The winter holidays are around the corner, and so is new skimming malware. Cybercriminals recently released campaigns distributing the Grelos malware, a common Magecart variant.
Analyzed by RiskIQ researchers, this strain is a rehash of the original code first spotted in 2015. Grelos consists of a loader and a skimmer, with base64 obfuscation hiding a two-stage skimmer.
The Grelos Skimmer in Detail
In fact, the Grelos skimmer has been around since 2015, with its original version associated with Magecart Groups 1 and 2, the report points out. It is noteworthy that some threat actors continue to use some of the original domains deployed to load the skimmer. But how did the research team come across this latest variant?
The team came across a unique cookie that connected them to a recent variant of the skimmer. Apparently, the skimmer has a newer version that uses a fake payment form to steal payment data. Unfortunately, dozens of sites have been compromised already.
“In many recent Magecart compromises, we’ve seen increasing overlaps in infrastructure used to host different skimmers that seem to be deployed by unrelated groups that use various techniques and code structures,” RiskIQ says.
The overlapping infrastructure also includes a hosting provider utilized by some skimming domains. These domains load multiple, unrelated skimmers, such as the Inter skimmer and various versions of Grelos. RiskIQ “even saw domains loading the Inter skimmer and the Grelos skimmer from the same IP address.” The pattern possibly means that several skimming groups utilize the same infrastructure to host the skimming domains and buy hosting services from the same third-party provider.
Online shoppers should be extra-careful with skimming malware
Security researchers are warning of an increase in skimming attacks as the holiday shopping season is near. This year online gift shopping can be even more dangerous with the current Covid-19 pandemic and people staying at home under lockdown.
“The best defense against Magecart is keeping on top of their tactics and knowing the code your website runs, including third-party code. Immediately patching vulnerable systems can prevent harm to your customers and, as we’ve seen, a hefty fine,” RiskIQ concludes.
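As an added example (not code from the article or from RiskIQ's report), the following Python script turns two of the points above into a check a site owner can run over their own checkout page: the note that Grelos hides a two-stage skimmer behind base64 obfuscation, and RiskIQ's advice to know the code your website runs, including third-party code. It inventories every script tag on a page, flags external script hosts that are not on an allowlist and inline scripts whose SHA-256 is not in a known-good baseline, and decodes long base64 runs inside inline scripts to look for payment-form field names. The sample page, the hostnames, the allowlist and the hidden payload string are all constructed for the demo; the regex-based HTML parsing is a simplification of what a production scanner would use.

```python
"""Added example, not from the article or RiskIQ: a static audit of the
scripts a checkout page runs, with base64 blobs decoded and inspected."""
import base64
import hashlib
import re
from urllib.parse import urlparse

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""src\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
# Long runs of base64 alphabet characters, with optional padding.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Tokens a decoded blob on a checkout page should not contain unless the
# merchant put them there: payment-field names and common exfil primitives.
SUSPICIOUS_TOKENS = ("cvv", "card_number", "cardnumber", "expiry",
                     "atob(", "XMLHttpRequest", "fetch(")


def extract_scripts(html):
    """Return (src_or_None, inline_body) for every <script> tag in order."""
    scripts = []
    for attrs, body in SCRIPT_RE.findall(html):
        m = SRC_RE.search(attrs)
        scripts.append((m.group(1) if m else None, body.strip()))
    return scripts


def decode_base64_blobs(body):
    """Decode every long base64 run in a script body that yields readable text."""
    decoded = []
    for blob in B64_RE.findall(body):
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64, or binary rather than script text
        if all(c.isprintable() or c in "\t\r\n" for c in text):
            decoded.append(text)
    return decoded


def audit_page(html, allowed_hosts, inline_baseline):
    """Return a list of human-readable findings for one page."""
    findings = []
    for src, body in extract_scripts(html):
        if src:
            # Relative URLs have no hostname and are treated as same-origin.
            host = urlparse(src).hostname or ""
            if host and host not in allowed_hosts:
                findings.append(f"external script from unknown host: {host}")
            continue
        digest = hashlib.sha256(body.encode()).hexdigest()
        if digest not in inline_baseline:
            findings.append(f"inline script not in baseline: sha256={digest[:16]}...")
        for text in decode_base64_blobs(body):
            hits = [t for t in SUSPICIOUS_TOKENS if t.lower() in text.lower()]
            if hits:
                findings.append(f"base64 blob decodes to skimmer-like code, tokens={hits}")
    return findings


# ---- constructed sample data (placeholders, not real indicators) ----
LEGIT_INLINE = "window.dataLayer = window.dataLayer || [];"
# Stand-in for a hidden second stage: only field names and a placeholder
# collector host, deliberately not working code.
HIDDEN_STAGE = "fields=['card_number','cvv','expiry'];collector='https://collector.invalid/'"
ENCODED = base64.b64encode(HIDDEN_STAGE.encode()).decode()

SAMPLE_HTML = f"""<html><body>
<script src="https://cdn.shop.example/js/app.js"></script>
<script>{LEGIT_INLINE}</script>
<script src="https://static.unknown-host.invalid/x.js"></script>
<script>var s=atob('{ENCODED}');</script>
</body></html>"""

ALLOWED_HOSTS = {"cdn.shop.example"}
INLINE_BASELINE = {hashlib.sha256(LEGIT_INLINE.encode()).hexdigest()}

if __name__ == "__main__":
    for finding in audit_page(SAMPLE_HTML, ALLOWED_HOSTS, INLINE_BASELINE):
        print(finding)
```

Run against the constructed page, the audit reports three findings: the unknown external host, the inline loader that is not in the baseline, and the base64 blob inside it that decodes to text naming card fields. A baseline of inline-script hashes and an allowlist of script hosts is cheap to maintain for a checkout page and catches the injection pattern described for both Grelos and Keeper, where the malicious JavaScript lands inside the merchant's own HTML.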
Many Magecart-inspired hacking groups in the wild
In July 2020, Keeper Magecart hackers successfully broke into online store backends to change their source code and insert malicious scripts. The scripts stole payment card details taken from checkout forms. More than 570 online stores have been hacked in the past three years.
The Keeper hacking group has been performing web skimming, e-skimming, and attacks similar to Magecart. Gemini researchers who analyzed the attacks named the group Keeper Magecart. The Keeper name derives from the repeated usage of a single domain called fileskeeper[.]org, used to inject malicious card-stealing JavaScript into victim websites’ HTML code and receive harvested card data.