
Magecart Group Hits Small Businesses With Updated Skimmer

Researchers Determine That 19 E-Commerce Sites Have Been Targeted

A Magecart group has been using a new skimmer technique to steal payment card data from the e-commerce sites of small and midsized businesses, according to research published by security firm RiskIQ.


These new attacks, which started around Jan. 24, apparently are the work of a group called Magecart Group 7, according to the new report. The researchers call the technique that this group is using "MakeFrame" because it incorporates iFrames to help skim the card data from the online checkout functions of websites and obfuscate the malicious JavaScript code.

"This latest skimmer from Group 7 is an illustration of their continued evolution, honing tried and true techniques and developing new ones all the time," the researchers note.

Since January, the RiskIQ researchers have spotted these new payment card skimmers on 19 e-commerce sites' checkout pages. While Magecart groups generally have targeted larger e-commerce sites, the victims of these latest attacks are mainly smaller businesses (see: New Skimmer Attack Steals Data From Over 100 E-Commerce Sites).

It's not clear if any of the information stolen from these sites is being offered for sale on dark net marketplaces, says Jordan Herman, a threat researcher at RiskIQ, which is notifying the companies affected.

Magecart Attacks Increase

Magecart is an umbrella name for a group of cybercriminal gangs that have been planting JavaScript skimmers, also known as JavaScript sniffers or JS sniffers, on dozens of sites over the last several years.

These Magecart groups have been blamed for skimming attacks against companies that include British Airways, Ticketmaster and Newegg (see: Magecart Group Continues Targeting E-Commerce Sites).

In February, RiskIQ noticed an uptick in these groups' activity, which might be attributed to a burst in online shopping due to the COVID-19 pandemic that has kept people in their homes under quarantine orders.

"We’ve seen an increase in our detections of Magecart of about 20 percent when we compare March to February, so it appears that Magecart actors are taking advantage of the current situation," Herman tells Information Security Media Group.

How MakeFrame Works

Since January, the RiskIQ researchers have collected several versions of the MakeFrame skimmer, ranging from code that is still in development to fully functioning versions that use encryption and obfuscation techniques to hide their presence.

Once this malicious code is injected into an e-commerce site’s checkout function, it is "nestled in amongst benign code to blend in and avoid detection," according to the report. The skimmers use an array of hex-encoded strings to help hide themselves; they also use "code beautifiers," which make it nearly impossible to de-obfuscate.

The skimmers create the iFrames to steal payment card data as well as other information, according to the report. They create a fake checkout page that mimics the real one and includes fields for victims to input their card numbers and other data.

The malicious code can also create a "submit" button. Once victims enter their payment card information and hit submit, the data is collected by the skimmers and stored for later.
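For site owners reviewing scripts served on checkout pages, the hex-encoded string array and hidden iframe creation described above can be triaged statically. The following is an added example, not code from RiskIQ's report or from the skimmer; the watch list, the threshold and both sample scripts are constructed assumptions.

```javascript
// Added example: static triage of one script's source text (runs in Node).
// WATCH and minLiterals are illustrative assumptions, not values from the report.
const WATCH = ["iframe", "createElement", "appendChild", "submit"];

// Decode the \xNN escapes inside a string-literal body.
function decodeHexEscapes(body) {
  return body.replace(/\\x([0-9a-fA-F]{2})/g, (_, h) =>
    String.fromCharCode(parseInt(h, 16)));
}

// Collect string literals made up entirely of \xNN escapes, decoded.
function hexOnlyLiterals(source) {
  const re = /(["'])((?:\\x[0-9a-fA-F]{2})+)\1/g;
  const out = [];
  let m;
  while ((m = re.exec(source)) !== null) out.push(decodeHexEscapes(m[2]));
  return out;
}

// Flag scripts that hide DOM/iframe API names behind hex-encoded strings.
function triageScript(source, minLiterals = 4) {
  const decoded = hexOnlyLiterals(source).map(s => s.toLowerCase());
  const decodedHits = WATCH.filter(w => decoded.some(d => d.includes(w.toLowerCase())));
  return {
    hexLiterals: decoded.length,
    decodedHits,
    plainIframe: /createElement\(\s*["']iframe["']\s*\)/i.test(source),
    suspicious: decoded.length >= minLiterals && decodedHits.length > 0,
  };
}

// Constructed samples: the first hides benign DOM names in a hex string array,
// the second is an ordinary embed that creates an iframe in the clear.
const toHex = s => [...s].map(c =>
  "\\x" + c.charCodeAt(0).toString(16).padStart(2, "0")).join("");
const names = ["iframe", "createElement", "body", "appendChild"];
const OBF_SAMPLE = `var _0xa = [${names.map(n => `"${toHex(n)}"`).join(", ")}];
var f = document[_0xa[1]](_0xa[0]); document[_0xa[2]][_0xa[3]](f);`;
const BENIGN_SAMPLE = `var v = document.createElement("iframe");
v.src = "https://video.example/embed"; document.body.appendChild(v);`;

console.log(triageScript(OBF_SAMPLE));
console.log(triageScript(BENIGN_SAMPLE));
```

A hit is a prompt for manual review of that script and its change history, since legitimate minified or packed code can also carry hex-escaped strings.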

Once the stolen data is harvested, it's stored on the targeted e-commerce site before being transferred to another domain that is also infected with a Magecart Group 7 skimmer, Herman says.

"The most novel part of Group 7's activities is their use of compromised websites for data exfiltration," Herman says. "Generally, skimming campaigns use their own domains to exfiltrate the stolen card data. I don’t believe we have seen any other groups who have copied this technique from Group 7."

The report notes that many of these same skimming techniques were used to target the company OXO in 2017 and 2018, which could mean the same Magecart group is involved.

In March, researchers at the security firm Malwarebytes found that the e-commerce site for Tupperware was infected with a JavaScript skimmer that used iFrames to help create fake checkout pages and hide its code within legitimate sites (see: Tupperware Website Hit by Card Skimmer).

And while the techniques in all these attacks are similar, it's not clear if they are all tied to Magecart Group 7. "The use of iFrames and creating payment forms is similar, though the similarities between the skimmers appear to end there. We've seen a few distinct skimmers using that technique in recent months," Herman says.

About the Author

Ishita Chigilli Palli

Senior Correspondent, Global News Desk

As senior correspondent for Information Security Media Group's global news desk, Ishita covers news worldwide. She previously worked at Thomson Reuters, where she specialized in reporting breaking news stories on a variety of topics.
