Cybersecurity researchers from threat intelligence firm RiskIQ uncovered a new Magecart campaign, dubbed “Magecart Group 7,” that compromised over 19 e-commerce websites to steal customers’ payment card data. According to RiskIQ’s report, the researchers discovered a software skimmer, “MakeFrame,” which injects HTML iframes into the targeted websites to obtain payment information.
Explaining their discovery, the researchers said, “On January 24th, we first became aware of a new Magecart skimmer, which we dubbed MakeFrame after its ability to make iframes for skimming payment data. We initially flagged it with our machine learning model for detecting obfuscated code. Since then, we have captured several different versions of the skimmer, each sporting various levels of obfuscation, from dev versions in clear code to finalized versions using encrypted obfuscation.”
What Is a Magecart Attack?
How the MakeFrame Skimmer Works
The researchers stated that they have observed different versions of the MakeFrame skimmer that use various levels of obfuscation to avoid detection. The attackers reportedly used MakeFrame on compromised sites for three purposes: hosting the skimming code, loading the skimmer on other compromised websites, and exfiltrating the stolen data.
Once the skimmer is added to the target site, MakeFrame emulates the payment method, uses iframes to create a fake payment form, and captures the data entered into the form. When the payment is submitted, it exfiltrates the card information in the form of “.php files” to another compromised domain.
“This method of exfiltration is the same as that used by Magecart Group 7, sending stolen data as .php files to other compromised sites for exfiltration. Each compromised site used for data exfil has also been injected with a skimmer and has been used to host skimming code loaded on other victim sites as well,” RiskIQ said in the report.
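Because the skimmer described above works by adding iframes that present a fake payment form, a site owner can audit which iframes appear on the checkout page. The following is an added example, not code from RiskIQ or from the article; the allowlisted origin, the sample frames and the function names are all hypothetical.

```javascript
// Added example: flag iframes on a checkout page that are not on an allowlist.
// ALLOWED_FRAME_ORIGINS is hypothetical; list your real payment provider's origin(s).
const ALLOWED_FRAME_ORIGINS = new Set(["https://pay.example-psp.test"]);

// Returns null for an allowed frame, otherwise the reason it is suspicious.
function classifyFrame({ src, srcdoc }, pageUrl, allowed = ALLOWED_FRAME_ORIGINS) {
  // srcdoc and src-less frames can only get their content from script
  // already running in the page, so they are never allowlisted here.
  if (srcdoc != null) return "srcdoc frame filled by page script";
  if (!src || src.trim() === "") return "no src: content can only come from page script";
  let url;
  try { url = new URL(src, pageUrl); } catch { return "unparseable src"; }
  if (url.protocol !== "https:") return "non-https scheme " + url.protocol;
  if (!allowed.has(url.origin)) return "origin not on allowlist: " + url.origin;
  return null;
}

// Audit a list of {src, srcdoc} descriptors; returns one finding per bad frame.
function auditFrames(frames, pageUrl, allowed = ALLOWED_FRAME_ORIGINS) {
  return frames
    .map((f) => ({ src: f.src ?? null, reason: classifyFrame(f, pageUrl, allowed) }))
    .filter((finding) => finding.reason !== null);
}

// Constructed sample input (not taken from the RiskIQ report).
const SAMPLE_PAGE = "https://shop.example.test/checkout";
const SAMPLE_FRAMES = [
  { src: "https://pay.example-psp.test/card-form" }, // legitimate provider
  { src: null },                                      // frame with no src
  { src: "about:blank" },
  { src: "https://other-shop.example.test/pay.html" },
  { src: "/assets/pay.html" },                        // same-origin but unlisted
];

// In a browser, re-run the audit whenever the DOM changes.
if (typeof document !== "undefined") {
  const scan = () => {
    const frames = [...document.querySelectorAll("iframe")].map((el) => ({
      src: el.getAttribute("src"),
      srcdoc: el.getAttribute("srcdoc"),
    }));
    const findings = auditFrames(frames, location.href);
    if (findings.length) console.warn("unexpected checkout iframes", findings);
  };
  new MutationObserver(scan).observe(document.documentElement, { childList: true, subtree: true });
  scan();
}
```

A script injected into the same page can disable an in-page monitor, so the same `auditFrames` check is more trustworthy when run from an external crawl of the checkout page.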
Magecart Hackers Arrest