1. XE Group – Exposed: 8 Years of Hacking & Card Skimming for Profit

    In 2020 and 2021, Volexity identified multiple compromises related to a relatively unknown criminal threat actor that refers to itself as “XE Group”. Volexity believes that XE Group is likely a Vietnamese-origin criminal threat actor whose intrusions follow an approximate pattern: Compromise of externally facing services via known exploits (e.g., Telerik UI vulnerabilities) Monetization of these compromises through installation of password theft or credit card skimming code for web services related to these servers There has been previously reported XE Group activity in a blog by Malwarebytes from 2020; this post serves to provide additional  insight into XE Group and an update on its current operations. Analysis Volexity first encountered XE Group activity in early 2020 following a web server compromise at a customer site. The breach of the web server was automated, and it was remediated quickly after discovery, with no notable actions taken by the attacker. That one […]

  2. Magecart Strikes Again: Newegg in the Crosshairs

    Volexity has conducted the following research in collaboration with RiskIQ. We will discuss the same incident from different perspectives. RiskIQ’s report of this activity can be seen here. In another brazen attack against a major online retailer, the actors behind Magecart have struck the eCommerce operations of the popular computer hardware and electronics retailer Newegg. With this latest attack, joins the ranks of high-profile eCommerce websites that have fallen victim to the financial theft group. Based on findings recently published by RiskIQ, Magecart was identified as being responsible for a recently publicized breach claiming upwards of 380,000 victims that had used the British Airways website or mobile application. As it turns out, a nearly identical data theft campaign was being carried out against Newegg at the same time. In fact, it appears the Newegg compromise may have started nearly a week earlier. Volexity was able to verify the presence of […]

  3. JS Sniffer: E-commerce Data Theft Made Easy

    In late 2017, Volexity began tracking a new e-commerce financial data theft framework named JS Sniffer. The framework gives attackers a quick and efficient way to steal data from compromised e-commerce websites. JS Sniffer is optimized to steal data from compromised websites running the Magento e-commerce platform. However, Volexity has observed the framework on e-commerce websites leveraging OpenCart,, Shopify, WordPress, and others as well. Volexity initially identified the framework following a highly targeted attack campaign against a website that facilitates online ticket sales for numerous events and venues. One of the websites affected by this breach was an online retailer selling tickets for New Year’s Eve events in a large metropolitan area. The website’s checkout page was modified to house malicious code designed to steal information entered, such as name, address, credit card data, and even login credentials. This was done through the use of embedded JavaScript, collecting user […]