Heads up: A new strain of card-skimming Grelos malware is on the loose

Magecart variant has changed and you should be alert, warns RiskIQ


A new offshoot of the Grelos card-skimming malware - a common Magecart variant - is doing the rounds, according to infosec biz RiskIQ.

The latest strain described by RiskIQ contains "a rehash" of the original code first seen in 2015-16, consisting of a loader and a skimmer, "both of which are base64 encoded five times over."

A unique cookie linked to the Grelos strain gave researcher Jordan Herman the clue he needed to track it.

Spotted in the wild as part of the compromise of US-based Boom! Mobile earlier this year, the latest Grelos strain was linked to Fullz House, a hacking crew that combined the skills of two separate criminal gangs who respectively specialised in phishing and card skimming, as RiskIQ previously explained in a separate blog post.

Linked to Magecart in 2018, the Grelos malware operates in a similar manner: at heart it's a card skimmer used for stealing customers' credit card details from online retail websites.

"In several recent Magecart compromises, we have seen increasing overlaps in infrastructure used to host various skimmers that are unrelated in terms of the techniques and code structures they employ," said RiskIQ. "We also observe new variants of skimmers reusing code seen over the last several years."

Different skimmer strains linked to Grelos have been "using the same infrastructure or other connections through WHOIS records and other malicious activities, such as phishing and malware during this investigation," wrote RiskIQ's Herman, who added that the Grelos strain appears to be linked to the oldest known Magecart operators, identified as Groups 1 and 2.

Typically, Magecart compromises occur because companies are careless about where they embed Javascript on their websites, as British Airways and Ticketmaster both found out to their cost.

Magecart is a recurring problem for e-commerce businesses, especially as the entire Western world has this year switched from shopping in bricks-and-mortar retailers to online shops thanks to COVID-19 lockdowns.

The malware is operated by various groups, numbering at least 12 in RiskIQ's view, who use it to steal credit card details from e-commerce businesses. ®


Biting the hand that feeds IT © 1998–2020