Magecart Hackers Continue Improving Skimmers

A Magecart threat actor tracked as “Group 7” has been using a skimmer that creates iframes to steal payment card data, RiskIQ reveals.


Various versions of the skimmer have been observed since January, featuring different levels of obfuscation, and 19 victim sites have been identified to date. In some cases, the compromised websites themselves were used to host the skimming code, to load it onto other compromised websites, and to receive the exfiltrated data.


The skimmer, which RiskIQ dubbed MakeFrame, features hex-encoded strings and several layers of obfuscation, as well as an anti-analysis technique that checks for beautifiers (tools that reformat code to make it readable for threat analysts). The code does not execute properly once it has been beautified.


“This check means that a researcher has to deal with the blob of code if they want to deobfuscate it. For analysts experienced with deobfuscation, it just costs more time; for ones who are not, it could prevent them from figuring out what the code is doing,” RiskIQ explains.


Analysis of the malicious code revealed objects that directly refer to the creation of iframes for skimming payment data. The iframes are created so that the victim enters payment data into them. One function formats the fake payment form, while another creates its “submit” button.


Thus, when the victim fills out the form and presses the “submit” button, the card data is skimmed.
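The skimming pattern described above relies on iframes the checkout page never intended to embed. The following is an added example, not code from the RiskIQ report or from the skimmer itself: a page-side check that flags any iframe whose origin is not on a hypothetical allowlist of the shop's own payment provider, with a constructed frame list standing in for the DOM so it also runs under Node.

```javascript
// Added example, not code from the RiskIQ report: a page-side check that flags
// iframes a checkout page did not expect. MakeFrame builds its fake payment
// form inside script-created iframes, so any frame that is not from the
// site's own payment provider is worth reporting to the security team.

// Hypothetical allowlist: the only origin this shop embeds on its checkout page.
const ALLOWED_FRAME_ORIGINS = new Set(['https://pay.example-psp.com']);

// Normalise an iframe's src attribute to something we can compare.
function frameOrigin(src) {
  if (!src || src === 'about:blank') return 'script-built'; // content written by JS
  if (/^(javascript|data|blob):/i.test(src)) return 'inline';
  try { return new URL(src).origin; } catch (e) { return 'invalid'; }
}

// Classify one frame descriptor ({ src }) against the allowlist.
function classifyFrame(frame, allowlist = ALLOWED_FRAME_ORIGINS) {
  const origin = frameOrigin(frame.src);
  if (allowlist.has(origin)) return 'allowed';
  if (origin === 'script-built' || origin === 'inline') return 'script-built-frame';
  return 'unexpected-origin';
}

// Return the frames a defender should look at, with the verdict attached.
function findUnexpectedFrames(frames, allowlist = ALLOWED_FRAME_ORIGINS) {
  return frames
    .map(f => ({ src: f.src || '', verdict: classifyFrame(f, allowlist) }))
    .filter(f => f.verdict !== 'allowed');
}

// Browser only: report iframes inserted after load (MutationObserver is absent in Node).
function watchForInjectedFrames(report) {
  if (typeof MutationObserver === 'undefined') return null;
  const obs = new MutationObserver(records => {
    for (const r of records) for (const node of r.addedNodes) {
      if (node.nodeName !== 'IFRAME') continue;
      const src = node.getAttribute('src');
      const verdict = classifyFrame({ src });
      if (verdict !== 'allowed') report({ src: src || '', verdict });
    }
  });
  obs.observe(document.documentElement, { childList: true, subtree: true });
  return obs;
}

// Constructed sample: what a checkout page's frames might look like after a compromise.
const SAMPLE_FRAMES = [
  { src: 'https://pay.example-psp.com/hosted-fields' },  // legitimate provider
  { src: '' },                                            // built by injected script
  { src: 'https://cdn.example-third-party.invalid/f.html' } // placeholder origin, not a real IoC
];

console.log(findUnexpectedFrames(SAMPLE_FRAMES));
```

Reports from `watchForInjectedFrames` should be sent to a logging endpoint the page already talks to, so a newly injected frame shows up in monitoring rather than only in the victim's browser.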


RiskIQ’s security researchers discovered three distinct versions of the skimmer, including in-development versions that run debug routines, and one that even includes a version number.


The s ..
