Stolen credit card items physically shipped by network of threat actors

In October of last year, the RiskIQ Threat Research team released a report profiling the e-commerce threat they discovered and dubbed ‘Magecart,’ which injects JavaScript code into e-commerce sites running outdated and unpatched versions of shopping cart software from Magento, Powerfront, and OpenCart. By logging consumer keystrokes, these attackers capture large quantities of payment card information.

Now, by following a new strain of Magecart, the team has discovered a direct link to the outcome of the stolen credit cards for threat actors, offering rare insight into the physical world operations of actors tied to digital threats.

>See also: The smart credit card designed for preventing fraud

The report highlights how threat actors targeting e-commerce sites cash out by reshipping items purchased with stolen cards via a physical reshipping company, operating with mules in the U.S.

In light of the recent Krebs on Security blog post, which ties Magecart infrastructure listed in our original report to a credit card dumps website known as “Trump’s Dumps,” it’s clear that these actors have a diversified portfolio of rackets for monetising their plunder.

“Magecart activity is still going strong, affecting new sites and continuing to register new domains to host the injected web skimmer scripts,” said Yonathan Klijnsma, threat researcher at RiskIQ. “New insight into the sophisticated way these actors are monetising their activities in the physical world shows the broadness of their scope of operations.”

By pivoting on a domain related to known Magecart activity in RiskIQ PassiveTotal, the team found that the server behind its IP address, currently used for the injects of the Magecart script, also links to a reshipping company website falsely advertised as a freight/logistics provider.

>See also: UK hit by £618m losses from card fraud – the highest in Europe

Via false employment ads on Russian job websites for U.S.-based job seekers, mules are recruited under the pretence of “transport agents,” tasked with receiving shipments of electronics and other goods bought with stolen credit cards to ship to an address in Eastern Europe.

This technique is similar to more traditional schemes involving money mules, but rather than a direct transfer of funds, the actors behind Magecart transfer funds into higher-priced goods, which can be shipped across borders without suspicion then sold for a hefty profit.

The report takes a deep dive into:

● The evolution of payment card theft.

● Magecart infrastructure: what it looks like, how to detect it, and how it’s evolving.

● Why e-commerce sites and consumers are at risk.

>See also: Identity fraud hits all time high – young people growing target

● The Magecart operators’ offline rackets and why they work.

● Guidance for e-commerce site owners and why having a dynamic view of their digital footprint is key to defending themselves.


“This new report shows how Magecart is an effective and lucrative operation for these actors,” Klijnsma said. “It may well indicate a burgeoning trend of keylogging threats affecting e-commerce sites.”


The UK’s largest conference for tech leadershipTech Leaders Summit, returns on 14 September with 40+ top execs signed up to speak about the challenges and opportunities surrounding the most disruptive innovations facing the enterprise today. Secure your place at this prestigious summit by registering here

Avatar photo

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...

Related Topics