A new Magecart skimmer has surfaced online that compromised at least 19 different websites in a recent campaign. While the skimmer was new, it served the same old purpose – stealing payment card data from websites.
New Magecart Skimmer Campaign
Researchers from RiskIQ have discovered a new Magecart skimmer that took over numerous websites in a recent campaign. Dubbed MakeFrame, this skimmer compromised 19 different websites to steal customers’ card data.
Elaborating on their findings in a post, the researchers stated that the new skimmer seemingly belongs to Magecart Group 7. A deeper analysis of the skimmer revealed that it uses sophisticated obfuscation techniques to avoid detection. As stated,
This version of the skimmer is the classic Magecart blob of hex-encoded terms and obfuscated code. It is nestled in amongst benign code to blend in and avoid detection.
The researchers detected numerous versions of this skimmer. Some of these sported high-level obfuscation, whereas others had clear code. Analyzing all of these let the researchers relate the skimmers found on different websites.
Moreover, the attackers behind this skimmer did not aim only at stealing data. They also intended to put the victim sites to further use.
In some cases, we’ve seen MakeFrame using compromised sites for all three of its functions—hosting the skimming code itself, loading the skimmer on other compromised websites, and exfiltrating the stolen data.
A detailed technical analysis of the skimmers is available in the researchers' post.
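As a defender-side illustration of the "hex-encoded terms ... nestled in amongst benign code" description quoted above, the following added example (not code from RiskIQ's post or from the skimmer itself) decodes hex-escaped string literals in a script and flags those that spell payment-form terms. The sample script, the watchlist and the function names are constructed assumptions.

```javascript
// Constructed sample: ordinary page code with a hex-encoded string array
// mixed in. It is not taken from the real skimmer.
const SAMPLE = String.raw`
function initCarousel(el) { el.className += ' ready'; }
var _0xa1 = ['\x63\x76\x76', '\x63\x61\x72\x64\x6e\x75\x6d\x62\x65\x72', '\x76\x61\x6c\x75\x65'];
var label = 'Add to basket';
`;

// Assumed watchlist of payment-form terms; tune it for your own checkout pages.
const WATCHLIST = ['cvv', 'cvc', 'card', 'expir', 'billing'];

// A quoted literal made up only of \xNN escapes (at least three of them).
const HEX_LITERAL = /(['"])((?:\\x[0-9a-fA-F]{2}){3,})\1/g;

// Turn the escape sequence text back into the characters it encodes.
function decodeHexLiteral(body) {
  return body.replace(/\\x([0-9a-fA-F]{2})/g,
    (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

function scanScript(source) {
  const decoded = [];
  for (const m of source.matchAll(HEX_LITERAL)) {
    decoded.push(decodeHexLiteral(m[2]));
  }
  const paymentTerms = decoded.filter(
    (t) => WATCHLIST.some((w) => t.toLowerCase().includes(w)));
  // Share of the file taken up by escape sequences (4 source chars per decoded
  // char). A dense block inside otherwise readable code deserves a closer look.
  const escapedChars = decoded.reduce((n, t) => n + t.length * 4, 0);
  return {
    hexLiterals: decoded.length,
    decoded,
    paymentTerms,
    hexRatio: source.length ? escapedChars / source.length : 0,
    flagged: paymentTerms.length > 0,
  };
}

console.log(scanScript(SAMPLE));
```

Hex-escaped strings also occur in legitimately minified code, so a hit is a reason to review the script and compare it with the version you deployed, not proof of compromise.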
Rise In Magecart Attacks Amidst COVID-19
The researchers shared that they have observed a 20% rise in Magecart attacks of late. Magecart skimming attacks are nothing new, though. In the present scenario, when people are obliged to shop online, such attacks pose a greater threat and put more users at risk.
Magecart attacks have grown 20% amid the COVID-19 pandemic. With many homebound people forced to purchase what they need online, the digital skimming threat to e-commerce is as pronounced as ever.
Certainly, we have seen in the past that attackers never miss a chance to exploit global disasters for their own benefit. One example is the skimming attack on an Australian bushfire donation site a couple of months ago.