targeted at least six South African eCommerce websites as part of a battery of cyber-attacks conducted between 1 April 2017 and 7 July 2020.
Globally, 570 online shops in 55 different countries were targeted with the aim of infecting their websites with malicious software to steal personal data. In some instances, this included payment card information.
Gemini said that as part of its investigation, it discovered that the “Keeper” Magecart group consists of an interconnected network of 64 attacker domains and 73 exfiltration domains.
“The Keeper exfiltration and attacker domains use identical login panels and are linked to the same dedicated server; this server hosts both the malicious payload and the exfiltrated data stolen from victim sites,” Gemini stated.
While over 85% of the victim sites operated on the Magento CMS, the attackers also targeted sites running WordPress (5.5%), Shopify (4.2%), BigCommerce (2.0%), and PrestaShop (0.5%).
Out of the 55 countries represented in Gemini’s investigation, South Africa had the 16th highest number of compromised domains. The countries that saw the most infections were the United States, the United Kingdom, the Netherlands, France, and India.
“Gemini uncovered an unsecured access log on the Keeper control panel with 184,000 compromised cards with time stamps ranging from July 2018 to April 2019,” the advisory said.
“Extrapolating the number of cards per nine months to Keeper’s overall lifespan, and given the dark web median price of $10 per compromised Card Not Present card, this group has likely generated upwards of $7 million from selling compromised payment cards.”
Gemini said that the Keeper Magecart group has been active for three years and has continually improved its technical sophistication and the scale of its operations.
“Based on this pattern of successful Magecart attacks, Gemini assesses with high confidence that Keeper is likely to continue launching increasingly sophisticated attacks against online merchants across the world.”
South African Websites Compromised
The following table summarizes the six South African websites included in Gemini’s report.