Grelos Skimmer is the name given to a strain of malware deployed by hackers in Magecart-style attacks. The Grelos Skimmer has been in use for several years, ever since it was first detected back in 2015. During that time, multiple variants have been developed and unleashed by several different hacker groups, creating considerable confusion when trying to distinguish the operations of one group from another.
Magecart denotes an attack operation in which hackers compromise e-commerce websites specifically in order to steal credit card data. Hundreds of websites have fallen victim to this attack, including some major brands such as British Airways and Ticketmaster. Many cybercriminals jumped in, resulting in the creation of numerous groups that have specialized in conducting such attacks. In the current landscape, the separate characteristics of the Magecart threat actors are starting to blend. Prime examples are the latest Grelos Skimmer variants that have been uncovered by the researchers at RiskIQ.
These new skimmer threats reuse significant portions of older code, with some sections traceable to the first Magecart instances. Despite being released by different groups, there is a significant overlap between the strains: they contain a loader stage and a skimmer stage, use base64 encoding, and use WebSockets for data exfiltration. Only minor differences have been found, such as one variant using a single layer of base64 encoding while the other generates five layers. However, the latest version has been equipped with a fake payment form that harvests all of the data users input into it. According to the researchers, dozens of sites have already been compromised by this Grelos Skimmer variant.
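The layered base64 encoding mentioned above is the kind of obfuscation an analyst strips first when triaging a suspicious script found on a checkout page. The following Python helper, written for this article as an added example and not taken from RiskIQ's research or from any real skimmer, finds long quoted literals in a script and peels nested base64 layers off them until the result stops being valid base64, reporting how many layers were removed. The function names, the inner marker string and the sample script are all constructed for the example; the marker stands in for whatever the real loader would hide and contains no skimmer code.

```python
import base64
import binascii
import re

# Constructed fixture: a harmless marker wrapped in five base64 layers, mimicking
# the multi-layer encoding the article attributes to one Grelos variant.
# This text is invented for the example and is not a real payload.
INNER_MARKER = "sample-inner-payload: not real skimmer code"

# Strict base64 alphabet with optional padding; no whitespace allowed.
_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
# Quoted string literals that are long enough to be worth decoding.
_LITERAL_RE = re.compile(r"""["']([A-Za-z0-9+/=]{20,})["']""")


def wrap_layers(text: str, layers: int) -> str:
    """Apply base64 `layers` times. Used only to build the test fixture."""
    data = text.encode()
    for _ in range(layers):
        data = base64.b64encode(data)
    return data.decode()


def unwrap_layers(blob: str, max_layers: int = 10) -> tuple[str, int]:
    """Strip nested base64 layers from `blob`.

    Returns (innermost_text, layers_removed). Decoding stops when the current
    candidate is not well-formed base64, does not decode to printable UTF-8, or
    `max_layers` is reached, so a plain string passes through with 0 layers.
    """
    current = blob
    removed = 0
    while removed < max_layers:
        candidate = re.sub(r"\s+", "", current)  # tolerate line-wrapped blobs
        if not _B64_RE.match(candidate):
            break
        try:
            decoded = base64.b64decode(candidate, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            break
        if not decoded.isprintable():
            break  # binary output: not another text layer, stop here
        current = decoded
        removed += 1
    return current, removed


def find_encoded_literals(script: str) -> list[tuple[str, str, int]]:
    """Scan script text for base64-looking literals and unwrap each one.

    Returns (literal, innermost_text, layers_removed) for every literal from
    which at least one layer could be removed.
    """
    results = []
    for match in _LITERAL_RE.finditer(script):
        literal = match.group(1)
        inner, layers = unwrap_layers(literal)
        if layers > 0:
            results.append((literal, inner, layers))
    return results


# Constructed sample script: one five-layer blob beside a short plain literal.
SAMPLE_SCRIPT = (
    'var cfg = "' + wrap_layers(INNER_MARKER, 5) + '";\n'
    'var page = "checkout";\n'
)

if __name__ == "__main__":
    for literal, inner, layers in find_encoded_literals(SAMPLE_SCRIPT):
        print(f"{layers} layer(s) removed from literal of length {len(literal)}:")
        print("  ", inner)
```

The stopping rule matters: an intermediate layer of base64 is itself printable base64 text, so the loop keeps going, whereas the innermost content (whether JavaScript or, as here, a marker with spaces and punctuation) fails the alphabet check and ends the unwrap. Raising `max_layers` is harmless; it only bounds pathological input.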