Researchers analyzed a JavaScript skimmer used by MagecartSecurity Affairs

Cyble researchers analyzed a new, highly evasive JavaScript skimmer used by Magecart threat actors.

Cyble Research & Intelligence Labs began its investigation after seeing a post on Twitter a new JavaScript skimmer developed by the Magecart threat group used to target Magento e-commerce websites.

In Magecart attacks against Magento online stores, attackers attempt to exploit vulnerabilities in the popular CMS to gain access to website source code and inject malicious JavaScript. The malicious code is designed to capture payment data (credit/debit owner name, credit/debit card number, CVV number and expiration date) from payment forms and payment pages. The malicious code also performs certain checks to determine that the data is in the correct format, for example by analyzing the length of the data entered.

In this specific case, the researchers discovered that when a user visits the compromised website, the skimmer loads the payment overlay and asks the user to enter payment information.

The skimmer is obfuscated and embedded in the “media/js/js-color.min.js” JavaScript file

Once the victim enters their payment data in the form, the JavaScript file collects it and then sends the Base64 encoded data to the URL included in the JavaScript using the POST method

Cyble experts have noticed that while executing the JavaScript, it checks if the browser’s developer tool is open to avoid being parsed.

“Online shopping activity is constantly increasing due to its ease of use, digital transformation and convenience. Skimmer groups continue to infect e-commerce sites in large numbers and improve their techniques to stay undetected,” the report concludes. “Historically, Magento e-commerce sites have been the most targeted victims of skimmer attacks. When using an e-commerce website, be sure to only use known and legitimate platforms.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(Security cases hacking, Log4Shell)

Comments are closed.