Sansec logo

Competing digital skimmers sabotage each other

Sansec

by Sansec Forensics Team

Published in Threat Research − November 20, 2018

Competing digital skimmers sabotage each other

Sabotage

Skimmers found to subtly sabotage each others fraud operations

Competition is grim in the online skimming business (aka "MageCart"). The aggressive MagentoCore skimmer was previously observed to kick contending parasites from its victim hosts. But this week, we discovered that the battle has entered a new stage: advanced sabotage of each others revenue streams and reputation.

Sample case in question: cosmetics shop Bliv.com. It contains multiple distinct skimmers that send credit cards to different exfiltration hosts. The more advanced one is onlineclouds.cloud, which is heavily obfuscated and uses cloaking techniques. But with some sweating and curses, we decoded it (full source).

The interesting part is copied below. It detects whether any cards are sent to the (competing but inferior) skimmer domains js-react.com and bootstrap-js.com. Then, it subtly changes the last digit of the intercepted card number, effectively sending bogus card numbers to its competitor:

jQuery.ajaxSetup({
  beforeSend: function (jqXHR, settings) {
    if (
      settings.url.indexOf("js-react.com") !== -1 ||
      settings.url.indexOf("bootstrap-js.com") !== -1
    ) {
      // ...
      var myRandom = Math.floor(Math.random() * 10);
      var old_cc = settings.data.match(cc);
      var new_data = settings.data.replace(
        new RegExp("[0-9]{13,16}", "g"),
        old_cc[0].slice(0, -1) + myRandom
      );
      settings.data = new_data;
    }
  },
});

Why the subtle sabotage, instead of just killing the inferior skimmer? On the dark web markets, reputation is everything. If one sells non-working cards, angry customers will publicly complain and it will destroy the competing "brand".

It is not likely that the MageCart battle will be finished soon, so stay tuned...

Read more

Scan your store now
for malware & vulnerabilities

$ curl ecomscan.com | sh

eComscan is the most thorough security scanner for Magento, Adobe Commerce, Shopware, WooCommerce and many more.

Stay up to date with the latest eCommerce attacks

Sansec logo

experts in eCommerce security

Terms & Conditions
|
Privacy & Cookie Policy
Company Reg 77165187
|
Tax NL860920306B01