A new strain of e-skimming malware has been identified by researchers at RiskIQ recently. The malware is similar to Grelos which is commonly associated with Magecart. This time, the code has been rehashed and encoded numerous times to include a loader and skimmer. This specific strain was believed to be used in the attack of mobile phone service provider Boom! Mobile which was also tracked back to the Fullz House group. This group formed as the cohesion between threat actors that specialized in phishing and skimming. “In several recent Magecart compromises, we have seen increasing overlaps in infrastructure used to host various skimmers that are unrelated in terms of the techniques and code structures they employ,” stated RiskIQ. The Grelos malware has been consistently linked to Magecart Groups 1 and 2. We will know soon if this strain similar to Grelos will be used more commonly since the holidays are right around the corner and online shopping will be at its peak.
Analyst Notes
Any suspicious communication between client web browsers and malicious or unexpected servers via JavaScript should be monitored for any indications that unauthorized code has been added to a checkout page. File integrity changes can also be monitored in an effort to look for changes. Any online business using web servers as a part of their e-commerce should consider using a Security Operations Center (SOC) that operates on a 24/7 basis to detect any unauthorized access. Consumers should also consider using one-time virtual credit cards to check out online, this will greatly reduce the risk of being skimmed because each virtual credit card number can only be used one time, and isn’t valid if stolen and used later.
Source: https://www.theregister.com/2020/11/18/magecart_grelos_research/?&web_view=true
