The “Keeper” Magecart group has targeted more than 570 victim e-commerce sites in 55 different countries from April 1, 2017 until the present, according to new analysis from Gemini Advisory.
Gemini estimates Keeper, which consists of an interconnected network of 64 attacker domains and 73 exfiltration domains, has likely made millions of dollars from selling compromised payment cards. Gemini uncovered an unsecured access log on the Keeper control panel with 184,000 compromised cards with time stamps ranging from July 2018 to April 2019.
“Extrapolating the number of cards per nine months to Keeper’s overall lifespan, and given the dark web median price of $10 per compromised Card Not Present (CNP) card, this group has likely generated upwards of $7 million USD from selling compromised payment cards,” the firm said in a summary of the findings.
Gemini’s research also reveals over 85 percent of the victim sites operated on the Magento CMS, which is known to be the top target for Magecart attacks and boasts over 250,000 users worldwide. The United States hosts the largest number of victim e-commerce sites, followed by the United Kingdom and the Netherlands.
Gemini researchers also note that the Keeper Magecart group has been active for three years and has continued to improve its technical sophistication and the scale of its operations. Based on the pattern of successful Magecart attacks, Gemini predicts that Keeper is likely to continue launching increasingly sophisticated attacks against online merchants across the world.