{
	"id": "7f255b12-e197-479e-9da4-62bfb917d992",
	"created_at": "2026-04-06T00:06:54.141392Z",
	"updated_at": "2026-04-10T03:38:09.729882Z",
	"deleted_at": null,
	"sha1_hash": "9f039ced134e4e38ccc0120475707a6f7b745f26",
	"title": "MageCart Group Sabotages Rival to Ruin Data and Reputation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2359417,
	"plain_text": "MageCart Group Sabotages Rival to Ruin Data and Reputation\r\nBy Ionut Ilascu\r\nPublished: 2018-11-21 · Archived: 2026-04-05 16:23:05 UTC\r\nCybercriminals in the web-skimming business are sabotaging their competition by poisoning the payment data they exfiltrate from online stores. This causes the losing party to end up with a big fat nothing and a ruined reputation on underground forums.\r\nThe groups colliding on the real victim's server are from the MageCart line of cybercriminals, identified by Yonathan Klijnsma of RiskIQ, in order of their appearance, as group 3 and group 9. Obviously, one of them is better at this game and that is the latter.\r\nIndependent security researcher Willem de Groot and Jérôme Segura of Malwarebytes published two reports about the web-skimming code from Magecart group 9 wrecking their competition's operation.\r\nhttps://www.bleepingcomputer.com/news/security/magecart-group-sabotages-rival-to-ruin-data-and-reputation/\r\nPage 1 of 4\r\nThe 'playground' was the website of Umbro Brazil and the B.Liv online cosmetics shop.\r\nHunting for the rival's exfiltration domains\r\nAccording to the researchers, the code used by group 9 is heavily obfuscated and it can detect the presence of other web-skimmers on the server. If a competing skimmer is detected, it intercepts the card data captured by the competition and changes the last digit of the card number so that the data becomes worthless.\r\nTo trigger the data-poisoning mechanism, the code checks for domain names used by the competitor to exfiltrate the payment details. If such a domain is detected, it generates a random number from 0-9 and replaces the last digit of the card number with it.\r\nDetecting competitor's exfiltration domain and changing card number (credit: Malwarebytes)\r\nSegura says that the slight modification of the card number may be sufficient to pass validation, but the payment information is useless.\r\nSelling non-working card data on the black market is a serious hit to the seller's reputation, de Groot explains.\r\n\"Why the subtle sabotage, instead of just killing the inferior skimmer? On the dark web markets, reputation is everything,\" stated de Groot in a blog post about the competing skimmers. \"If one sells non-working cards, angry customers will publicly complain and it will destroy the competing “brand”.\"\r\nSabotaging competition is a strategy seen in the past in cryptomining operations. GhostMiner, the first fileless cryptocurrency miner, scans for and stops other processes that may be mining on the host, a behavior later adopted by CroniX.\r\nMagecart operations typically take advantage of third-party scripts that are loaded at checkout. To protect themselves, website owners should remove from payment information pages any components that are not required to process the transaction or customer data. The risk of compromise is further reduced by keeping plugins updated to the latest version.\r\nSource: https://www.bleepingcomputer.com/news/security/magecart-group-sabotages-rival-to-ruin-data-and-reputation/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/magecart-group-sabotages-rival-to-ruin-data-and-reputation/"
	],
	"report_names": [
		"magecart-group-sabotages-rival-to-ruin-data-and-reputation"
	],
	"threat_actors": [
		{
			"id": "5a0483f5-09b3-4673-bb5a-56d41eaf91ed",
			"created_at": "2023-01-06T13:46:38.814104Z",
			"updated_at": "2026-04-10T02:00:03.110104Z",
			"deleted_at": null,
			"main_name": "MageCart",
			"aliases": [],
			"source_name": "MISPGALAXY:MageCart",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cf7fc640-acfe-41c4-9f3d-5515d53a3ffb",
			"created_at": "2023-01-06T13:46:38.228042Z",
			"updated_at": "2026-04-10T02:00:02.883048Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"PLA Unit 61398",
				"Comment Crew",
				"Byzantine Candor",
				"Comment Group",
				"GIF89a",
				"Group 3",
				"TG-8223",
				"Brown Fox",
				"ShadyRAT",
				"G0006",
				"COMMENT PANDA"
			],
			"source_name": "MISPGALAXY:APT1",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3aaf0755-5c9b-4612-9f0e-e266ef1bdb4b",
			"created_at": "2022-10-25T16:07:23.480196Z",
			"updated_at": "2026-04-10T02:00:04.626125Z",
			"deleted_at": null,
			"main_name": "Comment Crew",
			"aliases": [
				"APT 1",
				"BrownFox",
				"Byzantine Candor",
				"Byzantine Hades",
				"Comment Crew",
				"Comment Panda",
				"G0006",
				"GIF89a",
				"Group 3",
				"Operation Oceansalt",
				"Operation Seasalt",
				"Operation Siesta",
				"Shanghai Group",
				"TG-8223"
			],
			"source_name": "ETDA:Comment Crew",
			"tools": [
				"Auriga",
				"Cachedump",
				"Chymine",
				"CookieBag",
				"Darkmoon",
				"GDOCUPLOAD",
				"GLOOXMAIL",
				"GREENCAT",
				"Gen:Trojan.Heur.PT",
				"GetMail",
				"Hackfase",
				"Hacksfase",
				"Helauto",
				"Kurton",
				"LETSGO",
				"LIGHTBOLT",
				"LIGHTDART",
				"LOLBAS",
				"LOLBins",
				"LONGRUN",
				"Living off the Land",
				"Lslsass",
				"MAPIget",
				"ManItsMe",
				"Mimikatz",
				"MiniASP",
				"Oceansalt",
				"Pass-The-Hash Toolkit",
				"Poison Ivy",
				"ProcDump",
				"Riodrv",
				"SPIVY",
				"Seasalt",
				"ShadyRAT",
				"StarsyPound",
				"TROJAN.COOKIES",
				"TROJAN.FOXY",
				"TabMsgSQL",
				"Tarsip",
				"Trojan.GTALK",
				"WebC2",
				"WebC2-AdSpace",
				"WebC2-Ausov",
				"WebC2-Bolid",
				"WebC2-Cson",
				"WebC2-DIV",
				"WebC2-GreenCat",
				"WebC2-Head",
				"WebC2-Kt3",
				"WebC2-Qbp",
				"WebC2-Rave",
				"WebC2-Table",
				"WebC2-UGX",
				"WebC2-Yahoo",
				"Wordpress Bruteforcer",
				"bangat",
				"gsecdump",
				"pivy",
				"poisonivy",
				"pwdump",
				"zxdosml"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434014,
	"ts_updated_at": 1775792289,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9f039ced134e4e38ccc0120475707a6f7b745f26.pdf",
		"text": "https://archive.orkl.eu/9f039ced134e4e38ccc0120475707a6f7b745f26.txt",
		"img": "https://archive.orkl.eu/9f039ced134e4e38ccc0120475707a6f7b745f26.jpg"
	}
}