Magento Skimmers

Post a Comment

Obfuscation Method Leverages Google Analytics

Eventually the obfuscation used by this campaign has evolved into a more elaborate one which pretends to be Google Analytics code.

Skimmer disguised as Google Analytics

Indeed it is very similar to Google’s real code, which looks like this:

Real Google Analytics code

There is almost no difference between the skimmer and legitimate analytics sample—except for some extra base64-encoded values along with short instructions to decode (atob), which use these values instead of Google’s original ones.

Variations of the Malware

In the case above, the encoded values are bGlnaHRnZXRqcy5jb20vbGlnaHQuanM= (lightgetjs[.]com/light.js) and Y2hlY2tvdXQ= (checkout). For pages with the keyword “checkout” in their URLs, the code loads a credit card skimmer from lightgetjs[.]com/light.js.
As seen in the previous series of attacks, this was not the only domain used in the new wave of this campaign. We’ve found many different variations of this script with the following combinations of the encoded values (not a complete list):

aHR0cHM6Ly9hamF4c3RhdGljLmNvbS9hcGkuanM/dj0yLjMuNg==, b25lcGFnZQ==
hxxps://ajaxstatic[.]com/api.js?v=2.3.6, onepage

anNnbG9iYWwudG9wL2FwaS5qcw==, b25lcGFnZQ==
jsglobal[.]top/api.js, onepage

c2VjdGlvbi53cy9pby5qcw==, Y2hlY2tvdXQ=
section[.]ws/io.js, checkout

cmFja2FwaWpzLmNvbS9hcGkuanM=, Y2hlY2tvdXQ=
rackapijs[.]com/api.js, checkout


All of these URLs point to the same server that also hosts a few more domains used in this campaign:
  • mediapack[.]info Creation Date: 2017-05-04
  • lightgetjs[.]com Creation Date: 2019-04-23
  • section[.]ws Creation Date: 2019-05-20
  • sectionio[.]com Creation Date: 2019-05-20
  • rackapijs[.]com Creation Date: 2019-03-23
  • authorizeplus[.]com Creation Date: 2019-02-17
  • priceapigate[.]com Creation Date: 2019-04-23
  • ajaxstatic[.]com Creation Date: 2019-01-11
  • topapigate[.]com Creation Date: 2019-05-13
  • jsglobal[.]top
These domains have been migrating from one server to another. This past July, we saw them resolve to IPs that belong to the Chinese corporation.
  •  – China Hangzhou Singapore E-commerce Private Limited
  • – China Hangzhou Llc
The script uses the following encoded values: bWFnZWVudG8uY29tL3YzL2FwaS9sb2dzLmpz (mageento[.]com/v3/api/logs.js), b25lc3RlcGNoZWNrb3V0Cg== (onestepcheckout)
The mageento[.]com domain was created on February 22, 2019 and is currently hosted on a server with the IP (Hong Kong), along with a few other well-known skimmer domains such as g-statistic[.]com, googleadservicesonline[.]com, onlineclouds[.]info, onlineclouds[.]cloud.

keyword : Black Hat Tactics, Google, Hacked Websites, Obfuscation, Magento. Exploit

Related Posts

Post a Comment