A Magecart threat actor tracked as “Group 7” has been using a skimmer that creates iframes to steal payment card data, RiskIQ reveals.
Various versions of the skimmer have been observed since January, featuring different levels of obfuscation, and 19 different victim sites have been identified to date. In some cases, the compromised websites were abused to host the skimming code, to load that code on other compromised websites, and to receive the exfiltrated data.
The skimmer, which RiskIQ dubbed MakeFrame, features hex-encoded strings and several layers of obfuscation, as well as an anti-analysis technique employing a check for beautifiers (which make code more readable for threat analysts). The code doesn’t execute properly if it has been beautified.
“This check means that a researcher has to deal with the blob of code if they want to deobfuscate it. For analysts experienced with deobfuscation, it just costs more time; for ones who are not, it could prevent them from figuring out what the code is doing,” RiskIQ explains.
Analysis of the malicious code revealed objects that directly refer to the creation of iframes for skimming payment data. The iframes are created so that the victim enters payment data into them rather than into the legitimate form. A specific function is called to format the fake payment form, while another creates the “submit” button.
Thus, if the victim fills out the form and then presses the “submit” button, the card data is skimmed.
RiskIQ’s security researchers discovered three distinct versions of the skimmer, including in-development versions running debug processes, and one even including a version number.
The skimmer was observed hosted on all of the 19 infected domains identified to date, with the stolen data sent to the same server or another compromised domain.
“This method of exfiltration is the same as that used by Magecart Group 7, sending stolen data as .php files to other compromised sites for exfiltration. Each compromised site used for data exfil has also been injected with a skimmer and has been used to host skimming code loaded on other victim sites as well,” the researchers explain.
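The two techniques described above, the dynamically created iframe carrying a fake payment form and the posting of captured fields to another compromised domain, are what a checkout-page integrity monitor would watch for. The following is an added defender-side example, not RiskIQ's analysis code and not the skimmer itself; the allowlisted origins and the report endpoint are assumed placeholders, and the classifier is kept pure so it can be tested without a DOM.

```javascript
// Origins allowed to host frames or receive card data on the checkout page (assumed placeholders).
const ALLOWED_ORIGINS = new Set([
  'https://shop.example',          // assumed first-party checkout origin
  'https://checkout.psp.example',  // assumed payment-provider hosted-fields origin
]);
// Two or more field names matching this pattern in one form marks it as a card form.
const CARD_FIELD = /card|ccnum|cvv|cvc|expir/i;
// Resolve a src/action against the page origin. Empty, about:blank and
// javascript: values inherit the page origin, which is the in-page fake form case.
function resolveOrigin(url, pageOrigin) {
  if (!url || url === 'about:blank' || /^javascript:/i.test(url)) return 'inline';
  try { return new URL(url, pageOrigin).origin; } catch { return 'invalid'; }
}
// Pure classifier; node = { tag: 'iframe'|'form', src?, action?, fieldNames?: string[] }.
function classifyInsertedNode(node, pageOrigin) {
  if (node.tag === 'iframe') {
    const origin = resolveOrigin(node.src, pageOrigin);
    if (origin === 'inline') return { verdict: 'alert', reason: 'inline iframe injected after load' };
    if (!ALLOWED_ORIGINS.has(origin)) return { verdict: 'alert', reason: 'iframe from ' + origin };
    return { verdict: 'ok', reason: 'allowed frame origin' };
  }
  if (node.tag === 'form') {
    const hits = (node.fieldNames || []).filter((n) => CARD_FIELD.test(n)).length;
    const origin = resolveOrigin(node.action, pageOrigin);
    const target = origin === 'inline' ? pageOrigin : origin;   // action-less forms post to the page
    if (hits >= 2 && !ALLOWED_ORIGINS.has(target)) return { verdict: 'alert', reason: 'card form posting to ' + target };
    return { verdict: 'ok', reason: hits >= 2 ? 'card form with allowed action' : 'no card fields' };
  }
  return { verdict: 'ok', reason: 'not a frame or form' };
}

// Browser wiring (runs only where a DOM exists). Inputs added to a form after the
// form itself is inserted are not re-scanned here; production code would observe
// the form's subtree too. reportUrl is an assumed collection endpoint.
function installCheckoutMonitor(reportUrl) {
  if (typeof document === 'undefined' || typeof MutationObserver === 'undefined') return null;
  const observer = new MutationObserver((mutations) => {
    for (const el of mutations.flatMap((m) => [...m.addedNodes])) {
      if (!(el instanceof Element) || !/^(iframe|form)$/i.test(el.tagName)) continue;
      const node = { tag: el.tagName.toLowerCase(), src: el.getAttribute('src'), action: el.getAttribute('action'),
        fieldNames: [...el.querySelectorAll('input')].map((i) => i.name || i.id || '') };
      const result = classifyInsertedNode(node, location.origin);
      if (result.verdict === 'alert') navigator.sendBeacon(reportUrl, JSON.stringify({ ...node, reason: result.reason }));
    }
  });
  observer.observe(document.documentElement, { childList: true, subtree: true });
  return observer;
}
```

A skimmer that exfiltrates to the same compromised host, as the article notes some do, posts to an allowlisted origin and is not caught by this check; that case needs server-side file-integrity monitoring of the web root.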
Similarities in technique and code construction led RiskIQ to the conclusion that Magecart Group 7 is behind the new skimmer.
The researchers were also able to link the skimmer to two IP addresses running Debian, Apache, and OpenSSH, owned by Online SAS, a French cloud computing and web hosting company.
Magecart attacks went up by 20% amid the current COVID-19 pandemic, likely fueled by an increase in online shopping as people are working from home.
“This latest skimmer from Group 7 is an illustration of their continued evolution, honing tried and true techniques and developing new ones all the time. They are not alone in their endeavors to improve, persist, and expand their reach,” RiskIQ notes.