
“Bom” Skimmer is Magecart Group 7’s Latest Model

RiskIQ has tracked Magecart since skimmers first surfaced in 2014 and burst into the headlines in the landmark attack against British Airways in 2018. In the time since, our researchers have cataloged hundreds of iterations of Magecart skimmers as different threat groups build, appropriate, tweak, and develop them to suit their unique purposes. 

Despite their ongoing changes, these skimmers often maintain enough of the same characteristics and infrastructure for keen eyes to link them to past attacks and the responsible groups. In the case of the newly identified "bom" skimmer, which has been deployed on dozens of counterfeit online stores, distinct features and TTPs linked us directly to its predecessor skimmers, including the widespread MakeFrame version. It also pointed us to its operators, Magecart Group 7. 

Group 7 and the Rise of Bom

RiskIQ's 2018 Inside Magecart report noted several distinct features of Group 7 skimmers, including one on a compromised site that used dual exfiltration paths via GET requests to two other compromised sites.

In July 2019, Sansec noted a skimmer seen on more than 960 compromised sites. Although the code differed from our earlier sample, most functions in the Sansec sample remained the same: the exfiltration still relied on dual GET requests. One of these requests was pointed at another compromised site, while the other pointed to an actor-controlled server. Based on these similarities and other analyses, RiskIQ Magecart expert Yonathan Klijnsma attributed the Sansec sample to Group 7.

On December 3, 2019, @jknsCo tweeted about a skimmer injecting its own payment form into compromised e-commerce sites. The skimmer contained a unique function name: bom. 

On December 10, 2019, Malwarebytes documented a skimmer and its appearance on hundreds of counterfeit online stores. The exfiltration URL seen by Malwarebytes used the same IP address as the "bom" skimmer. 

Malwarebytes also publicly posted a deobfuscated sample of the above skimmer. Comparing this sample to that provided by Sansec yields several similarities. For example, both exfil paths are defined as "urll." Also, both skimmers define a function named "addtoev" that is structurally similar in both.

You can see more analysis of these skimmers and view the IOCs linking them in the RiskIQ Threat Intelligence Portal.

Bom Surfaces Again

Recently, RiskIQ researchers noticed a skimmer appearing on a large number of counterfeit online stores. Comparison of this skimmer to those noted above led us to conclude that they are directly related. The skimmer includes a function named "boms" and is constructed similarly to the sample provided by Malwarebytes. 

Like the skimmers noted above, the "boms" skimmer surfaced by RiskIQ also uses dual exfil paths and has a nearly identical "path" element. It even injects its own payment form into the compromised site. 

On September 15, 2021, a Twitter conversation between researchers connected this skimmer to actor-controlled servers. One of these IPs was used by a version of this skimmer for exfiltration as early as May 2020.

You can examine more of the infrastructure shared by these skimmers in the RiskIQ Threat Intelligence Portal.

MakeFrame: The Precursor to Bom

The Bom skimmer dropped another clue that helped us tie it to Group 7 activity. It used a function naming convention favoring a double "R" that reminded us of another skimmer we documented in April 2020, MakeFrame.

Like the "bom" skimmer reported in 2019, MakeFrame created its own payment forms from which it skimmed data, and it exfiltrated that data via compromised websites and dedicated servers. However, the exfil paths no longer appeared in tandem: only one exfil path appeared at a time.

The skimmer also added functionality to exfiltrate data through either GET or POST requests rather than GET requests exclusively.

The construction below performs either a "POST" or a "GET" depending on whether "dataobject" evaluates to true or false. The "? :" conditional (ternary) operator acts as an inline "if" in this context, and in this instance "url" is defined in the script and points to a compromised site. Other instances of this skimmer used an actor-controlled server for the "url" object.

Skimmer construction
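As an added defender-side example (not code from RiskIQ, and not the skimmer's own code), the following Python heuristic flags script text that carries the naming traits named in this post ("bom"/"boms", "addtoev", "urll") together with the ternary POST/GET request-selection pattern described above. The regular expressions, the scoring threshold and the two sample scripts are my own constructions for illustration.

```python
import re

# Indicator names come from the traits described in the post; the regexes
# wrapping them and the >= 2 threshold are assumptions for this example.
INDICATORS = {
    "bom_function": re.compile(r"\bfunction\s+boms?\s*\("),
    "addtoev_function": re.compile(r"\bfunction\s+addtoev\s*\("),
    "urll_identifier": re.compile(r"\burll\b"),
    # cond ? "POST" : "GET" (or the reverse), the request-method selector
    "ternary_method_select": re.compile(
        r"\?\s*['\"](?:POST|GET)['\"]\s*:\s*['\"](?:POST|GET)['\"]"),
}
URL_LITERAL = re.compile(r"https?://[^\s'\"]+")


def scan_script(source: str) -> dict:
    """Return which indicators matched, a score, and a verdict for one script."""
    matched = [name for name, rx in INDICATORS.items() if rx.search(source)]
    return {
        "matched": matched,
        "score": len(matched),
        # number of URL string literals; dual exfil paths show up as >= 2
        "url_literals": len(set(URL_LITERAL.findall(source))),
        "suspicious": len(matched) >= 2,
    }


# Constructed sample carrying only the naming traits; it does nothing itself.
SUSPICIOUS_SAMPLE = """
var urll = "https://compromised-site.example/path";
var url = "https://actor-server.example/path";
function addtoev(e) { return e; }
function boms() {
  var method = dataobject ? "POST" : "GET";
  return method;
}
"""

# Constructed benign checkout handler with none of the traits.
BENIGN_SAMPLE = """
var url = "https://shop.example/api/checkout";
function submitForm(e) { e.preventDefault(); fetch(url, {method: "POST"}); }
"""

if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, scan_script(src))
```

In practice the same function would run over scripts collected from a storefront crawl, with hits reviewed against the IOCs in the portal.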

Tracking and Defeating Magecart

RiskIQ first documented Magecart Group 7's activities and skimmer in our 2018 report Inside Magecart. Later, we uncovered one of its newer skimmers, MakeFrame. 

Samples we gathered while investigating the MakeFrame skimmer showed it in different stages of development, using victims' sites to test out the skimmer. The skimmer also used both compromised sites and actor-controlled servers for data exfiltration. 

However, it appeared that the group was experimenting with a new skimmer that included elements of MakeFrame. As the line of skimmer succession goes, Group 7 integrated certain parts of MakeFrame and other skimmers into a new version we've dubbed "bom." After analyzing the skimmer more closely, we tracked these specific code elements to past Group 7 skimmers. 

In this investigation, we traced the history of its development to understand past attacks and better address future ones. Understanding, attributing and enumerating threat infrastructure like this is key intelligence that helps scale defenses and prepare your team to meet threats head-on. 

For our full analysis and list of IOCs, visit the RiskIQ Threat Intelligence Portal. For more Magecart analysis and research, visit the RiskIQ blog.
