
Grelos Skimmer Variant Co-Opts Magecart Infrastructure

Researchers: Skimmer Compromised Website of Boom! Mobile In October
Samples of the recent variant of the Grelos skimmer (Source: RiskIQ)

Researchers have identified a fresh variant of the Grelos skimmer that has co-opted the infrastructure that MageCart uses for its own skimming attacks against e-commerce sites, security firm RiskIQ says.


Although Grelos has been active since 2015, the researchers note in the report that the new variant was discovered after it compromised Boom! Mobile's website in October.

Researchers uncovered the variant using skimming components previously associated with Magecart - an umbrella name for a group of cybercriminal gangs that have been planting JavaScript skimmers, also known as JavaScript sniffers or JS sniffers, on dozens of retail and e-commerce sites over the past several years, RiskIQ notes (see: Police Bust 3 Suspected Magecart Hackers in Indonesia).

The latest version of Grelos is considerably more complex than the variants of the skimmer previously uncovered, says Jordan Herman, a threat researcher at RiskIQ. The difference this time is that the skimmer might not be as effective.

"So, while the new Grelos skimmer has more impressive functionality and obfuscation than previous iterations, I think it is probably less effective than the original because there is more awareness and tracking [of skimmers] these days," Herman says.

So far, the skimmer has been found on several small and mid-size e-commerce sites in the U.S., Canada, France, Chile and the United Arab Emirates, Herman says.

Some of the Magecart tools used by the operators of Grelos include WebSockets for skimming, loader components as well as domains that are linked to Magecart for hosting the malware, the report notes.

"We believe this skimmer is not directly related to [Magecart] Group 1/2's activity from 2015-16, but instead a rehash of some of their code," according to RiskIQ. "This version of the skimmer features a loader stage and a skimmer stage, both of which are base64 encoded five times over."
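A defender's triage helper for the nesting described above, written for this article as an added example (it is not RiskIQ's tooling or the skimmer's code): it peels nested base64 layers off a captured script blob, reports how many layers were removed, and checks whether the innermost text looks like JavaScript. The sample payload and the marker list are constructed for illustration.

```python
import base64
import binascii

# Constructed stand-in for a loader/skimmer stage; not the real Grelos code.
SAMPLE_SCRIPT = ('document.addEventListener("DOMContentLoaded", '
                 'function () { console.log("constructed sample stage"); });')


def wrap_base64(text: str, layers: int) -> str:
    """Encode text with `layers` nested base64 passes (builds the sample)."""
    data = text.encode()
    for _ in range(layers):
        data = base64.b64encode(data)
    return data.decode()


def _try_decode_layer(data: bytes):
    """Return decoded bytes if data is one complete, valid base64 string, else None."""
    stripped = b"".join(data.split())  # tolerate line-wrapped blobs
    if not stripped or len(stripped) % 4 != 0:
        return None
    try:
        return base64.b64decode(stripped, validate=True)
    except (binascii.Error, ValueError):
        return None


def peel_base64_layers(blob: str, max_layers: int = 16):
    """Strip nested base64 layers. Returns (innermost_text, layers_removed)."""
    data = blob.encode()
    depth = 0
    while depth < max_layers:
        decoded = _try_decode_layer(data)
        if decoded is None:
            break
        try:
            decoded.decode("utf-8")
        except UnicodeDecodeError:
            break  # binary result: the previous layer was the payload
        data = decoded
        depth += 1
    return data.decode("utf-8", errors="replace"), depth


# Constructed heuristic: tokens commonly seen in browser-side script.
SCRIPT_MARKERS = ("function", "document", "window", "WebSocket", "eval(", "=>")


def looks_like_script(text: str) -> bool:
    """Rough check that the decoded innermost layer is JavaScript, not more data."""
    return any(marker in text for marker in SCRIPT_MARKERS)


def triage(blob: str) -> dict:
    """Summarise a blob: layers removed, script-likeness and a short preview."""
    text, depth = peel_base64_layers(blob)
    return {"layers": depth, "script": looks_like_script(text), "preview": text[:80]}
```

A blob that peels to five layers and then yields script text matches the nesting the report describes; a blob that peels to zero layers is simply not base64-wrapped.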

Attack Infrastructure

RiskIQ says it discovered the new Grelos variant after the firm's analysts examined domains provided by independent security researchers AffableKraut and Denis Sinegubko, who were responding to an update from security firm Malwarebytes concerning attacks on Boom! Mobile’s website.

Grelos skimmer using WebSockets for data exfiltration (Source: RiskIQ)

After investigating the cookies that were connecting to the domains listed by the security researchers, RiskIQ found that some were connecting to four skimming domains used by the attackers.

"A unique cookie allowed us to connect a recent variant of this skimmer to an even newer version that uses a fake payment form to steal payment data from victims," the RiskIQ report notes. "Domains related to this cookie have compromised dozens of sites so far."

RiskIQ also notes the majority of the malicious domains linked to the skimmers were hosted on ASN 45102, a hosting provider that is currently popular with several different Magecart actors.

Further, the overlap between the skimmer infrastructure and the domain connections led RiskIQ researchers to conclude the new Grelos variant is among the latest skimmer variants that leverage Magecart.

RiskIQ, which has been tracking the activities of Magecart, notes the group actively adopts new skimmers to expand its attack arsenal. In April, a Magecart group deployed a skimmer called MakeFrame to skim card data from online retail sites and to obfuscate the malicious JavaScript code, according to a previous RiskIQ report (see: Magecart Group Hits Small Businesses With Updated Skimmer).

Since January, RiskIQ notes it has collected several versions of the MakeFrame skimmer, ranging from code that is still in development to fully functioning versions that use encryption and obfuscation techniques to hide their presence.

Magecart Attacks Increase

Magecart groups have been blamed for skimming attacks against companies that include British Airways, Ticketmaster and Newegg (see: Magecart Group Continues Targeting E-Commerce Sites).

In June, Malwarebytes found MageCart was hiding malicious JavaScript inside an image's EXIF metadata and then sneaking the image onto e-commerce sites (see: Magecart Card Skimmer Hidden in Image's EXIF Metadata).

About the Author

Akshaya Asokan


Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.
