Magecart Hackers Continue Improving Skimmers

A Magecart threat actor tracked as “Group 7” has been using a skimmer that creates iframes to steal payment card data, RiskIQ reveals.

Various versions of the skimmer have been observed since January, featuring different levels of obfuscation, and 19 victim sites have been identified to date. In some cases, compromised websites were abused to host the skimming code, to load it onto other compromised websites, and to receive the exfiltrated data.

The skimmer, which RiskIQ dubbed MakeFrame, features hex-encoded strings and several layers of obfuscation, as well as an anti-analysis technique employing a check for beautifiers (which make code more readable for threat analysts). The code doesn’t execute properly if it has been beautified.

“This check means that a researcher has to deal with the blob of code if they want to deobfuscate it. For analysts experienced with deobfuscation, it just costs more time; for ones who are not, it could prevent them from figuring out what the code is doing,” RiskIQ explains.

Analysis of the malicious code revealed objects that directly refer to the creation of iframes for skimming payment data. The iframes host a fake payment form into which the victim enters card data. One function formats the fake payment form, while another creates its “submit” button.

Thus, if the victim fills out the form and then presses the “submit” button, the card data is skimmed.
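As an added example that is not part of RiskIQ's report or this article, the following Python triage helper shows how an analyst might take a first pass at a suspect script with the traits described above: it decodes the `\xHH` string escapes the article mentions and flags iframe creation and a `.php` exfiltration URL in the decoded text. The sample script, the heuristics and the density threshold are constructed assumptions, not RiskIQ's detection logic, and the URL is a placeholder.

```python
import re

# Constructed sample that mimics the traits described in the article (hex-escaped
# string literals, iframe creation via createElement, exfiltration to a .php
# endpoint on another host). It is NOT the MakeFrame code; the host is a placeholder.
SAMPLE_JS = r'''
var a=["\x69\x66\x72\x61\x6d\x65","\x63\x72\x65\x61\x74\x65\x45\x6c\x65\x6d\x65\x6e\x74"];
var f=document[a[1]](a[0]);
f.src="\x68\x74\x74\x70\x73\x3a\x2f\x2f\x65\x78\x61\x6d\x70\x6c\x65\x2e\x69\x6e\x76\x61\x6c\x69\x64\x2f\x67\x61\x74\x65\x2e\x70\x68\x70";
'''

HEX_ESCAPE = re.compile(r'\\x([0-9a-fA-F]{2})')
PHP_URL = re.compile(r'https?://[^\s"\'<>]+\.php\b')

def decode_hex_escapes(src):
    """Replace JavaScript \\xHH escapes with the characters they encode."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), src)

def triage(src, density_threshold=0.05):
    """Return the decoded script plus indicators worth a closer look.

    Indicators (assumed heuristics, chosen for this example):
      hex_heavy     - share of the source spent on \\xHH escapes is unusually high
      iframe_create - decoded text builds an iframe via createElement
      php_exfil     - decoded text contains a URL ending in .php
    """
    escapes = HEX_ESCAPE.findall(src)
    decoded = decode_hex_escapes(src)
    flags = []
    # each escape is 4 source characters (\xHH); compare against total length
    if src and (4 * len(escapes)) / len(src) >= density_threshold:
        flags.append("hex_heavy")
    if "createElement" in decoded and "iframe" in decoded:
        flags.append("iframe_create")
    php_urls = PHP_URL.findall(decoded)
    if php_urls:
        flags.append("php_exfil")
    return {"escapes": len(escapes), "decoded": decoded,
            "php_urls": php_urls, "flags": flags}

if __name__ == "__main__":
    result = triage(SAMPLE_JS)
    print(result["flags"], result["php_urls"])
```

The decoded text is what an analyst would then read or diff against the site's legitimate checkout script; the flags only prioritise which scripts to look at first.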

RiskIQ’s security researchers discovered three distinct versions of the skimmer, including in-development versions running debug processes, and one even including a version number.

The skimmer was observed hosted on all of the 19 infected domains identified to date, with the stolen data sent to the same server or another compromised domain.

“This method of exfiltration is the same as that used by Magecart Group 7, sending stolen data as .php files to other compromised sites for exfiltration. Each compromised site used for data exfil has also been injected with a skimmer and has been used to host skimming code loaded on other victim sites as well,” the researchers explain.

Similarities in technique and code construction led RiskIQ to the conclusion that Magecart Group 7 is behind the new skimmer.

The researchers were also able to link the skimmer to two IP addresses running Debian, Apache, and OpenSSH, owned by Online SAS, a French cloud computing and web hosting company.

Magecart attacks went up by 20% amid the current COVID-19 pandemic, likely fueled by an increase in online shopping as people are working from home.

“This latest skimmer from Group 7 is an illustration of their continued evolution, honing tried and true techniques and developing new ones all the time. They are not alone in their endeavors to improve, persist, and expand their reach,” RiskIQ notes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
