Magecart skimmers ran keyloggers on commerce provider's website for two-and-a-half years

Ecommerce platform compromised by eight different skimmers hosted accounts for a number of high-profile organisations

An ecommerce platform providing payment facilities to multiple high-profile organisations was compromised by a Magecart skimmer for two-and-a-half years.

That's according to Sanguine Security, which claims that the attacker ran keyloggers to intercept customer payment data, adding that the platform had been so open it had multiple threat actors fighting over the platform.

The platform in question supported the online stores of ESPN magazine and US military website Stars and Stripes.

"Based on the code style, the observed malware can be grouped into seven different families of keyloggers. At times, multiple different keyloggers were present concurrently, sending the intercepted customer data to multiple servers across the globe," claims Sanguine.

It added: "The different modus operandi and concurrent theft suggest that numerous hacking factions had access to the platform."

Sanguine operates web crawlers that examine the code underlying commerce sites for signs of compromise. It first registered an anomaly on the ESPN magazine web store in August 2017 - Javascript code pointing to webstatvisit.com, a URL implicated in multiple Magecart breaches at the time.

This skimmer was allowed to operate undisturbed for 18 months, but was replaced in July 2018 with a completely different skimmer, according to Sanguine, linked to a popular ‘sniffer' kit that can be bought online for $950.

A month later, it was replaced by a third skimmer, which was replaced less than two weeks later by a fourth.

In total, Sanguine counted eight different skimmers, pointing to multiple domains, with two skimmers operating at the same time at one point.

"We can tie skimmer 1 (webstatvisit.com) to onlineclouds.info, another known skimmer domain that played an important role in a skimming feud that we reported in 2018. In that feud, the onlineclouds operator sabotaged their less-advanced rival. At that time, the onlineclouds.info domain was used to steal data from brands such as Elisabetta Franchi, Everlast and Umbro," reports Sanguine.

The apparent ease with which ecommerce sites can be compromised and the lackadaisical response of ecommerce companies has made web skimming a lucrative crime. Tens of thousands worldwide have been affected, according to security group RiskIQ. Furthermore, Magecart gangs typically operate in countries like Russia, where the authorities will leave them alone as long they don't compromise organisations within their jurisdiction.

However, in January, police in Indonesia arrested three on suspicion of web skimming in an international operation dubbed Operation Night Fury.