A New Grelos Skimmer Reflects the Depth and Murkiness of the Magecart Ecosystem

As security researchers shine more light on the world of Magecart, we see that this vast card-skimmer underworld is increasingly intertwined. As we draw parallels between different attacks, skimmers, and other infrastructure, many things become more transparent, such as which groups are responsible, how they target their victims, and how their tooling evolves. Just last week, RiskIQ published a report tying the ubiquitous 'Ant and Cockroach' skimmer to Magecart Group 12, which showed just how far-reaching the group's infrastructure and activity have become.

However, as more of the Magecart landscape comes to the surface, things also get murkier and more complicated. In many recent Magecart compromises, we've seen increasing overlaps in the infrastructure used to host different skimmers that appear to be deployed by unrelated groups using various techniques and code structures. We also observe new skimmer variants reusing code seen in the past. For instance, the compromise of boom! Mobile involved the Full(z) House skimmer hosted on infrastructure not previously associated with Full(z) House. This same infrastructure hosted skimming domains that we observed loading other skimmers, including different versions of the grelos skimmer. This pattern may indicate that different skimming groups use the same infrastructure to host their skimming domains, possibly purchasing hosting services from the same third party.

Article Link: https://www.riskiq.com/blog/external-threat-management/magecart-grelos/