Nearly 600 Online Shops Have Been Successfully Attacked by the Same Group of Hackers

Keeper Magecart Group

After a lengthy investigation, researchers from Gemini Advisory uncovered that a single group of cybercriminals is responsible for the successful attacks against no fewer than 570 ecommerce websites based in 55 countries across the globe. The crew is called Keeper, and its attacks consist of compromising the target and injecting malicious code that exfiltrates credit card details and other personal information during the checkout process.

It's a classic Magecart operation, and it's proving to be rather successful. According to Gemini's calculations, between April 2017 and the present day, the Keeper gang has compromised around 700 thousand credit cards, which have a dark web market value of around $7 million. Let's see how the experts managed to draw all these conclusions.

A login panel revealed Keeper's entire infrastructure

Gemini's researchers discovered the Keeper gang when they followed the exfiltration URL used during a Magecart attack. They were greeted by a login form that they had seen before. An identical login panel had been used in other Magecart attacks, and the researchers knew that this could be significant. A further investigation revealed that all these login panels pointed to the same dedicated server, which confirmed that all the attacks had been carried out by the same group of hackers. The name "Keeper" comes from the fact that the domain "fileskeeper[.]org" has been a major part of the group's infrastructure.

Keeper – a formidable Magecart group

Having identified all previous targets, Gemini's researchers set about looking into the specifics of Keeper's modus operandi. The group predominantly targets small, less popular online shops, though the list of victims does contain a few websites that have over 500 thousand monthly visitors. About 85% of the attacked websites have been built with Magento, which shouldn't really be a surprise. Magento is one of the most popular platforms for creating ecommerce websites, and, as the FBI warned recently, many of the shops running on it are riddled with easily exploitable vulnerabilities.

Having taken a close look at some of Keeper's attacks, Gemini's experts saw quite a few obfuscation techniques, which suggested that the hackers know what they're doing. The researchers did manage to find a mistake, though. An access log had been left unprotected, and after taking a look inside it, the experts found the details of 184 thousand credit cards compromised between July 2018 and April 2019. This is how they came up with the estimate of Keeper's total profits.

By hitting smaller websites, Keeper's hackers are not drawing too much attention to themselves, and at the same time, it's obvious that they're making a hefty profit on the operation. You have to agree that they have little reason to quit now.

July 8, 2020
