Just as seasonal online shopping kicks into high gear, new variants of the point-of-sale Grelos skimmer malware have been identified. The variants are targeting the payment-card data of online retail shoppers on dozens of compromised websites, researchers warn.

The Grelos skimmer malware has been around since 2015, and its original version is associated with what are called Groups 1 and 2 under the prolific Magecart umbrella of loosely organized cybercriminals. Over time, however, new actors began to co-opt the Grelos skimmer and reuse some of the original domains used to host the malware. The result is what researchers say is a unique overlap in infrastructure between Grelos and Magecart for the most recent variants of the skimmer.

In a new analysis, researchers said that a cookie found on a compromised website led to the discovery of Grelos, and that they were then able to find links between new variants because they had matching infrastructure and identical records on the WHOIS query and response protocol (widely used for querying databases).

“Recently, a unique cookie allowed RiskIQ researchers to connect a recent variant of this skimmer to an even newer version that uses a fake payment form to steal payment data from victims,” said researchers with RiskIQ in an analysis this week. “Domains related to this cookie have compromised dozens of sites so far.”

The Skimmer Variant

The new variants of the skimmer first appeared when researcher Affable Kraut documented it…
