Nearly 600 online retailers hit with credit card-stealing malware — protect yourself now

shoppoing online using a macbook and mobile phone
(Image credit: Shutterstock)

A new credit-card-stealing group of cybercriminals has made millions of dollars by targeting more than 570 online retail websites, some of them rather well known, over a period of three years.

According to security firm Gemini, the "Keeper" Magecart group has made around $7 million by flogging the details of perhaps 700,00 stolen credit cards on the dark web and has been active in 55 countries since April 2017.

With the rapid growth of the e-commerce industry, Magecart attacks, also known as digital skimming attacks, are becoming more common. 

These attacks happen when cybercrooks inject malicious code into the source code of retail websites to record their customer’s credit card details as the card information is entered.

The Magecart name derives from one of the first groups to use this method to steal credit cards from websites en masse. That group targeted websites running the open-source Magento e-commerce framework, which has about 250,000 users globally, but it has since become a generic term.

Gemini security researchers said the Keeper group “consists of an interconnected network of 64 attacker domains and 73 exfiltration domains”, all of which “use identical login panels and are linked to the same dedicated server”. 

They found that the server “hosts both the malicious payload and the exfiltrated data stolen from victim sites".

Which websites were hit by the Keeper gang?

The vast majority of sites breached by the hackers (85%) did use the Magneto e-commerce platform and were predominantly based in the US, the UK and the Netherlands. There were also many sites based in Australia and France.

A full list of the compromised websites is on the Gemini website. Few of them belong to internationally known companies, but the list does include the well-known British brand The Body Shop, the Canadian site of the American apparel brand Columbia Sportswear, the British sportswear retailer Umbro, the official website of the American country singer Alan Jackson, the website of the official AP Stylebook used by most U.S, journalists, and a memorably named British equestrian-fashion site called Horses with Attitude.

What can I do to prevent my credit card being stolen?

To protect yourself from having your credit card compromised while shopping online, you might want to look into a service that provides one-time card numbers for individual purchases. 

It also helps to have one of the best antivirus programs running on your PC or Mac, as the AV software will often know when a site is compromised and will warn you before you connect to it. 

In general, you should also check your credit-card statements at least once a month, and report anything unusual to your card issuer immediately. At least in the U.S., it's rare for credit-card holders to be left with the bill when someone else uses the card fraudulently.

Active on the dark web

Gemini claims that the perpetrators kept the details of 184,000 breached credit cards and that the time stamps were dated between July 2018 and April 2019.

"Based on the provided number of collected cards during a nine-month window, and accounting for the group’s operations since April 2017, Gemini estimates that it has likely collected close to 700,000 compromised cards," the report said.

By selling these compromised cards on the dark web, the crooks have likely made huge sums of money over the past few years. 

Gemini said:  “Extrapolating the number of cards per nine months to Keeper’s overall lifespan, and given the dark web median price of $10 per compromised Card Not Present (CNP) card, this group has likely generated upwards of $7 million USD from selling compromised payment cards.” 

The actual figure may be very different, however, because stolen-credit-card information is often sold at bulk discounts.

Since breaching its first e-commerce store in 2017, the Keeper group has “continually improved its technical sophistication and the scale of its operations”, Gemini said.

“Based on this pattern of successful Magecart attacks, Gemini assesses with high confidence that Keeper is likely to continue launching increasingly sophisticated attacks against online merchants across the world,” the report added.

Nicholas Fearn is a freelance technology journalist and copywriter from the Welsh valleys. His work has appeared in publications such as the FT, the Independent, the Daily Telegraph, The Next Web, T3, Android Central, Computer Weekly, and many others. He also happens to be a diehard Mariah Carey fan!