[BreachExchange] New Magecart Skimmer Infects 19 Victim Websites

Destry Winant destry at riskbasedsecurity.com
Fri Apr 3 10:09:10 EDT 2020


MakeFrame, named for its ability to make iframes for skimming payment
data, is attributed to Magecart Group 7.

A new Magecart skimmer, dubbed MakeFrame, has been observed
compromising 19 victim websites. The skimmer was named for its ability
to make iframes for skimming payment data.

RiskIQ researchers became aware of the new skimmer on Jan. 24, 2020.
Since then, they have identified three versions of MakeFrame with
varying levels of obfuscation, ranging from clear JavaScript code to
encrypted obfuscation. In some cases, they observed MakeFrame using
compromised websites for all three of its functions: hosting the
skimming code, loading the skimmer onto compromised websites, and
exfiltrating the stolen payment information.

"There are several elements of the MakeFrame skimmer that are familiar
to us, but it's this technique in particular that reminds us of
Magecart Group 7," researchers write in a blog post.

Magecart Group 7 also used victim websites for skimmer development, a
technique seen in its breach of OXO in 2017 and 2018. RiskIQ says
MakeFrame's targets are similar: Each victim site belongs to a small
or midsize business, and none are especially well-known. OXO, a
US-based manufacturer of kitchen utensils and home goods, seems to be
an outlier for the group.

For all of the 19 victim websites, MakeFrame is hosted on the victim's
domain. Stolen data is posted back to the same server or sent to
another compromised domain for exfiltration. Magecart Group 7 also
uses the exfiltration method of sending stolen information as .php
files to other infected websites, researchers note. Each website used
for exfiltration has been compromised with a skimmer and is used to
host skimming code loaded onto other victim sites.

More information about the BreachExchange mailing list