Security Experts:

Connect with us

Hi, what are you looking for?



Magecart Hackers Continue Improving Skimmers

A Magecart threat actor tracked as “Group 7” has been using a skimmer that creates iframes to steal payment card data, RiskIQ reveals.

A Magecart threat actor tracked as “Group 7” has been using a skimmer that creates iframes to steal payment card data, RiskIQ reveals.

Various versions of the skimmer were observed since January, featuring different levels of obfuscation, and 19 different victim sites were identified to date. In some cases, the compromised websites were abused to host the skimming code, load the code on compromised websites, and exfiltrate stolen data.

The skimmer, which RiskIQ dubbed MakeFrame, features hex-encoded strings and several layers of obfuscation, as well as an anti-analysis technique employing a check for beautifiers (which make code more readable for threat analysts). The code doesn’t execute properly if it has been beautified.

“This check means that a researcher has to deal with the blob of code if they want to deobfuscate it. For analysts experienced with deobfuscation, it just costs more time; for ones who are not, it could prevent them from figuring out what the code is doing,” RiskIQ explains.

Analysis of the malicious code revealed objects that directly refer to the creation of iframes for skimming payment data. The iframes are created so that the victim would enter payment data into them. A specific function is called to format the fake payment form, while another creates the “submit” button.

Thus, if the victim fills out the form and then presses the “submit” button, the card data is skimmed.

RiskIQ’s security researchers discovered three distinct versions of the skimmer, including in-development versions running debug processes, and one even including a version number.

The skimmer was observed hosted on all of the 19 infected domains identified to date, with the stolen data sent to the same server or another compromised domain.

“This method of exfiltration is the same as that used by Magecart Group 7, sending stolen data as .php files to other compromised sites for exfiltration. Each compromised site used for data exfil has also been injected with a skimmer and has been used to host skimming code loaded on other victim sites as well,” the researchers explain.

Similarities in technique and code construction led RiskIQ to the conclusion that Magecart Group 7 is behind the new skimmer.

The researchers were also able to link the skimmer to two IPs that are running Debian, Apache, and OpenSSH and which are owned by Online SAS, a French cloud computing and web hosting company.

Magecart attacks went up by 20% amid the current COVID-19 pandemic, likely fueled by an increase in online shopping as people are working from home.

“This latest skimmer from Group 7 is an illustration of their continued evolution, honing tried and true techniques and developing new ones all the time. They are not alone in their endeavors to improve, persist, and expand their reach,” RiskIQ notes.

Related: Three Magecart Hackers Arrested in Indonesia

Related: Hunting for Magecart With

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.