A group of hackers called ‘Keeper’ has, in the last three years, compromised at least 570 ecommerce sites in 55 countries, including India. The group has leaked information from more than 184,000 compromised cards and generated revenue upwards of USD 7 Mn from selling compromised payment cards, a report by threat advisory firm Gemini revealed.
In India, the group stole information from Mumbai-based online jewellery store ejohri.com, which was allegedly compromised in February this year.
The Gemini report mentions that more than 85% of the sites hacked by the group were being operated on the Magento CMS, which has more than 250,000 users worldwide and is known to be the top target for Keeper attacks. “The country hosting the largest selection of these victim e-commerce sites was the US, followed by the UK and the Netherlands,” the report said.
Some of the prominent websites hacked by the group include online bicycle merchant milkywayshop.it, Pakistan-based clothing store alkaramstudio.com, Indonesia-based Apple product reseller ibox.co.id and US-based premier wine and spirits seller cwspirits.com, among others.
The Gemini report warned that Keeper, which consists of an interconnected network of 64 attacker domains and 73 exfiltration domains, has rapidly improved its technical sophistication and the scale of its operations in the last three years. The report said that the recent spate of successful attacks by Keeper is enough to predict that the group isn’t going to let up anytime soon, and will continue “launching increasingly sophisticated attacks against online merchants across the world.”
Gemini uncovered information about Keeper’s attacks by accessing an unsecured access log on the Keeper control panel that contained 184,000 compromised cards with timestamps ranging from July 2018 to April 2019. “Extrapolating the number of cards per nine months to Keeper’s overall lifespan, and given the dark web median price of USD 10 per compromised Card Not Present (CNP) card, this group has likely generated upwards of USD 7 Mn from selling compromised payment cards.”
This year, small to medium-sized ecommerce retailers have become a daily target for Keeper attacks. The report mentions that ecommerce merchants running outdated content management systems (CMS) leave themselves extremely vulnerable to such attacks. For Keeper, the process can range from injecting malicious code through an illegal domain “to leveraging Google Cloud or GitHub storage services and using steganography to embed malicious payment card-stealing code into an active domain’s logos and images.”
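The report describes skimmer code hidden inside a site’s own logos and images. One check a merchant or incident responder can run on a webroot is to parse each image to its real end-of-file marker and flag anything appended after it, since a browser or image viewer renders the image normally and ignores a trailing payload. The following is an added example written for this article, not code from Gemini or from the Keeper operators; it assumes the appended-payload form of image hiding (payload after the JPEG EOI marker or the PNG IEND chunk) and will not detect code woven into pixel data. The sample images and the “tampered” suffix are constructed inline, and the PNG CRC bytes are placeholders because the scanner does not validate CRCs.

```python
import re
from pathlib import Path

# Format signatures used by the scanner.
JPEG_SOI = b"\xff\xd8"
PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Strings that are typical of JavaScript and have no business in image files.
SCRIPT_MARKERS = re.compile(
    rb"(<script|document\.|eval\(|atob\(|XMLHttpRequest|fetch\(|addEventListener)",
    re.IGNORECASE,
)


def jpeg_end(data: bytes):
    """Walk JPEG segments and return the offset just past the EOI marker.
    Returns None if the data is not a well-formed JPEG."""
    if not data.startswith(JPEG_SOI):
        return None
    i, n = 2, len(data)
    while i < n:
        if data[i] != 0xFF:
            return None
        while i < n and data[i] == 0xFF:  # skip fill bytes
            i += 1
        if i >= n:
            return None
        marker = data[i]
        i += 1
        if marker == 0xD9:  # EOI: the true end of the image
            return i
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:  # standalone markers
            continue
        if i + 2 > n:
            return None
        i += int.from_bytes(data[i:i + 2], "big")  # length includes itself
        if marker == 0xDA:  # SOS: skip entropy-coded data to the next marker
            while i + 1 < n:
                if data[i] == 0xFF and data[i + 1] != 0x00 and not (0xD0 <= data[i + 1] <= 0xD7):
                    break
                i += 1
    return None


def png_end(data: bytes):
    """Walk PNG chunks and return the offset just past the IEND chunk."""
    if not data.startswith(PNG_SIG):
        return None
    i, n = 8, len(data)
    while i + 8 <= n:
        length = int.from_bytes(data[i:i + 4], "big")
        ctype = data[i + 4:i + 8]
        i += 8 + length + 4  # header + data + CRC
        if ctype == b"IEND":
            return i
    return None


def scan_image(data: bytes) -> dict:
    """Classify one image: 'clean', 'trailing-data', or 'unparseable'.
    script_like is True when the trailing bytes look like JavaScript."""
    end = jpeg_end(data) if data.startswith(JPEG_SOI) else png_end(data)
    if end is None:
        return {"status": "unparseable", "trailing": None, "script_like": False}
    tail = data[end:]
    return {
        "status": "clean" if not tail else "trailing-data",
        "trailing": len(tail),
        "script_like": bool(SCRIPT_MARKERS.search(tail)),
    }


def scan_webroot(root: str) -> list:
    """Scan every .jpg/.jpeg/.png under root; return findings worth review."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.suffix.lower() in (".jpg", ".jpeg", ".png") and path.is_file():
            result = scan_image(path.read_bytes())
            if result["status"] != "clean":
                findings.append((str(path), result))
    return findings


# Constructed sample images (minimal, not real photos).
CLEAN_JPEG = (
    JPEG_SOI + b"\xff\xe0" + (6).to_bytes(2, "big") + b"JFIF"        # APP0
    + b"\xff\xda" + (3).to_bytes(2, "big") + b"\x01"                 # SOS header
    + b"\x12\x34\xff\x00\x56"                                        # entropy data
    + b"\xff\xd9"                                                    # EOI
)
CLEAN_PNG = (
    PNG_SIG + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 13 + b"CRC!"        # IHDR, placeholder CRC
    + b"\x00\x00\x00\x00IEND\xaeB`\x82"
)
# Hypothetical appended payload; illustrative text, not a real skimmer.
TAMPERED_JPEG = CLEAN_JPEG + b"\n<script>document.addEventListener('submit',f)</script>"
PADDED_PNG = CLEAN_PNG + b"\x00\x00"  # benign trailing padding

if __name__ == "__main__":
    for name, blob in [("clean.jpg", CLEAN_JPEG), ("logo.jpg", TAMPERED_JPEG), ("pad.png", PADDED_PNG)]:
        print(name, scan_image(blob))
```

Run `scan_webroot("/var/www/html")` on a copy of the site to list images with trailing data; the `script_like` flag separates a likely skimmer from harmless padding or metadata appended by an editor, though any trailing data on a payment page’s assets deserves a look. Pair this with a file-integrity baseline of the image directory so a freshly modified logo is caught on the next run.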
Among the victim sites, 85% used Magento CMS, while the remainder used WordPress, PrestaShop, Shopify and BigCommerce to host their websites.