‘Keeper’ hacking group behind hacks at 570 online stores

A hacking group known as “Keeper” is responsible for security breaches at more than 570 online e-commerce portals over the last three years.

The Keeper gang broke into online store backends, altered their source code, and inserted malicious scripts that logged payment card details entered by shoppers in checkout forms.

These types of attacks are what the cyber-security community calls web skimming, e-skimming, or “Magecart” intrusions (named so after the first hacker group that used these tactics).

Keeper gang has been active since April 2017

In a report published today by threat intelligence firm Gemini Advisory, the company says that Keeper has been operating since at least April 2017, and continues to operate even today.

Gemini said it tracked the group’s activities because the Keeper gang used the same identical control panels for the backend servers where they collected payment card details from hacked stores.

By fingerprinting this backend panel, Gemini was able to track all of Keeper’s historical activities. This included the locations of past backend panels, malicious URLs used to host hacking infrastructure, but also a list of hacked online stores where Keeper inserted its malicious scripts.

Gemini said that almost 85% of the 570 hacked stores ran on top of the Magento e-commerce platform. Most of the stores were small to medium-sized operations.

Based on Amazon’s Alexa traffic rankings, Gemini says the vast majority of stores were small-scale operations but that Keeper also hit some big names — sites that drew between 500,000 and 1,000,000 monthly visitors. A list of the highest-ranked sites hacked by the Keeper gang is available below:

One Keeper backend leaked user card data

In addition, the Gemini Advisory team said that while investigating the Keeper gang’s infrastructure they also found that the gang failed to properly secure one of their backend panels where hackers sent payment card details collected from online stores.

Keeper says it was able to retrieve logs from the leaky backend containing around 184,000 payment card details that the Keeper gang collected between July 2018 and April 2019.

“Based on the provided number of collected cards during a nine-month window, and accounting for the group’s operations since April 2017, Gemini estimates that it has likely collected close to 700,000 compromised cards,” Gemini experts said in a report shared today with ZDNet.

“Given the current dark web median price of $10 per compromised Card Not Present (CNP) card, this group has likely generated upwards of $7 million USD from stealing and selling compromised payment cards in its full lifespan.”

The Gemini Advisory report contains the full list of all the 570+ sites that the Keeper gang hacked since April 2017.

Recorded Future, one of the largest threat intelligence companies on the cyber-security market, also announced today that it acquired a minority stake in Gemini Advisory.