Get started in 5 minutes!

Postponed Exfiltration Evades Detection

The domain has recently emerged as a threat, employing various cunning techniques to evade detection and targeting unsuspecting users, but what makes it especially deceptive is its ability to postpone exfiltration until after the checkout flow, making it an alarming threat to online shoppers.

Pretense of Legitimacy

To appear authentic, checks the referrer address. If it doesn’t match the store’s URL, it serves a script from This helps it disguise its true identity and intentions.

Furthermore, the loader masquerades as a Google Analytics script and goes the extra mile to mimic legitimate behavior. For instance, it sets localStorage values like localStorage.setItem("font", "Helvetica"), creating the illusion of a genuine script.

Surprisingly, no obfuscation is used intentionally, possibly exploiting users’ trust in familiar scripts.

Loading & Exfiltration

When users click the checkout button, collects their credit card details. It enriches this data with the user’s IP address and user agent by calling

The serialized data is stored in localStorage under the key _sutoken.

On subsequent page requests, the loader checks localStorage and adds a serv parameter to the URL, such as:<serialized_cc_data>.

This enables the exfiltration of stolen data to a remote server.

Indicators of Compromise (IOCs)



class DetachCheckout extends DetachHandler


class DetachCheckout extends DetachHandler

Hackers get smarter every day.
Outsmart them with eComscan.

eComscan is the automated backend security scanner that keeps your online store safe from attackers. Discover vulnerabilities and malicious activity instantly.
Sansec experts study dozens of hacks every day to keep you protected. Sansec is the only company specializing in Magento security and is a proud Adobe partner.

Scan your store now