New MakeFrame Skimmer Claims 19 Victims

At least 19 websites have fallen victim to a new data skimmer that appears to have been developed by threat group Magecart Group 7.

Dubbed 'MakeFrame' by researchers at RiskIQ, the new data skimmer has been spotted out in the wild in several different versions.

Researchers first came across the skimmer on January 24. Since then, MakeFrame has been spotted hosting skimming code, loading the skimmer on other compromised websites, and exfiltrating stolen data. 

"There are several elements of the MakeFrame skimmer that are familiar to us, but it’s this technique in particular that reminds us of Magecart Group 7," wrote researchers.

RiskIQ has identified three distinct versions of the skimmer with varying levels of obfuscation, from clear JS code to encrypted obfuscation. Some of these appear to be dev versions running debug processes, one of which even includes a version number.

"Magecart Group 7 also used victim sites for skimmer development, as we observed when they compromised OXO in 2017 and twice in 2018," said researchers.

The team at RiskIQ said the multiple versions of MakeFrame were evidence of threat actors' constant hunt for new ways to cheat and steal from yet more victims. 

"This latest skimmer from Group 7 is an illustration of their continued evolution, honing tried and true techniques and developing new ones all the time. They are not alone in their endeavors to improve, persist, and expand their reach," wrote researchers.

When studying the new threat, researchers noted that MakeFrame was targeting the same victim pool as Group 7. 

"Each of the [compromised] sites belongs to a small or medium-sized business, and none are particularly well known, with OXO being a bit of an outlier in their history."

The nefarious data-stealing methods used by MakeFrame also echo those deployed by Magecart Group 7, sending stolen data as .php files to other compromised sites for exfiltration. 

Researchers noted that data-skimming attacks were on the rise at a time when people the world over are working and shopping from home as a result of the COVID-19 outbreak. 

"RiskIQ data shows Magecart attacks have grown 20% amid the COVID-19 pandemic. With many homebound people forced to purchase what they need online, the digital skimming threat to e-commerce is as pronounced as ever," wrote researchers.  

What’s Hot on Infosecurity Magazine?