GMO Sniffer Steals Card Data on US Websites

Delaware, USA – March 15, 2019 – Another group has entered the game using the notorious method of stealing payment card data with JavaScript code injected into a website. The new family of skimmers, which experts from Group-IB named GMO (after the name of the site associated with the malicious campaign), was found on six websites in the US, as well as on the FILA sportswear site. The malicious script has been active for at least several months and, according to the researchers, was injected manually, which could indicate a newly formed group. It is still unknown how the adversaries compromised the sites; allegedly, they either exploited a vulnerability in the Magento e-commerce platform or brute-forced admin credentials. The group behind this skimmer uses several techniques to stay out of the spotlight and hide its creation from researchers' eyes. Although the administrators of the compromised sites have been notified about the GMO skimmer, the malicious code has not yet been removed.

Group-IB's researchers are working on a report on JavaScript sniffers and the groups behind them. They promise to reveal details about nine groups that have stayed under the radar for a long time. It is worth noting that the MageCart family of skimmers is used by 12 competing groups that are continually improving their tools. The boom in e-commerce has brought a boom in skimmers with it. To detect attempts to compromise your web resources and inject malicious code in a timely manner, you can use the Web Application Framework for ArcSight: https://my.socprime.com/en/integrations/web-application-security-framework-arcsight