Crypto-Inspired Magecart Skimmer

Malwarebytes has discovered a skimmer that uses the “mr.SNIFFA” framework and targets e-commerce websites and their customers.

Malwarebytes’ threat intelligence team has identified a Magecart skimmer that uses the mr.SNIFFA toolkit and targets e-commerce websites and their customers.

The discovered skimmer uses various obfuscation techniques as well as steganography to deliver its malicious code and exfiltrate stolen credit card data. Usually, Magecart threat actors choose domain names that imitate third-party libraries or Google Analytics. In this case, however, the skimmer domains referenced public figures or names known in the cryptocurrency world.

Malwarebytes investigated the skimmer’s infrastructure at the Russia-based provider DDoS-Guard in more detail and came across a number of other malicious domains, as well as a kind of digital criminal haven for stolen credit card data, cryptocurrency fraud, Bitcoin mixers, and malware distribution sites. Technical details about the skimmer and its ecosystem are available in Malwarebytes’ latest report.

The stolen credit card data is sent back to the attackers using the same special character encoding.

Magecart briefly explained

Magecart is a malware framework designed to steal credit card information from compromised e-commerce websites. It is used in criminal activities and is a sophisticated implant that builds on relays, command-and-control mechanisms, and anonymizers to steal credit card information from e-commerce customers. The first stage is usually implemented in JavaScript embedded in a compromised checkout page. It copies data from the page's input fields and sends it to a relay, which collects credit cards from a subset of compromised e-commerce sites and forwards them to command-and-control servers.
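Because the first stage is a script on the checkout page, a defender can audit which hosts that page loads JavaScript from. The following is an added example, not code from Malwarebytes or the report; the allowlist, the brand tokens, the host names and the sample HTML are constructed assumptions, and the regex-based tag extraction is a simplification of real HTML parsing.

```javascript
// Added example: audit the <script> tags of a checkout page against an allowlist.
// ALLOWED_HOSTS, BRAND_TOKENS and SAMPLE_HTML are constructed for illustration.
const ALLOWED_HOSTS = new Set(["www.google-analytics.com"]);
// Names that skimmer domains usually imitate (third-party libraries, analytics).
const BRAND_TOKENS = ["google", "analytics", "jquery"];

function auditCheckoutScripts(html, pageHost) {
  const findings = [];
  const tagRe = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const srcMatch = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    if (!srcMatch) {
      // Inline script: no host to check, so report it for manual review or hash pinning.
      if (m[2].trim()) findings.push({ type: "inline", bytes: m[2].trim().length });
      continue;
    }
    let host;
    try {
      // Resolves relative and protocol-relative URLs against the page origin.
      host = new URL(srcMatch[1], `https://${pageHost}/`).hostname.toLowerCase();
    } catch {
      findings.push({ type: "unparseable-src", src: srcMatch[1] });
      continue;
    }
    if (host === pageHost || ALLOWED_HOSTS.has(host)) continue;
    // A host that borrows a vendor name without being the vendor deserves priority.
    const lookalike = BRAND_TOKENS.some((t) => host.includes(t));
    findings.push({ type: lookalike ? "lookalike-host" : "unlisted-host", host });
  }
  return findings;
}

// Constructed sample page; all hosts are placeholders.
const SAMPLE_HTML = `
<form id="checkout"><input name="cc-number"></form>
<script src="/static/checkout.js"></script>
<script src="https://www.google-analytics.com/analytics.js"></script>
<script src="//google-analytics-cdn.example.net/ga.js"></script>
<script src="https://widgets.example.org/chat.js"></script>
<script>window.cfg = {currency: "EUR"};</script>`;

console.log(auditCheckoutScripts(SAMPLE_HTML, "shop.example"));
```

An allowlist audit like this only covers script tags present in the served HTML; scripts injected at runtime need a Content-Security-Policy or browser-side monitoring as well.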