RiskIQ Researchers Track Ecommerce Threat, Discover Network of Threat Actors Reshipping Items Purchased with Stolen Cards
RealWire
Wed, 07/12/2017 - 13:04
In October of last year, the RiskIQ Threat Research team released "Compromised E-commerce Sites Lead to 'Magecart,'" a report profiling the e-commerce threat they discovered and dubbed 'Magecart,' which injects JavaScript code into e-commerce sites running outdated and unpatched versions of shopping cart software from Magento, Powerfront, and OpenCart. By logging consumer keystrokes, these attackers capture large quantities of payment card information.
Now, by following a new strain of Magecart, the team has discovered a direct link to how threat actors put the stolen credit cards to use, offering rare insight into the physical-world operations of actors tied to digital threats.
The report, "Magecart Part II: From Javascript Injects to Reshipping for Financial Gain," highlights how threat actors targeting e-commerce sites cash out by reshipping items purchased with stolen cards via a physical reshipping company, operating with mules in the U.S.
In light of the recent Krebs on Security blog post, which ties Magecart infrastructure listed in our original report to a credit card dumps website known as “Trump’s Dumps,” it’s clear that these actors have a diversified portfolio of rackets for monetizing their plunder.
"Magecart activity is still going strong, affecting new sites and continuing to register new domains to host the injected web skimmer scripts," said Yonathan Klijnsma, threat researcher at RiskIQ. "New insight into the sophisticated way these actors are monetizing their activities in the physical world shows the broadness of their scope of operations."