There’s a new skimmer in town, and it is currently targeting small- and medium-sized businesses.
The skimmer comes from the infamous Magecart Group, and so far, payment card data from 19 different websites has been harvested.
Magecart’s new skimmer: MakeFrame
According to RiskIQ researchers, the skimmer uses iframes to harvest data, and thus it has been dubbed MakeFrame.
The MakeFrame skimmer was first detected at the end of January. Since then, several versions have been caught in the wild, presenting various levels of obfuscation.
In some cases, the researchers say they have seen MakeFrame using compromised sites for all three of its functions—hosting the skimming code itself, loading the skimmer on other compromised websites, and exfiltrating the stolen data. “There are several elements of the MakeFrame skimmer that are familiar to us, but it’s this technique in particular that reminds us of Magecart Group 7,” RiskIQ says.
The Magecart hacking group has been widely known for using victim sites for skimmer development.
“In all of these cases, the skimmer is hosted on the victim domain,” RiskIQ’s analysis shows. “The stolen data is posted back to the same server or sent to another compromised domain.”
Another similarity that MakeFrame shares with skimmers developed by the Magecart group is its method of exfiltrating harvested data: the skimmer sends the stolen data, in the form of .PHP files, to other compromised sites deployed for exfiltration.
According to the researchers, “each compromised site used for data exfil has also been injected with a skimmer and has been used to host skimming code loaded on other victim sites as well.”
The Magecart group has been operating since 2016. The hackers are known for consistently changing tactics to target e-commerce platforms to harvest payment card data.
It should be noted that there are various Magecart groups. Even though skimmers are their primary weapon of choice, they deploy other malicious tactics such as brute-force attacks, spoofing third-party payment sites, and performing attacks against Wi-Fi routers via malicious code to harvest customer data.
According to RiskIQ statistics, Magecart attacks have grown 20 percent amid the coronavirus pandemic. “With many home-bound people forced to purchase what they need online, the digital-skimming threat to e-commerce is as pronounced as ever,” the researchers say.
Magecart Group 12 detected in January 2019
In January 2019, RiskIQ came across a new subgroup known as Magecart Group 12, which infects targeted websites by inserting skimming code into a third-party JavaScript library. This technique loads the malicious code into every website that uses the library.
The group managed to compromise targeted websites through Adverline at the end of 2018.
It should be noted that Magecart Group 12’s skimming code is slightly different, with “an interesting twist” – it protects itself from deobfuscation and analysis by performing an integrity check on itself.
We will keep an eye on the ever-evolving tactics of the Magecart hackers.