Grelos Skimmer Variant Co-Opts Magecart Infrastructure
Researchers: Skimmer Compromised Website of Boom! Mobile In October
Researchers have identified a fresh variant of the Grelos skimmer that has co-opted the infrastructure Magecart groups use for their own skimming attacks against e-commerce sites, security firm RiskIQ says.
Grelos has been active since 2015, but the new variant was discovered only after it compromised Boom! Mobile's website in October, the researchers note in the report.
The latest version of Grelos is considerably more complex than the variants of the skimmer uncovered previously, says Jordan Herman, a threat researcher at RiskIQ. Even so, he says, the added complexity does not necessarily make the skimmer more effective.
"So, while the new Grelos skimmer has more impressive functionality and obfuscation than previous iterations, I think it is probably less effective than the original because there is more awareness and tracking [of skimmers] these days," Herman says.
So far, the skimmer has been found on several small and mid-size e-commerce sites in the U.S., Canada, France, Chile and the United Arab Emirates, Herman says.
The Magecart tooling reused by the operators of Grelos includes WebSockets for exfiltrating skimmed data, loader components, and domains linked to Magecart that host the malware, the report notes.
"We believe this skimmer is not directly related to [Magecart] Group 1/2's activity from 2015-16, but instead a rehash of some of their code," according to RiskIQ. "This version of the skimmer features a loader stage and a skimmer stage, both of which are base64 encoded five times over."
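The report says both the loader and the skimmer stage are base64 encoded five times over. The following Node.js snippet is an added example, not code from RiskIQ's report or from the skimmer itself: it peels nested base64 layers one at a time, using a strict alphabet check (Node's `Buffer.from()` silently drops invalid characters, so it cannot be trusted to tell base64 from plain script on its own) and stopping as soon as a layer decodes to something that is no longer base64. The `SAMPLE_STAGE` string and the `wrapBase64` helper that builds the five-layer blob are constructed stand-ins for a skimmer stage.

```javascript
// Added example, not the Grelos code: recover a payload that has been
// base64-encoded several times over, as the report describes for the
// loader and skimmer stages. Runs under Node.js.

// Canonical base64 alphabet with optional padding.
const BASE64_RE = /^[A-Za-z0-9+/]+={0,2}$/;

// Strict check: Buffer.from(str, 'base64') ignores characters outside the
// alphabet, so we verify the alphabet and length ourselves first.
function looksLikeBase64(text) {
  const s = text.replace(/\s+/g, '');
  return s.length > 0 && s.length % 4 === 0 && BASE64_RE.test(s);
}

// Peel base64 layers until the content stops being base64 or maxLayers is
// reached. Returns the recovered text and the number of layers removed.
function unwrapBase64(blob, maxLayers = 16) {
  let current = blob;
  let layers = 0;
  while (layers < maxLayers && looksLikeBase64(current)) {
    const decoded = Buffer.from(current.replace(/\s+/g, ''), 'base64').toString('utf8');
    // A layer that decodes to control bytes or invalid UTF-8 is not another
    // text layer (likely binary or a false positive), so stop here.
    if (/[^\x09\x0a\x0d\x20-\x7e\u00a0-\uffff]/.test(decoded) || decoded.includes('\ufffd')) {
      break;
    }
    current = decoded;
    layers += 1;
  }
  return { text: current, layers };
}

// Helper used only to build the constructed sample below.
function wrapBase64(text, layers) {
  let out = text;
  for (let i = 0; i < layers; i += 1) {
    out = Buffer.from(out, 'utf8').toString('base64');
  }
  return out;
}

// Constructed sample: a placeholder for a skimmer stage, NOT real Grelos code.
const SAMPLE_STAGE = "document.addEventListener('submit',e=>{/* collect fields */});";
// Five nested layers, matching the depth the report describes.
const SAMPLE_BLOB = wrapBase64(SAMPLE_STAGE, 5);

const RECOVERED = unwrapBase64(SAMPLE_BLOB);
console.log(`removed ${RECOVERED.layers} base64 layers`);
console.log(RECOVERED.text);
```

On a real sample the output of the last layer is typically still obfuscated JavaScript rather than readable code, so this unwrapper is only the first step; the `maxLayers` bound keeps it from looping on a crafted blob whose every layer happens to look like base64.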
RiskIQ says it discovered the new Grelos variant after the firm's analysts examined domains provided by independent security researchers AffableKraut and Denis Sinegubko, who were responding to an update from security firm Malwarebytes concerning attacks on Boom! Mobile’s website.
After investigating the cookies linked to the domains listed by the security researchers, RiskIQ found that some were also linked to four skimming domains used by the attackers.
"A unique cookie allowed us to connect a recent variant of this skimmer to an even newer version that uses a fake payment form to steal payment data from victims," the RiskIQ report notes. "Domains related to this cookie have compromised dozens of sites so far."
RiskIQ also notes that the majority of the malicious domains linked to the skimmers were hosted within ASN 45102, an autonomous system that is currently popular with several different Magecart actors.
Further, the overlap between the skimmer infrastructure and the domain connections led RiskIQ researchers to conclude that the new Grelos variant is among the latest skimmer variants to leverage Magecart infrastructure.
RiskIQ also notes that since January it has collected several versions of the MakeFrame skimmer, ranging from code still in development to fully functioning versions that use encryption and obfuscation to hide their presence.
Magecart Attacks Increase
Magecart groups have been blamed for skimming attacks against companies that include British Airways, Ticketmaster and Newegg (see: Magecart Group Continues Targeting E-Commerce Sites).