Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

10:00 AM

New Magecart Skimmer Infects 19 Victim Websites

MakeFrame, named for its ability to make iframes for skimming payment data, is attributed to Magecart Group 7.

A new Magecart skimmer, dubbed MakeFrame, has been observed compromising 19 victim websites. The skimmer was named for its ability to make iframes for skimming payment data.

RiskIQ researchers became aware of the new skimmer on Jan. 24, 2020. Since then, they have identified three versions of MakeFrame with varying levels of obfuscation, ranging from clear JavaScript code to encrypted obfuscation. In some cases, they observed MakeFrame using compromised websites for all three of its functions: hosting the skimming code, loading the skimmer onto compromised websites, and exfiltrating the stolen payment information. 

"There are several elements of the MakeFrame skimmer that are familiar to us, but it's this technique in particular that reminds us of Magecart Group 7," researchers write in a blog post.

Magecart Group 7 also used victim websites for skimmer development, a technique seen in its breach of OXO in 2017 and 2018. RiskIQ says MakeFrame's targets are similar: Each victim site belongs to a small or midsize business, and none are especially well-known. OXO, a US-based manufacturer of kitchen utensils and home goods, seems to be an outlier for the group.

For all of the 19 victim websites, MakeFrame is hosted on the victim's domain. Stolen data is posted back to the same server or sent to another compromised domain for exfiltration. Magecart Group 7 also uses the exfiltration method of sending stolen information as .php files to other infected websites, researchers note. Each website used for exfiltration has been compromised with a skimmer and is used to host skimming code loaded onto other victim sites.

Read more details here.

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "Untangling Third-Party Risk (and Fourth, and Fifth...)."

Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/3/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-06-03
Jenkins Selenium Plugin 3.141.59 and earlier has no CSRF protection for its HTTP endpoints, allowing attackers to perform all administrative actions provided by the plugin.
PUBLISHED: 2020-06-03
Jenkins Project Inheritance Plugin 19.08.02 and earlier does not require users to have Job/ExtendedRead permission to access Inheritance Project job configurations in XML format.
PUBLISHED: 2020-06-03
Jenkins Project Inheritance Plugin 19.08.02 and earlier does not redact encrypted secrets in the 'getConfigAsXML' API URL when transmitting job config.xml data to users without Job/Configure.
PUBLISHED: 2020-06-03
Jenkins Subversion Partial Release Manager Plugin 1.0.1 and earlier does not escape the error message for the repository URL field form validation, resulting in a reflected cross-site scripting vulnerability.
PUBLISHED: 2020-06-03
Jenkins Play Framework Plugin 1.0.2 and earlier lets users specify the path to the `play` command on the Jenkins master for a form validation endpoint, resulting in an OS command injection vulnerability exploitable by users able to store such a file on the Jenkins master.