Magecart Group 12, known for skimming payment information from online shoppers, was fingered for last September s gonzo attack on more than 2,000 e-Commerce sites. The skimmers are still very active, according to Malwarebytes Labs Threat Intelligence Team. The group is using PHP web shells to gain remote administrative access to the sites under attack to steal credit-card data, rather than using their previously favored JavaScript code. Magecart continues to launch attacks with malware created to mimic a favicon.
Source: https://threatpost.com/magecart-server-side-itactics-changeup/166242/