Researchers from security firm RiskIQ have uncovered a new ongoing Magecart campaign that already compromised at least 19 different e-commerce websites to steal customers’ payment card data.
The experts discovered a new software skimmer, dubbed “MakeFrame,” that injects HTML iframes into web-pages to capture payment data.
“On January 24th, we first became aware of a new Magecart skimmer, which we dubbed
“Since then, we have captured several different versions of the skimmer, each sporting various levels of obfuscation, from dev versions in clear code to
The version of the skimmer detected by the experts is the classic Magecart blob of hex-encoded terms and obfuscated code, it is included inside legitimate code in the attempt of avoid detection.
The skimmer implements a couple more layers of sophistication, such as checking the use of code beautifiers for making condensed or obfuscated code more readable for threat analysts.
The code is impossible to be
The analysis of the MakeFrame e-skimmer revealed also the capability of emulating the payment method using iframes to create a payment form and capture the payment details provided by the victims.
Experts found the skimmer code on all the 19 compromised e-
“This method of
“Looking back on our prior breakdown of Group 7’s skimming code from our report Inside Magecart, the method of encoding stolen data as one long string of base64 is strikingly similar between older Group 7 skimmers and these newer samples. “
The evidence collected by RiskIQ demonstrates that the Magecart groups continue to improve their techniques and the e-skimmers they employ in the campaigns. RiskIQ reported that Magecart attacks have grown 20% amid the COVID-19 outbreak.
“With many homebound people forced to purchase what they need online, the digital skimming threat to e-commerce is as pronounced as ever.” concluded RiskIQ.
“As we saw in the attacks on NutriBullet and other victims, there are a variety of ways to attack the functionality of a website.”
|[adrotate banner=”9″]||[adrotate banner=”12″]|