Pierluigi Paganini April 03, 2020

RiskIQ researchers spotted a new ongoing Magecart campaign that already compromised at least 19 different e-commerce websites.

Researchers from security firm RiskIQ have uncovered a new ongoing Magecart campaign that already compromised at least 19 different e-commerce websites to steal customers’ payment card data.

The experts discovered a new software skimmer, dubbed “MakeFrame,” that injects HTML iframes into web-pages to capture payment data.

RiskIQ tracks different Magecart groups, based on the was the e-skimmer is used by threat actors the experts attribute this campaign to the Magecart Group 7.

“On January 24th, we first became aware of a new Magecart skimmer, which we dubbed MakeFrame after its ability to make iframes for skimming payment data.” reads the report published by RiskIQ.

“Since then, we have captured several different versions of the skimmer, each sporting various levels of obfuscation, from dev versions in clear code to finalized versions using encrypted obfuscation. So far, RiskIQ has observed MakeFrame on 19 different victim sites.”

The version of the skimmer detected by the experts is the classic Magecart blob of hex-encoded terms and obfuscated code, it is included inside legitimate code in the attempt of avoid detection.

The skimmer implements a couple more layers of sophistication, such as checking the use of code beautifiers for making condensed or obfuscated code more readable for threat analysts.

The code is impossible to be deobfuscated due to a check (_0x5cc230[‘removeCookie‘]) that prevents any alteration. The skimmer code is only reconstructed if the check passes.

The analysis of the MakeFrame e-skimmer revealed also the capability of emulating the payment method using iframes to create a payment form and capture the payment details provided by the victims.

Experts found the skimmer code on all the 19 compromised e-store they analyzed, the stolen data are sent back to the same server or to another domain hacked by the group (i.e. piscinasecologicas[.]com) in the form of a .php file. This exfiltration method was observed in past attacks associated with the Magecart Group 7.

“This method of exfiltration is the same as that used by Magecart Group 7, sending stolen data as .php files to other compromised sites for exfiltration. Each compromised site used for data exfil has also been injected with a skimmer and has been used to host skimming code loaded on other victim sites as well.” continues the report.

“Looking back on our prior breakdown of Group 7’s skimming code from our report Inside Magecart, the method of encoding stolen data as one long string of base64 is strikingly similar between older Group 7 skimmers and these newer samples. “

The evidence collected by RiskIQ demonstrates that the Magecart groups continue to improve their techniques and the e-skimmers they employ in the campaigns. RiskIQ reported that Magecart attacks have grown 20% amid the COVID-19 outbreak.

“With many homebound people forced to purchase what they need online, the digital skimming threat to e-commerce is as pronounced as ever.” concluded RiskIQ.

“As we saw in the attacks on NutriBullet and other victims, there are a variety of ways to attack the functionality of a website.”

Pierluigi Paganini

(SecurityAffairs – Magecart, e-skimmer)

[adrotate banner=”5″]

[adrotate banner=”13″]