Gemini Advisory specialists presented a report on the activities of the hacker group Keeper, which has been active since at least 2017. The group engages in web skimming, also known as MageCart-style attacks (named after the first group of hackers who used this tactic). That is, attackers hack online stores and inject malicious scripts into their code that steal payment card data entered by customers when placing an order.
Researchers from Gemini Advisory were able to trace the group’s activity because the hackers used the same control panels on their internal servers, where they collected stolen card data. Fingerprinting these backend panels helped the specialists trace the entire history of Keeper, find the locations of old backend panels and infrastructure URLs, and compile a list of hacked online stores.
It is reported that approximately 85% of all the stores hacked by the group ran on the Magento platform, and most of them belonged to small and medium-sized businesses. According to Amazon and Alexa ratings, the vast majority of affected sites were quite small, but there were several big names among the Keeper victims, that is, sites that attracted from 500,000 to 1,000,000 visitors per month.
While studying the infrastructure of the hacking group, Gemini Advisory analysts found that the hackers had failed to properly protect one of their backend panels, where they collected information about the stolen cards. The logs obtained by the experts contained data on approximately 184,000 cards stolen from July 2018 to April 2019.
Given that the attackers were able to steal data on 184,000 payment cards in just nine months, the experts calculated that over the entire period of activity, starting in 2017, the group compromised approximately 700,000 cards.
“Given that the current median price of one CNP card in the darknet is $10, over the course of its existence, this group has probably earned more than $7,000,000 by stealing and selling information about payment cards,” the researchers suggest.
The full list of all sites compromised by Keeper can be found in the company’s report.