With Black Friday-Cyber Monday looming, Grelos skimmer tied to Magecart poses threat

A new Grelos skimmer variant tied to Magecart Group could potentially lure online shoppers to fill out phony payment forms over the upcoming holidays.

A unique cookie could allow attackers to connect to a recent variant of the Grelos skimmer then to an even newer version that uses a fake form to steal payment data from victims, according to a blog from researchers at RiskIQ.  

Domains related to the cookie, they said, have compromised dozens of sites so far.

The researchers observed new variants of skimmers reusing code that’s been seen over the last several years and are distantly related to the earliest Magecart instances RiskIQ observed. The Grelos skimmer has been around since 2015 and has been connected to Magecart Group 1-2.

As the Magecart consortium carries out attacks, instead of a single, structured group, some of the actors have displayed a range of capability, sophistication, and intent, said Kacey Clark, a threat researcher at Digital Shadows. Skimming software has emerged as one of the most commonly used methods to steal card payment information from online services.

“Skimmers are the go-to tool for the Magecart consortium,” Clark said. “By engaging in multiple forms of attacks and continually developing new tools such as the Grelos skimmer, Magecart proves it can evolve and adapt to the landscape it faces.”

A similar tool named MakeFrame was explicitly developed by Magecart and used the group’s hallmark characteristics, such as hex-encoded terms and obfuscated code, Clark said. Attackers target of small and medium-sized businesses, in tandem with compromised domains, to fulfill MakeFrame’s three functions: hosting malicious code, injecting the skimmer onto other compromised domains and data exfiltration.”

Dirk Schrader, global vice president at New Net Technologies, said RiskIQ’s detailed reporting indicates knowledge-sharing among card skimmer groups.

“This has a high-risk potential for the average web-user related to the coming Black Friday-Cyber Monday period as it is a dangerous bundling of knowledge and resources,” Schrader said. “People will have to be extra careful when shopping online as smaller web shops are more likely to be compromised than larger ones.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.