The prolific Magecart group is using new skimmer code to steal payment card numbers from the websites of small- and medium-sized businesses, RiskIQ researchers found.
The new skimmer, dubbed MakeFrame by RiskIQ, uses iframes to harvest payment card details from websites' shopping cart pages, wrote RiskIQ researchers Jordan Herman and Mia Ihm. The code has been used to harvest payment card data from 19 different websites over the past few months. RiskIQ first observed the card-harvesting code on Jan. 24.
“This version of the skimmer is the classic Magecart blob of hex-encoded terms and obfuscated code,” Herman and Ihm wrote. “It is nestled in amongst benign code to blend in and avoid detection.”
There are multiple versions of MakeFrame currently in use, ranging from programs obviously still in development to production-quality code with encrypted obfuscation.
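As an added example, not code from RiskIQ's report or from the skimmer itself, the following static check looks for two traits the researchers describe: an inline script block dense with `\xNN` hex escapes, and an iframe that loads content from a host other than the shop's own. The sample page, host names and density threshold are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HEX_ESCAPE = re.compile(r"\\x[0-9a-fA-F]{2}")

class _CheckoutPageParser(HTMLParser):  # collects inline <script> bodies and <iframe src> values
    def __init__(self):
        super().__init__()
        self.scripts, self.iframes = [], []
        self._buf = None  # list while inside <script>, else None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._buf = []
        elif tag == "iframe":
            self.iframes.append(dict(attrs).get("src") or "")

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append("".join(self._buf))
            self._buf = None

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

def hex_escape_density(script):
    """Share of a script's characters spent on \\xNN escapes (4 chars each)."""
    return 4 * len(HEX_ESCAPE.findall(script)) / len(script) if script else 0.0

def scan_checkout_page(html, shop_host, density_threshold=0.10):
    # Flag hex-dense inline scripts and iframes that load from a foreign host
    parser = _CheckoutPageParser()
    parser.feed(html)
    findings = []
    for i, script in enumerate(parser.scripts):
        density = hex_escape_density(script)
        if density >= density_threshold:  # threshold is an assumed tuning value
            findings.append(f"script#{i}: hex-escape density {density:.2f}")
    for src in parser.iframes:
        host = urlparse(src).hostname
        if host and host != shop_host:
            findings.append(f"iframe loads off-origin content from {host}")
    return findings

# Constructed sample page: one benign snippet, one hex-encoded block, one foreign iframe
SAMPLE_HTML = """<html><body>
<script>window.dataLayer = window.dataLayer || [];</script>
<script>var _0xab=["\\x66\\x6f\\x72\\x6d","\\x73\\x75\\x62\\x6d\\x69\\x74"];</script>
<iframe src="https://cdn.example.invalid/pay.html"></iframe>
</body></html>"""
```

Running `scan_checkout_page(SAMPLE_HTML, "shop.example.invalid")` reports the hex-encoded script and the off-origin iframe while leaving the plain analytics snippet alone; legitimate payment providers also use iframes, so the second finding is a prompt to verify the host, not proof of compromise.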
Magecart Group 5 also appears to be developing tactics to target routers used by public WiFi operators. Magecart Group 12 was behind the attack on advertising provider Adverline. Magecart Group 8 has its own methods, and is believed to have been behind the recent attack on the NutriBullet website.
Magecart Group 7 is the most likely group using the MakeFrame skimmer, RiskIQ said. The researchers drew this conclusion based on the fact that Group 7 has historically targeted SMBs. Group 7 also typically includes existing functionality on the victims' websites in its skimming operations. That includes hosting the attack code directly on the victim's domain. Group 7 previously used similar tactics against kitchen tools and houseware company OXO.
“In some cases, we've seen MakeFrame using compromised sites for all three of its functions — hosting the skimming code itself, loading the skimmer on other compromised websites, and exfiltrating the stolen data,” wrote Herman and Ihm.
The harvested data stays on the victim's server until the attackers are ready to exfiltrate the information. Magecart Group 7 is known to hide stolen data as .php files and then transfer those files to other compromised sites. The researchers were able to identify that one of the servers used for exfiltrating the data belonged to Online SAS, a French cloud computing and web hosting company.
“Each compromised site used for data exfil has also been injected with a skimmer and has been used to host skimming code loaded on other victim sites as well,” the researchers added.
Magecart is constantly innovating and switching its attack methods. "These skimmers are becoming increasingly capable, fulfilling a variety of functions to optimize the work of the operators that deploy them," the researchers wrote.
MakeFrame is just another example of the group's “continued evolution, honing tried-and-true techniques and developing new ones all the time,” the researchers wrote.
Magecart groups tend to be highly active, but the pace of their attacks has increased significantly over the past few weeks, RiskIQ said. Magecart payment skimming attacks have increased by 20 percent since many retailers closed their physical stores and moved operations online over the past month. “With many homebound people forced to purchase what they need online, the digital skimming threat to e-commerce is as pronounced as ever,” Herman and Ihm wrote.