Cyber criminals are taking advantage of unprecedented volumes of traffic to online shopping websites during the Covid-19 coronavirus pandemic, with Magecart credit card skimming attacks ramping up, according to RiskIQ researchers Jordan Herman and Mia Ihm.
“With many homebound people forced to purchase what they need online, the digital skimming threat to e-commerce is as pronounced as ever,” said Herman and Ihm in a disclosure blog.
“As we saw in the attacks on NutriBullet and other victims, there are a variety of ways to attack the functionality of a website. Operatives with the right know-how and enough time will find them.”
The researchers highlighted the recent rise to prominence of a new Magecart skimmer, which they have dubbed MakeFrame in a nod to its ability to make iframes for skimming payment data.
Since it was first spotted in January, MakeFrame has already been seen deployed on 19 different victim sites.
RiskIQ said it was continually observing evolutions in the techniques that cyber crime groups using Magecart employ to skim data and obfuscate the code they use to do so, noting that they were becoming increasingly capable.
As a case in point, several different versions of MakeFrame have been found sporting various levels of obfuscation, including dev versions in clear code, and finalised versions using encryption.
“In some cases, we’ve seen MakeFrame using compromised sites for all three of its functions – hosting the skimming code itself, loading the skimmer on other compromised websites and exfiltrating the stolen data,” they said, referring to previous attacks by this group, which used the website of kitchenware firm OXO for skimmer development when they compromised it previously.
“There are several elements of the MakeFrame skimmer that are familiar to us, but it’s this technique in particular that reminds us of Magecart Group 7.”
Herman and Ihm said the pool of MakeFrame victims appeared to be similar to Group 7’s preferred targets – generally small or medium-sized retailers, none of them especially well known, OXO being somewhat of an outlier.
In each case, they found, the skimmer was hosted on the victim’s own domain with the stolen data posted back to the same server or another compromised domain in a .php file, the same group’s modus operandi.
“This latest skimmer from Group 7 is an illustration of their continued evolution, honing tried and true techniques and developing new ones all the time,” said Herman and Ihm. “They are not alone in their endeavours to improve, persist and expand their reach.”
While it’s hard for consumers to know when a retail website they are using has been compromised by a Magecart credit card skimmer, there are a few steps they can take to maximise their resilience against online credit card fraud.
Useful steps to take include: using third-party, one-time use payment methods such as those offered by Apple Pay, Google Wallet or PayPal – although these methods are not hacker-proof in and of themselves; enabling purchase alerts and monitoring services on credit cards to minimise their utility to criminals; disabling international purchases on credit cards to limit criminals’ ability to profit from the theft; and finally, only shopping on a personal, trusted W-Fi network, or on 4G or 5G mobile networks.