The “Keeper” Magecart Group targeted at least six South African ecommerce websites as part of a battery of cyberattacks conducted between 1 April 2017 and 7 July 2020, a report from Gemini Advisory has stated.
Globally, 570 online shops in 55 different countries were targeted with the aim of infecting their websites with malicious software to steal personal data. In some instances, this included payment card information.
Gemini said that as part of its investigation, it discovered that the “Keeper” Magecart group consists of an interconnected network of 64 attacker domains and 73 exfiltration domains.
“The Keeper exfiltration and attacker domains use identical login panels and are linked to the same dedicated server; this server hosts both the malicious payload and the exfiltrated data stolen from victim sites,” Gemini stated.
While over 85% of the victim sites operated on the Magento CMS, the attackers also targeted sites running WordPress (5.5%), Shopify (4.2%), BigCommerce (2.0%), and PrestaShop (0.5%).
Out of the 55 countries represented in Gemini’s investigation, South Africa had the 16th highest number of compromised domains. The countries which saw the most infections were the United States, the United Kingdom, the Netherlands, France, and India.
“Gemini uncovered an unsecured access log on the Keeper control panel with 184,000 compromised cards with time stamps ranging from July 2018 to April 2019,” the advisory said.
“Extrapolating the number of cards per nine months to Keeper’s overall lifespan, and given the dark web median price of $10 per compromised Card Not Present card, this group has likely generated upwards of $7 million from selling compromised payment cards.”
Gemini said that the Keeper Magecart group has been active for three years and has continually improved its technical sophistication and the scale of its operations.
“Based on this pattern of successful Magecart attacks, Gemini assesses with high confidence that Keeper is likely to continue launching increasingly sophisticated attacks against online merchants across the world.”
South African websites compromised
The following table summarises the six South African websites included in Gemini’s report.
| Company | Domain | Est. date of infection | Feedback |
| --- | --- | --- | --- |
| ARB Electrical Wholesalers | arb.co.za | 2 December 2019 | Declined to comment. |
| Baby City | www.babycity.co.za | 11 October 2017 | No feedback. |
| Getting A Deal | gettingadeal.co.za | 9 March 2018 | Caught attack immediately. No customers affected. No data was exfiltrated. |
| Hirsch’s | hirschs.co.za | 19 April 2018 | Breach identified and contained before site could be compromised. |
| PC Express | pcexpress.co.za | 26 February 2020 | Didn’t pick up anything in logs. |
| Printulu | printulu.co.za | 24 August 2019 | Don’t store payment details. Affected customers were notified. |
MyBroadband contacted each of the six companies listed above by phone and by e-mail prior to publication.
ARB declined to comment and Baby City did not provide comment by the time of publication. Hypertext noted that the Baby City breach may predate the launch of the site’s ecommerce functionality. It is not clear whether the Baby City website remained infected after its ecommerce services were launched.
Hirsch’s published the following statement on Twitter:
“Yes, we are aware of this incident in 2018. The breach was identified and contained by our specialist developers before the Hirsch’s site could be compromised. All payment information is held strictly with our payment partners and not with Hirsch’s ensuring customer safety.”
A spokesperson for Getting A Deal told MyBroadband they were lucky enough to detect the attack while it was in progress and deal with it immediately. No customers were affected, and the attackers didn’t get any data from the site, the company said.
“We run dual servers,” Getting A Deal explained. “When we detected the attack, we immediately shut everything down, restored a backup to the second server, secured it, and got a full audit from a company in Cape Town.”
Getting A Deal explained that it also does not hold any credit card information – that is all handled by PayPass and other payment processors.
Since the attack, Getting A Deal has launched a new website on a completely new platform, which it said has made things even more secure.
“In this day and age companies are going to get hacked every day. It’s how they deal with it that’s the important thing,” Getting A Deal said.
PC Express told MyBroadband that it checked its server logs, but could find no evidence of a breach. It is continuing to investigate Gemini’s report.
Printulu founder and CEO Alexander Knieps told MyBroadband that malicious code was injected into their website via a third-party plugin in August 2019.
“We can confirm that no payment information was directly stolen from our database. We do not store any payment details as we use an external provider to process our payments. The clients that were identified to be affected were contacted directly and all clients that could have been affected were contacted via email,” Knieps stated.
“Our technical team removed the code within hours of the incident being reported to them. Afterwards, our technical team put in the necessary safeguards to prevent the malicious code from being injected again. The data of our clients is of utmost importance to us and this is why we spend significant resources on rectifying the issue and putting the necessary measures in place.”