A new Magecart skimmer campaign is under way in which 19 different e-commerce websites have been compromised and their customers' payment card details stolen.
The campaign was discovered by cybersecurity researchers at RiskIQ. According to their report, a new digital skimmer called “MakeFrame” injects HTML iframes into web pages to phish payment data.
MakeFrame attacks have been attributed to Magecart Group 7 because of the technique of using compromised sites to host the skimming code, load the skimmer on other compromised websites, and siphon off the stolen data.
Magecart hackers have attacked many high-profile websites in the past few years, including NutriBullet, Olympics ticket reselling websites, Macy’s, Ticketmaster, British Airways, consumer electronics giant Newegg, and many more.
The new MakeFrame skimmer code, a mix of a hex-encoded array of strings and obfuscated code, is placed between benign code to avoid detection.
The code also resists deobfuscation because of a check (_0x5cc230['removeCookie']) that ensures it has not been altered. When this check passes, the skimmer code is reconstructed by decoding the obfuscated strings.
Once the skimmer is inserted on the victim site, MakeFrame can imitate the payment method, use iframes to create a payment form, capture the data entered into the fake payment form when the “submit” button is pressed, and exfiltrate the card information in the form of ‘.php’ files to another compromised domain (piscinasecologicas dot com). This is the same method used by Magecart Group 7.
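A static triage heuristic for the traits described above (hex-encoded string arrays, obfuscator-style identifiers such as _0x5cc230, and iframe or .php terms hidden inside the encoded strings), as an added example that is not taken from RiskIQ's report. The function names, thresholds and both sample scripts are constructed for illustration.

```javascript
// Added example: static triage of a script for the MakeFrame traits described above.
// Function names, thresholds and both samples are assumptions made for illustration.

// Constructed sample: an array of hex-encoded strings that hides "iframe",
// "createElement" and "/x.php" behind \xNN escapes.
const sampleObfuscated = String.raw`var _0x1a2b=['\x69\x66\x72\x61\x6d\x65','\x63\x72\x65\x61\x74\x65\x45\x6c\x65\x6d\x65\x6e\x74','\x2f\x78\x2e\x70\x68\x70'];var _0x3c4d=document[_0x1a2b[1]](_0x1a2b[0]);`;

// Constructed sample: ordinary, readable iframe use that should not be flagged.
const sampleBenign = "const frame = document.createElement('iframe'); frame.src = '/help.html';";

// Turn \xNN escapes in the body of a string literal back into characters.
function decodeHexEscapes(body) {
  return body.replace(/\\x([0-9a-fA-F]{2})/g,
    (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

function triageScript(source) {
  // String literals that consist only of \xNN escapes.
  const hexLiterals = source.match(/(['"])(?:\\x[0-9a-fA-F]{2})+\1/g) || [];
  const decoded = hexLiterals.map(lit => decodeHexEscapes(lit.slice(1, -1)));
  // Distinct obfuscator-style identifiers (_0x followed by hex digits).
  const obfIds = new Set(source.match(/\b_0x[0-9a-f]{4,}\b/g) || []);
  // Behaviour-related terms that only become visible after decoding.
  const hidden = decoded.filter(s => /iframe|createElement|\.php/i.test(s));

  const findings = [];
  if (hexLiterals.length >= 3) findings.push('hex-encoded-strings');
  if (obfIds.size >= 2) findings.push('obfuscated-identifiers');
  if (hidden.length > 0) findings.push('payment-terms-hidden-in-hex');
  // Require two independent signals before escalating to manual review.
  return { findings, decoded, suspicious: findings.length >= 2 };
}

console.log(triageScript(sampleObfuscated));
console.log(triageScript(sampleBenign));
```

A hit is a reason to review the script by hand, not proof of compromise, since legitimate minified code can trip the same patterns.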
All the compromised sites used for data exfiltration were themselves injected with a skimmer and have also been used to host skimming code loaded on other victim sites.
All the affected websites belong to small or medium-sized businesses, and there are three distinct versions of this skimmer with different levels of obfuscation.
Magecart is a swiftly growing cybercrime syndicate comprising dozens of subgroups that specialize in cyberattacks involving payment card theft.
Companies are advised to keep their software up to date, enable multi-factor authentication, segregate critical network infrastructure, and be vigilant against phishing attacks.
During the COVID-19 pandemic, with more people making online purchases, there has been a 20 percent rise in Magecart attacks.