
A New Grelos Skimmer Reflects the Depth and Murkiness of the Magecart Ecosystem

As security researchers shine more light on the world of Magecart, we see that this vast card-skimmer underworld is increasingly intertwined. As we draw parallels between different attacks, skimmers, and other infrastructure, many things become more transparent: which groups are responsible, how they target their victims, and how their tooling evolves. Just last week, RiskIQ published a report tying the ubiquitous 'Ant and Cockroach' skimmer to Magecart Group 12, which showed just how far-reaching the group's infrastructure and activity have become.

However, as more of the Magecart landscape comes to the surface, things also get more murky and complicated. In many recent Magecart compromises, we've seen increasing overlaps in infrastructure used to host different skimmers that seem to be deployed by unrelated groups that use various techniques and code structures. We also observe new variants of skimmers reusing code seen in the past. We illustrate both of these observations in our full analysis of the latest version of the Grelos skimmer.

This overlapping infrastructure includes a hosting provider used by several skimming domains we observed loading multiple, unrelated skimmers - including the Inter skimmer and different versions of Grelos. We even saw domains loading the Inter skimmer and the Grelos skimmer from the same IP address. Full(z) House used this same hosting provider to carry out its most recent skimming attacks, including the compromise of boom! Mobile. This pattern may indicate that various skimming groups use the same infrastructure to host their skimming domains, possibly purchasing hosting services from the same third party.

A New Grelos Skimmer Emerges

The skimmers we explored in our latest article in the RiskIQ Threat Intelligence Portal seem to be related to the earliest Magecart instances RiskIQ had ever observed, back when we exposed this form of digital credit card skimming and coined the term. 

The Grelos skimmer has been around since 2015, and its original version is associated with Magecart Groups 1 and 2. However, other actors have since co-opted the skimmer and continue to use some of the domains those original groups used to load it. Recently, a unique cookie allowed RiskIQ researchers to connect a recent variant of this skimmer to an even newer version that uses a fake payment form to steal payment data from victims. Domains related to this cookie have compromised dozens of sites so far.

Grelos’ Rapid Evolution

Like many other effective skimmers, Grelos owes its longevity to its utility. However, long-lived skimmers evolve and change significantly over time, and Grelos is no exception. In July, researcher Affable Kraut (@AffableKraut) described a recent variant of the skimmer featuring multiple layers of base64 obfuscation hiding a two-stage skimmer.

Our researchers observed this version of the skimmer while looking at domains provided in replies to a Twitter thread by Malwarebytes about recent Full(z) House activity. These domains led us to a cookie, which, using RiskIQ's Internet Intelligence Graph in RiskIQ PassiveTotal, enabled our researchers to connect more skimming domains. These connections were interesting because skimmer domains sharing an identical cookie is extremely unusual. When researchers looked at what these domains were loading on victim sites, they found an even newer variant of the Grelos skimmer.

Our researchers saw more overlaps between different skimmers by matching infrastructure and through identical WHOIS records. They also found links between skimmers and other malicious activity during this investigation, such as phishing and malware, which they'll explore in forthcoming publications. There were also links between Group 12's skimming infrastructure and other cybercrime activity noted in our recent analysis of the Ant and Cockroach skimmer, which may indicate a trend of skimmers being used alongside other tactics in broader threat campaigns.

Scale your Defense in Response

Magecart attacks have skyrocketed, with RiskIQ detecting new attacks every few minutes. With more and more researchers looking into this growing threat, the massive scope of Magecart's cybercrime empire and its mind-boggling intricacies are finally being exposed. In this research, the alarming rate at which Magecart skimmers are evolving became apparent. In response, organizations must scale their defense to meet this growing threat and be aware of how Magecart affects their attack surface.

Recently, Ticketmaster's UK division was fined over Magecart attacks RiskIQ surfaced in 2018. British Airways has also been fined for a Magecart breach that exposed 400k customers' credit card details, which RiskIQ reported earlier in 2018.

Magecart attacks are expected to increase against e-commerce as the holiday shopping season continues to ramp up, with more consumers shopping online because COVID-19 will prevent them from visiting brick-and-mortar shops. Having the latest intelligence on Magecart will be paramount, as will maintaining visibility into your organization's attack surface. The best defense against Magecart is keeping on top of their tactics and knowing the code your website runs, including third-party code. Immediately patching vulnerable systems can prevent harm to your customers and, as we've seen, a hefty fine.

Be sure to check in on RiskIQ's Threat Intelligence Portal as we continue to track Magecart and publish everything that can help you defend your organization. For the full report on the new Grelos skimmer, including IOCs, visit the intelligence card.
