Magecart Group 7

Researchers at RiskIQ have outlined a new Magecart campaign affecting at least 19 e-commerce sites, which they attribute to Magecart Group 7. Magecart is the umbrella term for multiple threat actors that compromise e-commerce websites to steal customer credit card data, and Magecart attacks have been on a rising trend in recent months. The group's newest campaign needed only 22 lines of code to compromise the various websites and gain real-time access to sensitive data, including credit card numbers.

The new skimmer, dubbed MakeFrame, injects HTML iframes into web pages to capture payment data as it is being entered. MakeFrame relies on obfuscation to avoid detection: inside the skimming code, a blob of hex-encoded strings and obfuscated logic is sandwiched between benign code. In a twist by the threat actor, the obfuscated code is much harder to analyze because of a check on the function _0x5cc230['removeCookie'] that verifies the code has not been altered. This prevents researchers from modifying the code to make it easier to read and understand. When the check passes, the skimmer reconstructs itself by decoding the obfuscated strings.

Once the skimmer is on the page, its iframes render payment forms that make users believe they are entering their sensitive information into the merchant's site, while the form actually sends that information to the threat actor. Some of the compromised websites are used to receive stolen data from other compromised sites, while others are configured to send the stolen data to a server at IP address 163.172.136[.]230, owned by the French cloud computing company Online S.A.S.
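As an added defender-side example (not code from the RiskIQ report or from Binary Defense), the following Node.js script scans page HTML for the two MakeFrame traits described above: iframes that point off-site or carry no src at all, and inline scripts dense with hex-escaped strings and _0x-style identifiers. The allowlist, thresholds and sample HTML are constructed assumptions.

```javascript
// Added example: flag MakeFrame-style traits in checkout-page HTML.
// Constructed first-party allowlist for the hypothetical merchant shop.example.
const FIRST_PARTY = new Set(["shop.example", "cdn.shop.example"]);

// Every <iframe> whose src host is not first-party, or that has no src at all
// (e.g. a srcdoc frame), is how an overlaid fake payment form would appear.
function suspiciousIframes(html, allow = FIRST_PARTY) {
  const hits = [];
  const re = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const attrs = m[1];
    const src = /(?<![\w-])src\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (!src) { hits.push({ reason: "no-src", attrs: attrs.trim() }); continue; }
    let host = null;
    try { host = new URL(src[1], "https://shop.example/").hostname; } catch (e) { /* unparsable */ }
    if (!host || !allow.has(host)) hits.push({ reason: "offsite-src", src: src[1] });
  }
  return hits;
}

// Inline scripts are scored on two obfuscation markers: \xNN string escapes
// (hex-encoded string arrays) and distinct _0x... identifiers. Thresholds are assumptions.
function inlineScriptFindings(html, minHexEscapes = 8, minHexIds = 3) {
  const findings = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const js = m[1];
    const hexEscapes = (js.match(/\\x[0-9a-f]{2}/gi) || []).length;
    const hexIds = new Set(js.match(/_0x[0-9a-f]{4,}/gi) || []).size;
    if (hexEscapes >= minHexEscapes || hexIds >= minHexIds) {
      findings.push({ hexEscapes, hexIds, preview: js.trim().slice(0, 40) });
    }
  }
  return findings;
}

function scanPage(html) {
  return { iframes: suspiciousIframes(html), scripts: inlineScriptFindings(html) };
}

// Constructed sample: one clean first-party frame, one off-site frame, one srcdoc
// frame, and an inline script carrying a hex-encoded string array (not a real skimmer).
const SAMPLE_HTML = `
<script src="https://cdn.shop.example/checkout.js"></script>
<script>var _0x5cc230=['\\x63\\x6f\\x6f\\x6b\\x69\\x65','\\x72\\x65\\x6d\\x6f\\x76\\x65\\x43\\x6f\\x6f\\x6b\\x69\\x65'];function _0x1a2b3c(){}</script>
<iframe src="https://cdn.shop.example/help"></iframe>
<iframe src="https://evil-host.invalid/pay"></iframe>
<iframe srcdoc="&lt;form&gt;card&lt;/form&gt;"></iframe>`;

console.log(JSON.stringify(scanPage(SAMPLE_HTML), null, 2));
```

Run against a crawled copy of each checkout page and diff the output between crawls; a new off-site or src-less iframe, or a script that suddenly trips the obfuscation thresholds, is worth a manual look.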
By Akshay Rohatgi and Randy Pargman

About this Student Research Project

Binary Defense's mission is