Magecart Hackers Strike Again! Compromise 19 E-Commerce Websites

Cybersecurity researchers from threat intelligence firm RiskIQ uncovered a new Magecart campaign, dubbed “Magecart Group 7,” that compromised over 19 e-commerce websites to steal customers’ payment card data. According to RiskIQ’s report, the researchers discovered a software skimmer, “MakeFrame,” which injects HTML iframes into the targeted websites to obtain payment information.

Explaining their discovery, the researchers said, “On January 24th, we first became aware of a new Magecart skimmer, which we dubbed MakeFrame after its ability to make iframes for skimming payment data. We initially flagged it with our machine learning model for detecting obfuscated code. Since then, we have captured several different versions of the skimmer, each sporting various levels of obfuscation, from dev versions in clear code to finalized versions using encrypted obfuscation.”

What Is a Magecart Attack?

A Magecart attack, also known as web skimming or e-skimming, is a form of cybercrime in which attackers plant malicious JavaScript code on online stores. The attackers compromise a company’s online store website and hide malicious code in it. That code then collects payment card information from users as they make purchases on the infected site. The stolen card data is reportedly either sold on the darknet or used to make fraudulent purchases.

How the MakeFrame Skimmer Works

The researchers stated that they’ve observed different versions of the MakeFrame skimmer that exhibit various levels of obfuscation to avoid detection. The attackers reportedly used MakeFrame on compromised sites for hosting the skimming code, loading the skimmer on other compromised websites, and exfiltrating the stolen data.

Once the skimmer is added to the target site, MakeFrame emulates the payment method, uses iframes to create a fake payment form, and detects the data entered into the form. When the payment is submitted, it exfiltrates the card information in the form of “.php files” to another compromised domain.

“This method of exfiltration is the same as that used by Magecart Group 7, sending stolen data as .php files to other compromised sites for exfiltration. Each compromised site used for data exfil has also been injected with a skimmer and has been used to host skimming code loaded on other victim sites as well,” RiskIQ said in the report.
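A defender-side check for the behaviour described above, added here as an example and not taken from RiskIQ’s report: it audits a DOM snapshot of a checkout page for scripts, iframes and form targets whose host is not on an allowlist, and for iframes that have no remote source and are therefore filled in by script. The host names, the allowlist and the sample page are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this hypothetical shop expects on its checkout page (assumption).
ALLOWED_HOSTS = {"shop.example", "pay.psp.example"}
# Attribute that carries the remote URL for each tag we audit.
URL_ATTR = {"script": "src", "iframe": "src", "form": "action"}

class CheckoutAudit(HTMLParser):
    """Collects scripts, iframes and forms that point off the allowlist."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in URL_ATTR:
            return
        attrs = dict(attrs)
        url = (attrs.get(URL_ATTR[tag]) or "").strip()
        local = not url or url.startswith(("about:", "javascript:"))
        if tag == "iframe" and (local or "srcdoc" in attrs):
            # A frame with no remote source is populated by script on the
            # page, which is how an injected fake payment form can be built.
            self.findings.append((tag, "script-built frame", url or "(no src)"))
            return
        if tag == "script" and not url:
            return  # inline script: out of scope for this host check
        host = urlparse(url).hostname or self.page_host  # relative URL
        if host not in ALLOWED_HOSTS:
            self.findings.append((tag, "host not on allowlist", host))

def audit_checkout(html, page_host):
    """Return (tag, reason, detail) tuples for a serialized checkout DOM."""
    parser = CheckoutAudit(page_host)
    parser.feed(html)
    return parser.findings

# Constructed sample: DOM snapshot of a checkout page after scripts have run.
SAMPLE = """
<html><body>
<script src="/static/cart.js"></script>
<script src="https://cdn.other-shop.example/js/lib.min.js"></script>
<iframe src="https://pay.psp.example/card"></iframe>
<iframe id="pay-frame"></iframe>
<form action="https://other-shop.example/media/collect.php" method="post"></form>
</body></html>
"""
```

Calling `audit_checkout(SAMPLE, "shop.example")` flags the third-party script, the source-less iframe and the form that posts to another site, while the payment provider’s own frame passes.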

Magecart Hackers Arrested

Recently, Indonesian police and Interpol arrested three men who belong to a Magecart hacking group for their involvement in Magecart attacks. Police officials stated that it’s the first arrest of Magecart gang members. The suspects, identified by the initials ANF (27 years), K (35 years), and N (23 years), were accused of injecting JavaScript sniffers into websites to capture information entered by site visitors. The suspects allegedly used the stolen payment card data to purchase electronic and luxury goods.