New Grelos skimmer variant reveals overlap in Magecart group activities, malware infrastructure

The discovery of a new skimmer variant reveals the difficulties associated with tracking separate Magecart campaigns.
Written by Charlie Osborne, Contributing Writer

A new variant of a skimmer has revealed the increasingly muddy waters associated with tracking groups involved in Magecart-style attacks. 

On Wednesday, researchers from RiskIQ described how a new Grelos skimmer has shown there is "increased overlaps" in Magecart infrastructure and groups, with this malware -- alongside other forms of skimmer -- now being hosted on domain infrastructure used by multiple groups, or connected via WHOIS records, known phishing campaigns, and the deployment of other malware, creating crossovers that can be difficult to separate. 

See also: Magecart group uses homoglyph attacks to fool you into visiting malicious websites

Magecart is an umbrella term used to describe information stealing campaigns and threat actors that specialize in the theft of payment card data from e-commerce websites. 

Several years ago, well-known brands including British Airways and Ticketmaster became the first major victims of this form of attack, and since then, countless websites have fallen prey to the same technique. 

The new variant of the Grelos skimmer, malware that has been around since at least 2015 and associated with Magecart groups 1 and 2, is similar to a separate strain described by researcher @AffableKraut in July. This variant is a WebSocket-based skimmer that uses base64 obfuscation to hide its activities. 

"We believe this skimmer is not directly related to Group 1-2's activity from 2015-16, but instead a rehash of some of their code," RiskIQ says. "This version of the skimmer features a loader stage and a skimmer stage, both of which are base64 encoded five times over."

CNET: Trump fires top cybersecurity official for debunking election fraud claims

Following a Magecart attack on Boom! Mobile, RiskIQ examined links established by Malwarebytes and this attack, in which the Fullz House group loaded malicious JavaScript on the mobile network provider to scrape customer data.

The domains used in this cyberattack led the team to a cookie and associated skimmer websites, including facebookapimanager[.]com and googleapimanager[.]com.

However, instead of finding the Fullz House skimmer, the researchers uncovered a new Grelos skimmer variant. This strain has a similar base64 encoded loader stage, but only features one layer of encoding, duplicate script tags, spelling mistakes, and includes a dictionary called "translate" which contains phrases used by fake payment forms created by the malware. Web sockets are still used for data exfiltration. 

TechRepublic: Webex security flaw allows people to secretly sneak into meetings as "ghosts"

RiskIQ has observed new variants of Magecart-related skimmers reusing code over the past few years. The company says that the Fullz House skimmer has been co-opted by other hacking groups, even leveraging some of the same infrastructure -- such as hosting providers -- to host other skimmers, including Grelos, which also shares IPs with the Inter skimmer

This, in turn, is creating a "murkiness" when it comes to tracking the activities of separate Magecart groups, many of which are actively launching new attacks against e-commerce companies on a daily basis. 

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards