Emerging MakeFrame Skimmer from Magecart Sets Sights on SMBs

Attacks using a brand-new card-harvesting code is targeting small- to medium-sized businesses, claiming 19 sites so far.

Researchers have observed a new skimmer from the prolific Magecart Group that has been actively harvesting payment-card data from 19 different victim websites, mainly belonging to small- and medium-sized businesses (SMBs), for several months.

RiskIQ researchers first discovered the skimmer, dubbed MakeFrame for its use of iframes to skim data, on Jan. 24. Since then, they’ve captured several different versions of the skimmer with “various levels of obfuscation,” researchers Jordan Herman and Mia Ihm wrote in a blog post published Thursday.

The versions range from from development versions in clear code to finalized versions using encrypted obfuscation, they wrote.

“This version of the skimmer is the classic Magecart blob of hex-encoded terms and obfuscated code,” Herman and Ihn wrote. “It is nestled in amongst benign code to blend in and avoid detection.”

MakeFrame also leeches off the compromised site for its functionality, a technique that in particular alerted researchers that MakeFrame is most likely the work of Magecart Group 7. And, targeting SMB sites, as MakeFrame does, also is indicative of Magecart Group 7 activity, researchers said.

“In some cases, we’ve seen MakeFrame using compromised sites for all three of its functions — hosting the skimming code itself, loading the skimmer on other compromised websites and exfiltrating the stolen data,” Herman and Ihm wrote.

Indeed, Magecart Group 7 typically uses victim sites for skimmer development, which was also observed when the group compromised OXO in 2017 and in activity by the group in 2018, researchers wrote.

“In all of these cases, the skimmer is hosted on the victim domain,” according to the analysis. “The stolen data is posted back to the same server or sent to another compromised domain.”

Another aspect of MakeFrame that links the new skimmer back to Magecart Group 7 is its method of exfiltration of data once it’s stolen, Herman and Ihm noted. The skimmer sends stolen data in the form of .PHP files to other compromised sites for exfiltration, they said.

“Each compromised site used for data exfil has also been injected with a skimmer and has been used to host skimming code loaded on other victim sites as well,” the researchers added.

Magecart Group 7 is one of a number of threat actors operating under the Magecart umbrella, which includes several different groups who all use a similar attack vector. Magecart attacks compromise websites — principally built on the Magento e-commerce platform – to inject card-skimming scripts on checkout pages to steal customer payment-card details and other data entered on the page’s fields.

The group has been active since 2016 and consistently switches tactics to target e-commerce platforms to steal people’s payment and other credentials.

Skimmers are the primary weapons of choice for the various Magecarts groups, but they have also engaged in other nefarious activities such as brute-forcing passwords, spoofing third-party payment sites and even targeting Wi-Fi routers with malicious code to steal customer data.

The latest skimmer uncovered by RiskIQ shows the group’s “continued evolution, honing tried-and-true techniques and developing new ones all the time,” researchers wrote.

The onset of stay-at-home orders amid the COVID-19 pandemic also seems to have inspired Magecart to bolster activity as more people conduct business online, with many brick-and-mortar shops and shopping malls closed, researchers noted.

“RiskIQ data shows Magecart attacks have grown 20 percent amid the COVID-19 pandemic,” Herman and Ihm wrote. “With many home-bound people forced to purchase what they need online, the digital-skimming threat to e-commerce is as pronounced as ever.”


Do you suffer from Password Fatigue? On Wednesday April 8 at 2 p.m. ET join Duo Security and Threatpost as we explore a passwordless future. This FREE webinar maps out a future where modern authentication standards like WebAuthn significantly reduce a dependency on passwords. We’ll also explore how teaming with Microsoft can reduced reliance on passwords. Please register here and dare to ask, “Are passwords overrated?” in this sponsored webinar.

Suggested articles