MakeFrame, named for its ability to make iframes for skimming payment data, is attributed to Magecart Group 7.

Dark Reading Staff, Dark Reading

April 2, 2020

2 Min Read

A new Magecart skimmer, dubbed MakeFrame, has been observed compromising 19 victim websites. The skimmer was named for its ability to make iframes for skimming payment data.

RiskIQ researchers became aware of the new skimmer on Jan. 24, 2020. Since then, they have identified three versions of MakeFrame with varying levels of obfuscation, ranging from clear JavaScript code to encrypted obfuscation. In some cases, they observed MakeFrame using compromised websites for all three of its functions: hosting the skimming code, loading the skimmer onto compromised websites, and exfiltrating the stolen payment information. 

"There are several elements of the MakeFrame skimmer that are familiar to us, but it's this technique in particular that reminds us of Magecart Group 7," researchers write in a blog post.

Magecart Group 7 also used victim websites for skimmer development, a technique seen in its breach of OXO in 2017 and 2018. RiskIQ says MakeFrame's targets are similar: Each victim site belongs to a small or midsize business, and none are especially well-known. OXO, a US-based manufacturer of kitchen utensils and home goods, seems to be an outlier for the group.

For all of the 19 victim websites, MakeFrame is hosted on the victim's domain. Stolen data is posted back to the same server or sent to another compromised domain for exfiltration. Magecart Group 7 also uses the exfiltration method of sending stolen information as .php files to other infected websites, researchers note. Each website used for exfiltration has been compromised with a skimmer and is used to host skimming code loaded onto other victim sites.

Read more details here.

Edgepromohorizontal.jpgCheck out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "Untangling Third-Party Risk (and Fourth, and Fifth...)."

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights