Magecart Skimmer Campaign Compromised 19 Websites To Steal Payment Card Data


A new Magecart skimmer has surfaced online that compromised a least 19 different websites in a recent campaign. While the skimmer was new, it served the same old purpose – stealing payment card data from websites.

Researchers from RiskIQ have discovered a new Magecart skimmer that took over numerous websites in a recent campaign. Dubbed MakeFrame, this skimmer compromised 19 different websites to steal customers’ card data.

Elaborating on their findings in a post, researchers stated that the new skimmer seemingly belonged to the Magecart Group 7. A more in-depth analysis of the skimmer revealed that it exhibited sophisticated obfuscation techniques to avoid detection. As stated,

This version of the skimmer is the classic Magecart blob of hex-encoded terms and obfuscated code. It is nestled in amongst benign code to blend in and avoid detection.

The researchers could detect numerous versions of this skimmer. Some of these sported high-level obfuscation, whereas some had clear codes. Analyzing all of these let the researchers related all the skimmers o different websites.

Besides, the attackers behind this skimmer did not only aim at stealing data. Instead, they also intended to achieve more targets from the victim sites.

In some cases, we’ve seen MakeFrame using compromised sites for all three of its functions—hosting the skimming code itself, loading the skimmer on other compromised websites, and exfiltrating the stolen data.

Detailed technical analysis of the skimmers is available in the researcher’s post. The researchers shared that they observed a 20% rise in Magecart attacks in the present days. Though, Magecart skimming attacks are nothing new.

Magecart attacks have grown 20% amid the COVID-19 pandemic. With many homebound people forced to purchase what they need online, the digital skimming threat to e-commerce is as pronounced as ever.

In the present-day scenario, when people are obliged to shop online, such attacks pose a higher level of threat, risking more users. Yes, we have witnessed in the past how the attackers never miss exploiting global disasters to gain benefits. For instance, the skimming attack on an Australia bushfire donation site a couple of months ago.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.