Magecart hackers inject iFrame skimmers in 19 sites


A new Magecart skimmer campaign is ongoing in which 19 different e-commerce websites have been successfully compromised and customers' payment card details have been stolen.

The campaign was discovered by cybersecurity researchers at RiskIQ. According to their report, a new digital skimmer called “MakeFrame” injects HTML iframes into web pages to phish payment data.

MakeFrame attacks have been attributed to Magecart Group 7 because of their technique of using compromised sites to host the skimming code, load the skimmer on other compromised websites, and siphon off the stolen data.

In a Magecart attack, the attackers usually compromise an online store by placing malicious JavaScript skimmers on payment forms in order to capture the credit card and account details of users who make purchases on the infected site.

Magecart hackers have attacked many high-profile websites in the past few years, including NutriBullet, Olympics ticket reselling websites, Macy’s, Ticketmaster, British Airways, consumer electronics giant Newegg and many more.

According to the researchers, an infection of just 22 lines of JavaScript code was all the attackers needed to gain real-time access to the sensitive data.

The new MakeFrame skimmer code, a mix of a hex-encoded array of strings and obfuscated code, is placed between benign code to evade detection.

But the code resists deobfuscation because of a check (_0x5cc230['removeCookie']) that ensures it has not been altered. When this check passes, the skimmer code is reconstructed by decoding the obfuscated strings.

When the skimmer is inserted on the victim site, MakeFrame can also imitate the payment method, use iframes to create a payment form, detect the data entered into the fake payment form when the “submit” button is pressed, and exfiltrate the card information in the form of '.php' files to another compromised domain (piscinasecologicas dot com). This is the same method used by Magecart Group 7.

All the compromised sites used for data exfiltration were themselves injected with a skimmer and have also been used to host skimming code loaded on other victim sites.

All the affected websites belonged to small or medium-sized businesses, and there are three distinct versions of this skimmer with different levels of obfuscation.
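
The traits described above (a hex-encoded array of strings, obfuscated identifiers, an injected iframe, and card data sent to '.php' files on another domain) can be checked for statically when reviewing scripts served by a store. The following JavaScript is an added example, not code from RiskIQ or from the original article; the function names, thresholds and the shop.example / collector.example hosts are assumptions constructed for illustration.

```javascript
// Added example: static triage of one script body for MakeFrame-style traits.
// Thresholds and names are assumptions, not RiskIQ's detection logic.

// Turn "\x69\x66..." escape sequences back into readable characters.
function decodeHexEscapes(src) {
  return src.replace(/\\x([0-9a-fA-F]{2})/g, (_, h) =>
    String.fromCharCode(parseInt(h, 16)));
}

// Return the indicators found in src. siteHost is the store's own hostname.
function triageScript(src, siteHost) {
  const findings = [];
  const hexEscapes = (src.match(/\\x[0-9a-fA-F]{2}/g) || []).length;
  const obfNames = new Set(src.match(/\b_0x[0-9a-f]{4,}\b/g) || []);
  if (hexEscapes >= 20) findings.push(`hex-encoded strings: ${hexEscapes} escapes`);
  if (obfNames.size >= 3) findings.push(`obfuscator-style names: ${obfNames.size}`);

  // A DOM keyword that appears only after decoding was deliberately hidden.
  const decoded = decodeHexEscapes(src);
  for (const word of ['iframe', 'createElement']) {
    if (decoded.includes(word) && !src.includes(word)) {
      findings.push(`"${word}" visible only after decoding`);
    }
  }
  // .php endpoints on another host match the exfiltration pattern described.
  // Exact host comparison is a simplification (subdomains are not handled).
  const urlRe = /https?:\/\/([a-z0-9.-]+)\/[^\s'"]*\.php/gi;
  for (const m of decoded.matchAll(urlRe)) {
    const host = m[1].toLowerCase();
    if (host !== siteHost) findings.push(`off-site .php endpoint: ${host}`);
  }
  return findings;
}

// Constructed sample: a harmless script shaped like the obfuscation described.
const hex = (s) => [...s].map((c) =>
  '\\x' + c.charCodeAt(0).toString(16).padStart(2, '0')).join('');
const SAMPLE =
  `var _0x1a2b=['${hex('iframe')}','${hex('createElement')}',` +
  `'${hex('https://collector.example/gate.php')}'];` +
  `var _0x3c4d=function(_0x5e6f){return _0x1a2b[_0x5e6f];};` +
  `document[_0x3c4d(1)](_0x3c4d(0));`;
const BENIGN =
  `var f=document.createElement('iframe');fetch('https://shop.example/cart.php');`;

console.log(triageScript(SAMPLE, 'shop.example'));
console.log(triageScript(BENIGN, 'shop.example'));
```

A non-empty result is a prompt for manual review of that script, not proof of compromise, since legitimate minifiers and obfuscators can produce similar traits.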

Magecart is a swiftly growing cybercrime syndicate comprising dozens of subgroups that specialize in cyberattacks involving payment card theft.

Companies are advised to keep their software up to date, enable multi-factor authentication, segregate critical network infrastructure, and be vigilant against phishing attacks.

During the COVID-19 pandemic, with more people making online purchases, there has been a 20 percent rise in Magecart attacks.

Priyanka R
Cyber Security Enthusiast, Security Blogger, Technical Editor, Author at Cyber Safe News
