The Trackers Who Steal

How WhoTracks.Me caught the trail of the MageCart hackers

We're all aware of the trackers siphoning off information about you as you browse the web. These trackers are mostly doing this for some business intelligence related reason - websites use these services to try to 'better understand' their customers, or to target them in order to attract their attention in a way which will benefit that website owner - be-it increasing the value of products customers put into their shopping cart, or increasing the likelihood that they click an ad.

However, there is another kind of tracker which is more nefarious than these. These are hidden scripts placed by hackers on E-commerce sites which try to steal your credit-card details as you enter them. In the last year a string of attacks — dubbed 'Magecart' — have affected major sites, including British Airways, Ticketmaster, NewEgg and VisionDirect; stealing payment information from millions of consumers.

At WhoTracks.Me we are monitoring the third-parties loaded on millions of pages per day, therefore once we know the domains that these hackers are using to send their stolen data, we can analyse the extent and impact of these operations. In this article we provide a post-analysis of the four big breaches this year, plus some insights our data gives in on-going attacks.

Four high-profile breaches

British Airways

In September 2018, British Airways announced that a security breach had led to a large theft of customer data. RiskIQ's write up of the breach explains how the attackers compromised a script on the payment page, such that it would send credit card information to a domain owned by the hackers: baways.com.

With this information we can query our data to look for page loads where baways.com was a third-party. This allows us to verify the extent of the breach, and how many users were affected. Our data shows that:

This data corroborates the statement by BA on the breach, that users entering card details "between 22:58 BST August 21 2018 until 21:45 BST September 5 2018" would have been affected.

Ticketmaster

In June 2018, Ticketmaster declared a hack of customer information. Again, RiskIQ's analysis tells us how it happened - this time involving a breach of the third-party supplier Inbenta. Compromised Inbenta scripts were then loaded on ticketmaster payment pages, and these scripts then skimmed credit card data input by customers and sent it to webfotce.me.

Unlike the British Airways case, this was not a targeted attack on Ticketmaster, rather a generic hacking program which affected many other sites. We can access the extent of these hacks by looking for the webfotce.me domain in our data:

In their disclosure, Ticketmaster say that UK customers were affected between February and June 23rd, and international customers could have been affected from September 2017. Again this matches up with our data, though we have no observations for international sites before December 2017.

Our data also shows several other sites affected by this attack:

Site Affected from Affected to Pages
otel.com 10/12/2017 21/06/2018 125
www.cheaperthandirt.com 19/01/2018 03/06/2018 42
www.printninja.com 16/02/2018 20/11/2018 45
www.vitacost.com 26/02/2018 04/06/2018 35
thehungryjpeg.com 12/03/2018 12/06/2018 19
www.klook.com 14/03/2018 12/06/2018 28
www.steinmart.com 15/03/2018 09/07/2018 12
www.marveloptics.com 28/03/2018 22/09/2018 15

Table 1: Sites affected by webfotce.me attack.

Compared to Ticketmaster, the impact of the breach on these sites is much smaller. Correlations between the dates of infection indicate that these sites were probably infected via a shared third-party (i.e. Inbenta) which was compromised. This shows how hackers can quickly achieve much greater scale by going for third-party services whose scripts will be loaded on many different sites.

NewEgg

Like British Airways, NewEgg were hit by a targetted attack. In this case the collection server was specific for the target. The hackers registered neweggstats.com in order to have a legitimate looking domain so that they could avoid suspicion for as long as possible.

Looking at our data, we see that pages on secure.newegg.com were sending requests to neweggstats.com for just over a month, between 15th August and 18th September, with 90 pages affected in our dataset1.

VisionDirect

On the November 19th, VisionDirect, a large UK-based glasses retailer, announced that their sites had been compromised between the November 3rd and 8th. In this case, a script was injected into the page from g-analytics.com which pretending to be a Google Analytics script. The difference is, that it will also send credit-card numbers back when it sees them in the page.

Our analysis shows that VisionDirect's European sites (.fr, .it, .es, .co.uk, .eu and .nl) were all affected from the November 3rd. On the .nl and .ie sites we still observed pages contacting the attacker's server on the 9th of November, suggesting that the malicious code may not have been completely removed as early as the press release suggests.

Compared to the other collection servers, g-analytics.com is currently much more active with 36 sites infected during November. We have, however, observed a shift in traffic since November 20th, with almost all sites which were previously infected with g-analytics.com switching to loading a script from google-analytics.is instead. This indicates that the attacks have ongoing access to these sites, allowing them to update their attack code.

Collection Server Sites Infected
g-analytics.com 36
googletagmanager.eu 29
magento.name 19
google-analytics.is 15
trafficanalyzer.biz 5
web-stats.cc 5
bandagesplus.com 5
nearart.com 4

Table 2: Collection servers still active in November 2018

A full list of sites affected during November is available at the end of this post.

Breach detection

While WhoTracks.Me was originally conceived as a transparency tool to show trackers directly or indirectly placed by site owners, this investigation as opened up another angle on this data. We can now effectively track the spread of malicious code being used to defraud web consumers. This capability can be taken to multiple different directions:

  1. Once the collection servers (or drop servers) are known, we can quickly find and notify websites that are compromised. This can reduce the exposure time of websites, and thus reduce the risk to the average web user. (Thanks to the work RiskIQ have done here to collate a list of active drop servers).
  2. We can audit breaches that have occurred, and make sure websites properly notify their users. The GDPR requires that companies notify users and authorities when user data is compromised. This data can be used to hold companies accountable if they try to dodge these responsibilities.
  3. Given the set of collection servers we already know, we can develop algorithms to automatically detect third-parties in pages which are similar. This would then allow us to detect and block these servers even earlier.

We are very exited to start exploring this direction for our data2.

Third-party scripts: A security liability

In all of these hacking cases, the entry point has been a malicious script which is loaded in the main document of the page. When this happens on a payment page, the attacker can read all of the information entered: credit card number, CVV, etc. Therefore, any script loaded on a payment page is potentially a critical security weakness.

With this in mind, we should be critical of the current careless way that scripts of scattered onto what should be secure webpages. In the case of the four big breaches we have outlined here, now standard browser security features could have prevented or limited the amount of data stolen:

As well as these high-profile cases, many of the other sites affected by these attacks are smaller E-Commerce sites using off-the-shelf software to run their business. It is therefore difficult for these sites to deploy these more advanced protection methods - even more so because the loading of 20 or 30 different untrusted third-parties on a webpage has become normalised, so users or even developers would not be able to detect unexpected third-parties appearing on a page.

Related to this is another tactic employed by these hacking groups: registering domains very similar to common third-party trackers so that developers do not notice that the site is compromised. Some examples:

Protecting users

As we can assume that sites will continue to get hacked, we require a way we can protect users from having their data stolen without relying on site owners. This is where the browser comes in - as the user-agent it should be able to protect the user from attacks like this, much like it already does with phishing and malware sites.

Luckily, as all of these attacks rely on collection servers to receive the stolen data, once we know of a server address we can use blocklists to prevent the browser from contacting these servers. Therefore, even when sites are compromised with malicious Javascript, this code will not be able to contact the hacker's server. For Cliqz and Ghostery users we have already distributed a block-list to block these domains and protect them from credit-card theft.

For Cliqz and Ghostery users we have already distributed a block-list to block these domains and protect them from credit-card theft.

Blocking is just a reactive measure though. Domains are cheap, and sites are getting hacked all the time, so these hackers could easily turn over their domains faster to mitigate our blocking. Therefore, a more robust solution has to incorporate fast detection of these drop servers in order to minimise the effective lifetime of each attack. We hope to incorporate the WhoTracks.Me data in the hunt for these domains, and to emulate the speed that we are already able to detect phishing sites.

Conclusion

In this post we've shown a new angle on the data we publish on WhoTracks.Me. As well as providing transparency on which companies are tracking you online, we are also able to turn this transparency on web criminals who are stealing from web users. This transparency can be used to:

Appendix: List of Magecart affected sites during November 2018

Collection Server Site Infected from infected to Number of pages
google-analytics.is www.groworganic.com 2018-11-22 2018-11-28 64
googletagmanager.eu www.wdrshop.de 2018-11-03 2018-11-28 74
google-analytics.is www.directmaterial.com 2018-11-28 2018-11-28 1
google-analytics.is www.harriscomm.com 2018-11-23 2018-11-28 9
google-analytics.is www.prospin.com.br 2018-11-24 2018-11-28 5
google-analytics.is www.electroactiva.com 2018-11-28 2018-11-28 1
magento.name www.gamesquest.co.uk 2018-11-13 2018-11-28 21
google-analytics.is www.drakegeneralstore.ca 2018-11-23 2018-11-28 23
google-analytics.is shop.tokidoki.it 2018-11-26 2018-11-28 3
magento.name store.curiousinventor.com 2018-11-01 2018-11-28 13
webfotce.me www.printninja.com 2018-11-05 2018-11-28 7
vuserjs.com www.medelita.com 2018-11-01 2018-11-27 63
googletagmanager.eu www.aneros.com 2018-11-01 2018-11-27 49
magento.name www.arrazofashion.com.br 2018-11-27 2018-11-27 1
fastproxycdn.com lessthan10pounds.com 2018-11-09 2018-11-27 19
magento.name chebdveri.ru 2018-11-02 2018-11-27 2
googletagmanager.eu www.onegreekstore.com 2018-11-02 2018-11-27 8
vmaxjs.com www.artistsnetwork.com 2018-11-01 2018-11-27 105
googletagmanager.eu slf24.pl 2018-11-08 2018-11-26 26
google-analytics.is www.pvcfittingsonline.com 2018-11-22 2018-11-26 42
googletagmanager.eu www.bestkiteboarding.com 2018-11-09 2018-11-26 24
qsxjs.com vapenw.com 2018-11-02 2018-11-26 86
magento.name www.compremake.com.br 2018-11-20 2018-11-26 3
valdatecode.com www.carnivalbkk.com 2018-11-03 2018-11-26 52
googletagmanager.eu www.mobileparadise.de 2018-11-21 2018-11-26 4
googletagmanager.eu www.cht-cottbus.de 2018-11-03 2018-11-26 79
privatejs.com www.bydubai.com 2018-11-01 2018-11-26 55
google-analytics.is www.scojo.com 2018-11-24 2018-11-26 10
googletagmanager.eu www.nordhandel.de 2018-11-01 2018-11-25 106
alfcdn.com www.softstarshoes.com 2018-11-25 2018-11-25 2
magento.name www.prestigioplaza.com 2018-11-25 2018-11-25 3
googletagmanager.eu www.wslstore.com 2018-11-18 2018-11-25 2
magento.name www.herve-leger-shop.com 2018-11-25 2018-11-25 1
googletagmanager.eu amsducati.com 2018-11-05 2018-11-25 6
google-analytics.is www.ozarksource.com 2018-11-24 2018-11-24 1
g-analytics.com geissele.com 2018-11-10 2018-11-24 85
crtteo.com www.accessorygeeks.com 2018-11-01 2018-11-23 31
google-analytics.is drdennisgross.com 2018-11-22 2018-11-23 4
googletagmanager.eu www.everbestshoes.com 2018-11-23 2018-11-23 1
googletagmanager.eu unitedsalonsupplies.com 2018-11-23 2018-11-23 2
trafficanalyzer.biz www.oaknyc.com 2018-11-19 2018-11-23 2
googletagmanager.eu dampoteket.no 2018-11-07 2018-11-23 10
magento.name www.ikonmotorsports.com 2018-11-05 2018-11-23 8
google-analytics.is www.dreamduffel.com 2018-11-23 2018-11-23 4
nearart.com www.westcottbrand.com 2018-11-04 2018-11-23 13
magento.name oramaoptics.gr 2018-11-21 2018-11-23 3
google-analytics.is www.cruyffclassics.com 2018-11-23 2018-11-23 3
magento.name www.weldingsuppliesdirect.co.uk 2018-11-05 2018-11-22 9
googletagmanager.eu hk.ap-nutrition.com 2018-11-13 2018-11-22 3
nearart.com www.camillusknives.com 2018-11-03 2018-11-22 27
google-analytics.is www.softballfans.com 2018-11-22 2018-11-22 3
magento.name www.ammerer.com 2018-11-02 2018-11-22 4
g-analytics.com www.candent.ca 2018-11-22 2018-11-22 1
googletagmanager.eu www.autosiliconehoses.com 2018-11-03 2018-11-21 29
google-analytics.is temptu.com 2018-11-21 2018-11-21 4
googletagmanager.eu www.lampen-line.de 2018-11-04 2018-11-21 16
googletagmanager.eu www.airagestore.com 2018-11-05 2018-11-21 6
g-analytics.com drdennisgross.com 2018-11-11 2018-11-20 8
g-analytics.com pvcpipesupplies.com 2018-11-12 2018-11-20 5
g-analytics.com www.cruyffclassics.com 2018-11-08 2018-11-20 13
g-analytics.com www.pvcfittingsonline.com 2018-11-08 2018-11-20 77
g-analytics.com www.ahmadtea.com 2018-11-09 2018-11-20 10
g-analytics.com www.groworganic.com 2018-11-04 2018-11-20 87
web-stats.cc www.kingfishertapes.co.uk 2018-11-20 2018-11-20 3
g-analytics.com www.fabglassandmirror.com 2018-11-10 2018-11-20 9
statsdot.eu www.punkstuff.com 2018-11-20 2018-11-20 14
onefromeu.com www.joyfolie.com 2018-11-03 2018-11-20 16
listrakb.com www.skistart.com 2018-11-02 2018-11-19 4
g-analytics.com www.energymuse.com 2018-11-06 2018-11-19 72
googletagmanager.eu www.casinhabonita.com.br 2018-11-06 2018-11-19 20
g-analytics.com www.frightprops.com 2018-11-15 2018-11-19 3
statsdot.eu storeinfinity.com 2018-11-07 2018-11-19 10
g-analytics.com www.especialneeds.com 2018-11-12 2018-11-19 21
g-analytics.com www.stmgoods.com.au 2018-11-09 2018-11-18 7
onefromeu.com www.poshshop.com 2018-11-13 2018-11-18 39
googletagmanager.eu deanzelinsky.com 2018-11-07 2018-11-18 11
googletagmanager.eu nativetreasuresnm.com 2018-11-10 2018-11-18 8
g-analytics.com vapage.com 2018-11-13 2018-11-18 23
magento.name www.hydraulicsonline.co.uk 2018-11-02 2018-11-18 2
nearart.com mitchellssalon.com 2018-11-18 2018-11-18 1
g-analytics.com altheatsupply.com 2018-11-14 2018-11-18 5
scriptsfyou.com adamspolishes.com 2018-11-01 2018-11-17 55
googletagmanager.eu www.recifeingressos.com 2018-11-16 2018-11-17 3
g-analytics.com www.stmgoods.com 2018-11-10 2018-11-16 12
g-analytics.com temptu.com 2018-11-06 2018-11-16 7
g-analytics.com www.drakegeneralstore.ca 2018-11-16 2018-11-16 1
g-analytics.com shop.tokidoki.it 2018-11-15 2018-11-15 3
g-analytics.com medmartonline.com 2018-11-13 2018-11-15 4
g-analytics.com intl.drdennisgross.com 2018-11-15 2018-11-15 2
googletagmanager.eu ikiegeszitok.hu 2018-11-08 2018-11-15 11
g-analytics.com www.weareverincontinence.com 2018-11-12 2018-11-14 3
cdnscriptx.com www.cartouchesarabais.com 2018-11-11 2018-11-14 14
g-analytics.com cig2o.com 2018-11-14 2018-11-14 1
fastproxycdn.com tilebar.com 2018-11-03 2018-11-14 120
g-analytics.com www.curediva.com 2018-11-07 2018-11-13 6
typeklt.com www.mariatash.com 2018-11-02 2018-11-13 49
g-analytics.com www.lucerooliveoil.com 2018-11-13 2018-11-13 5
g-analytics.com www.plumbingsupplynow.com 2018-11-13 2018-11-13 1
magento.name www.grafipronto.pt 2018-11-12 2018-11-12 1
checkercarts.com www.shambhala.com 2018-11-01 2018-11-12 19
scriptsenvoir.com www.heatpressnation.com 2018-11-01 2018-11-12 48
typeklt.com www.cabletiesunlimited.com 2018-11-09 2018-11-12 6
web-stats.cc www.costway.de 2018-11-07 2018-11-10 2
g-analytics.com www.visiondirect.ie 2018-11-05 2018-11-09 4
web-stats.cc www.rincondidactico.cl 2018-11-09 2018-11-09 1
g-analytics.com www.visiondirect.nl 2018-11-04 2018-11-09 41
magento.name patbo.com.br 2018-11-05 2018-11-09 3
googletagmanager.eu professional.imageskincare.nl 2018-11-09 2018-11-09 2
googletagmanager.eu consument.imageskincare.nl 2018-11-09 2018-11-09 2
magento.name eaccesoriigsm.ro 2018-11-08 2018-11-08 1
jspoi.com www.padini.com 2018-11-04 2018-11-08 3
g-analytics.com www.visiondirect.co.uk 2018-11-03 2018-11-08 112
googletagmanager.eu www.oddbins.com 2018-11-01 2018-11-08 9
g-analytics.com www.visiondirect.fr 2018-11-03 2018-11-07 53
magento.name upmarketpets.com 2018-11-07 2018-11-07 1
g-analytics.com www.visiondirect.it 2018-11-04 2018-11-07 2
g-analytics.com www.visiondirect.es 2018-11-05 2018-11-07 26
upgradenstore.com www.armysurplusworld.com 2018-11-06 2018-11-06 1
g-analytics.com www.ozarksource.com 2018-11-06 2018-11-06 1
upgradenstore.com www.princesspolly.com 2018-11-01 2018-11-06 3
locatefyou.com www.jjroofingsupplies.co.uk 2018-11-01 2018-11-06 10
g-analytics.com www.prospin.com.br 2018-11-06 2018-11-06 1
web-stats.cc www.baleyo.com 2018-11-06 2018-11-06 1
maxijs.com copperlab.com 2018-11-05 2018-11-05 9
gamacdn.com csvape.com 2018-11-03 2018-11-05 2
valdatecode.com www.pfiwestern.com 2018-11-01 2018-11-05 15
googletagmanager.eu erecycleronline.com 2018-11-05 2018-11-05 1
magento.name nicoman.co.uk 2018-11-01 2018-11-05 2
minifyscripts.com shop.bombingscience.com 2018-11-03 2018-11-04 4
web-stats.cc shelfadditions.com 2018-11-04 2018-11-04 2
jspoi.com store.asqgrp.com 2018-11-01 2018-11-04 3
trafficanalyzer.biz www.irishnewsarchive.com 2018-11-03 2018-11-03 1
magento.name www.cochesdemetal.es 2018-11-01 2018-11-03 2
magento.name originalnye-zapchasti.com 2018-11-02 2018-11-02 1
googletagmanager.eu www.exeltek.com.au 2018-11-02 2018-11-02 2
g-analytics.com www.hyperparapharmacie.com 2018-11-02 2018-11-02 1
amasty.biz www.decantshop.com 2018-11-01 2018-11-01 1
jspoi.com massivejoes.com 2018-11-01 2018-11-01 4
cdnrfv.com www.versare.com 2018-11-01 2018-11-01 18
magento.name www.yourdezire.co.uk 2018-11-01 2018-11-01 2
allacarts.com www.plumprettysugar.com 2018-11-01 2018-11-01 6

  1. By "Pages Affected" we mean the number of page loads where we saw some third-party call to a server associated with MageCart operations. 

  2. Reach out to privacy@cliqz.com if you have suggestions, or would simply like to get in touch.