Magecart Group Hits Small Businesses With Updated Skimmer
Researchers Determine That 19 Ecommerce Sites Have Been Targeted
A Magecart group has been using a new skimmer technique to steal payment card data from the ecommerce sites of small and midsized businesses, according to research published by security firm RiskIQ.
"This latest skimmer from Group 7 is an illustration of their continued evolution, honing tried and true techniques and developing new ones all the time," the researchers note.
Since January, the RiskIQ researchers have spotted these new payment card skimmers on 19 ecommerce sites' checkout pages. While Magecart groups generally have targeted larger e-commerce sites, the victims of these latest attacks are mainly smaller businesses (see: New Skimmer Attack Steals Data From Over 100 E-Commerce Sites).
It's not clear if any of the information stolen from these sites is being offered for sale on dark net marketplaces, says Jordan Herman, a threat researcher at RiskIQ, which is notifying the companies affected.
Magecart Attacks Increase
These Magecart groups have been blamed for skimming attacks against companies that include British Airways, Ticketmaster and Newegg (see: Magecart Group Continues Targeting E-Commerce Sites).
In February, RiskIQ noticed an uptick in these groups' activity, which might be attributed to a burst in online shopping due to the COVID-19 pandemic that has kept people in their homes under quarantine orders.
"We've seen an increase in our detections of Magecart of about 20 percent when we compare March to February, so it appears that Magecart actors are taking advantage of the current situation," Herman tells Information Security Media Group.
How MakeFrame Works
Since January, the RiskIQ researchers have collected several versions of the MakeFrame skimmer, ranging from code that is still in development to fully functioning versions that use encryption and obfuscation techniques to hide their presence.
Once this malicious code is injected into an ecommerce site's checkout function, it is "nestled in amongst benign code to blend in and avoid detection," according to the report. The skimmers use an array of hex-encoded strings to help hide themselves; they also use "code beautifiers," which make it nearly impossible to de-obfuscate.
The skimmers create the iframes to steal payment card data as well as other information, according to the report. They create a fake checkout page that mimics the real one and includes fields for victims to input their card numbers and other data.
The malicious code can also create a "submit" button. Once victims enter their payment card information and hit submit, the data is collected by the skimmers and stored for later.
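A defender reviewing scripts served on a checkout page can look for the pattern described above: a table of hex-encoded strings that conceals iframe creation and payment field names. The following is an added example, not code from the RiskIQ report or from the skimmer itself; the function names, the threshold, the field-name fragments and both sample scripts are constructed for illustration.

```javascript
// Added example: static heuristic for the obfuscation described above.
// Names, thresholds and both sample scripts are constructed for illustration.

// A string literal made up only of \xNN escapes, e.g. "\x69\x66".
const HEX_LITERAL = /(["'])((?:\\x[0-9a-fA-F]{2}){2,})\1/g;
const CARD_FIELD = /card|cvv|cvc|expir/i; // assumed payment-field name fragments

// Return the plain-text value of every hex-only string literal in the source.
function decodeHexLiterals(source) {
  return [...source.matchAll(HEX_LITERAL)].map((m) =>
    m[2].replace(/\\x([0-9a-fA-F]{2})/g, (_, h) =>
      String.fromCharCode(parseInt(h, 16))));
}

// Flag a script that hides iframe construction inside a hex string table.
function assessScript(source, minLiterals = 4) {
  const decoded = decodeHexLiterals(source);
  const lower = new Set(decoded.map((s) => s.toLowerCase()));
  const reasons = [];
  const hasTable = decoded.length >= minLiterals;
  if (hasTable) reasons.push("hex-encoded string table");
  if (lower.has("iframe") && lower.has("createelement")) {
    reasons.push("hidden iframe creation");
  }
  if (decoded.some((s) => CARD_FIELD.test(s))) {
    reasons.push("hidden payment field names");
  }
  // Require the string table plus one behavioural reason to cut noise.
  return { decoded, reasons, suspicious: hasTable && reasons.length >= 2 };
}

// Constructed inputs: a string table like the one described, and a benign script.
const toHex = (s) => [...s].map((c) =>
  "\\x" + c.charCodeAt(0).toString(16).padStart(2, "0")).join("");
const SAMPLE_OBFUSCATED = "var _0xab = [" +
  ["createElement", "iframe", "appendChild", "cardNumber", "cvv"]
    .map((s) => '"' + toHex(s) + '"').join(",") + "];";
const SAMPLE_BENIGN =
  'var f = document.createElement("iframe"); var eol = "\\x0d\\x0a";';

for (const [name, src] of [["obfuscated", SAMPLE_OBFUSCATED],
                           ["benign", SAMPLE_BENIGN]]) {
  const r = assessScript(src);
  console.log(name, r.suspicious ? "REVIEW" : "ok", r.reasons.join("; "));
}
```

The check is a triage aid for scripts that warrant manual review; it does not cover other encodings, and a plain-text iframe such as the one in the benign sample is deliberately not flagged.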
Once the stolen data is harvested, it's stored on the targeted e-commerce site before being transferred to another domain that is also infected with a Magecart Group 7 skimmer, Herman says.
"The most novel part of Group 7's activities is their use of compromised websites for data exfiltration," Herman says. "Generally, skimming campaigns use their own domains to exfiltrate the stolen card data. I don't believe we have seen any other groups who have copied this technique from Group 7."
The report notes that many of these same skimming techniques were used to target the company OXO in 2017 and 2018, which could mean the same Magecart group is involved.
And while the techniques in all these attacks are similar, it's not clear if they are all tied to Magecart Group 7. "The use of iframes and creating payment forms is similar, though the similarities between the skimmers appear to end there. We've seen a few distinct skimmers using that technique in recent months," Herman says.