Malwarebytes has discovered a skimmer that uses the “Mr.SNIFFA” framework and targets e-commerce websites and their customers.
Malwarebytes’ threat intelligence team has identified a Magecart skimmer that uses the mr.SNIFFA toolkit and targets e-commerce websites and their customers.
The discovered skimmer uses various obfuscation techniques as well as steganography to spread malicious code and exfiltrate stolen credit card data. Magecart threat actors usually choose domain names that resemble third-party libraries or Google Analytics. In this case, however, the skimmer domain referred to public figures or names known in the cryptocurrency world.
Malwarebytes investigated the skimmer’s infrastructure at Russia-based provider DDoS-Guard in more detail and came across a number of other malicious domains, as well as a kind of digital criminal haven for stolen credit card data, cryptocurrency fraud, Bitcoin mixers, and malware distribution sites. Technical details about the skimmer and its ecosystem are available in Malwarebytes’ latest report.
The stolen credit card data is sent back to the attackers using the same special character encoding.
Magecart briefly explained