It is remarkable that so many different platforms are compromised in the same campaign. Typically, criminals exploit a flaw in a single platform. The attackers may instead have breached a shared component, e.g. a piece of software or a service that is used by all affected merchants.
Another curious technique is that this skimmer uses programmatically generated exfiltration domains. It keeps a counter and uses base64 encoding to produce a new domain name:
This produces, for example, the following exfiltration domains. The first one was registered on August 31st.
zg9tywlubmftzw5ldza.com
zg9tywlubmftzw5ldze.com
zg9tywlubmftzw5ldzu.com
zg9tywlubmftzw5ldzq.com
zg9tywlubmftzw5ldzm.com
zg9tywlubmftzw5ldzy.com
zg9tywlubmftzw5ldzi.com
zg9tywlubmftzw5ldzg.com
zg9tywlubmftzw5ldzk.com
zg9tywlubmftzw5ldzez.com
zg9tywlubmftzw5ldzex.com
zg9tywlubmftzw5ldzew.com
zg9tywlubmftzw5ldzey.com
zg9tywlubmftzw5ldze0.com
zg9tywlubmftzw5ldze1.com
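The following is an added reconstruction of this domain generation scheme for defenders, not code from the original post or from the skimmer itself. The seed string "domainnamenew" is an assumption recovered by base64-decoding the domains listed above (base64 of "domainnamenew0" is "ZG9tYWlubmFtZW5ldzA=", which lowercased and stripped of padding gives the first domain); the DNS log lines are constructed sample input.

```python
import base64
import re

# Seed recovered by decoding the listed domains (assumption, not taken from the
# skimmer's source): the skimmer appends a counter to this string, base64-encodes
# it, lowercases the result (DNS names are case-insensitive) and drops '=' padding.
SEED = "domainnamenew"


def exfil_domain(counter, seed=SEED, tld="com"):
    """Reproduce the generated exfiltration domain for one counter value."""
    raw = "{}{}".format(seed, counter).encode("ascii")
    label = base64.b64encode(raw).decode("ascii").rstrip("=").lower()
    return "{}.{}".format(label, tld)


def candidate_domains(max_counter, seed=SEED, tld="com"):
    """Precompute the whole family for counters 0..max_counter.

    Lowercasing destroys the case information base64 needs, so an observed
    domain cannot simply be decoded back; matching against a precomputed
    set is the reliable way to recognise members of the family."""
    return {exfil_domain(i, seed, tld) for i in range(max_counter + 1)}


def find_dga_hits(dns_log_lines, max_counter=1000):
    """Return (line_number, domain) for every queried name in the family."""
    family = candidate_domains(max_counter)
    hits = []
    for n, line in enumerate(dns_log_lines, 1):
        for name in re.findall(r"[a-z0-9.-]+\.[a-z]{2,}", line.lower()):
            if name in family:
                hits.append((n, name))
    return hits


# Constructed sample DNS log lines (not from the original post).
SAMPLE_LOG = [
    "10:00:01 client=10.0.0.5 query=zg9tywlubmftzw5ldza.com type=A",
    "10:00:02 client=10.0.0.5 query=cdn.example.net type=A",
    "10:00:03 client=10.0.0.7 query=zg9tywlubmftzw5ldze1.com type=A",
]

if __name__ == "__main__":
    for i in range(4):
        print(i, exfil_domain(i))
    print(find_dga_hits(SAMPLE_LOG))
```

Because the counter only increases, a blocklist built from candidate_domains() with a generous upper bound covers domains the attackers have not registered yet.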
The raw malware is hidden on the stores like this:
To summarize: this campaign shows that platforms are no boundary to the profitable fraud of online skimming. Wherever customers enter their payment details, they are at risk. Merchants should implement measures to actively counter this.