Cybersecurity researchers have disclosed a new digital skimmer campaign, called Mongolian Skimmer, that uses Unicode obfuscation techniques to hide its identity.
“At first glance, the thing that stood out was the script’s obfuscation, which seemed a bit bizarre because of all the accented characters,” Jscrambler researchers said in an analysis. “The heavy use of Unicode characters, many of them invisible, does make the code very hard to read for humans.”
At its core, the script hides its malicious functionality by taking advantage of JavaScript's ability to use any Unicode character in identifiers.
The malware's ultimate objective is to steal sensitive information entered on e-commerce checkout or admin pages, including financial data, which is then exfiltrated to a server under the attacker's control.
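As an added example (not code from Jscrambler or the original article), this Node.js heuristic shows how a defender could flag scripts whose identifiers rely on non-ASCII or invisible Unicode characters. The patterns, thresholds and both sample scripts are constructed assumptions.

```javascript
// Added example: heuristic scan for Unicode-obfuscated identifiers.
// Patterns and thresholds are assumptions; tune them on your own scripts.

// Crude removal of comments and string literals, where non-ASCII text is normal.
const LITERALS = /\/\*[\s\S]*?\*\/|\/\/[^\n]*|"(?:\\.|[^"\\\n])*"|'(?:\\.|[^'\\\n])*'|`(?:\\.|[^`\\])*`/g;
// Identifier-shaped tokens (Unicode ID_Start / ID_Continue); keywords count too.
const IDENT = /[\p{ID_Start}$_][\p{ID_Continue}$\u200C\u200D]*/gu;
// Code points that render blank: Hangul fillers plus format characters (Cf).
const INVISIBLE = /[\u115F\u1160\u3164\uFFA0]|\p{Cf}/u;

function scoreScript(source) {
  const code = source.replace(LITERALS, ' ');
  const unique = new Set(code.match(IDENT) || []);
  let nonAscii = 0, invisible = 0;
  for (const id of unique) {
    if (/[^\x00-\x7F]/.test(id)) nonAscii++;
    if (INVISIBLE.test(id)) invisible++;
  }
  const ratio = unique.size ? nonAscii / unique.size : 0;
  // Flag any invisible identifier, or a script dominated by non-ASCII names.
  const suspicious = invisible > 0 || (unique.size >= 5 && ratio > 0.5);
  return { unique: unique.size, nonAscii, invisible, ratio, suspicious };
}

// Constructed sample: ordinary code, accented text only in a comment and a string.
const benign = `// l\u00E9gende du panier
var total = 0;
function addItem(price) { total += price; return "Total : " + total + " \u20AC"; }
document.getElementById('cart').textContent = addItem(5);`;

// Constructed sample: harmless arithmetic written with Mongolian-script, accented
// and invisible (U+3164) identifiers, in the style the researchers describe.
const obfuscated = 'var \u1820\u1821 = 1, \u3164 = 2, \u0107\u1EB9 = \u1820\u1821 + \u3164;' +
  ' function \u01FB\u0211(\u1E55) { return \u1E55 + \u0107\u1EB9; }';

for (const [name, src] of [['benign', benign], ['obfuscated', obfuscated]]) {
  console.log(name, scoreScript(src));
}
```

The literal stripping is regex-based rather than a full parser, so treat a hit as a prompt for manual review of the inline script, not as a verdict.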
The skimmer also tries to evade analysis and debugging by blocking specific functions when a web browser's developer tools are opened. It typically appears on compromised sites as an inline script that fetches the actual payload from an external server.
“The skimmer uses well-known techniques to ensure compatibility across different browsers by employing both modern and legacy event-handling techniques,” Jscrambler’s Pedro Fortuna said. “This guarantees it can target a wide range of users, regardless of their browser version.”
The client-side protection and compliance provider also observed an "unusual" loader variant that loads the skimmer script only when user interaction events such as scrolling, mouse movements, and touchstart are detected.
The company added that this method might be used to make sure that loading the skimmer does not create performance bottlenecks, in addition to acting as an effective anti-bot defence.
One of the Magento sites hijacked to deploy the Mongolian Skimmer is also reported to have been targeted by a different skimmer actor, and the two activity clusters used source code comments to communicate with each other and split the proceeds.
“50/50 maybe?” remarked one of the threat actors on September 24, 2024. Three days later, the other group responded, “I agree 50/50; you can add your code.”
The first threat actor then responded on September 30 by saying, “Okay, so how can I reach you though? You own an exploit account? [sic],” most likely a reference to the Exploit cybercrime forum.
Although the exact method used to deliver the skimmer malware to the target websites is currently unknown, the attackers are thought to be focusing on Magento or Opencart instances that are vulnerable or misconfigured.
“We have multiple victim websites, which might have been breached using different methods,” Fortuna told The Hacker News. “We don’t know exactly how they got there and were able to inject the web skimmer, but all signs point to compromised Magento or Opencart instances, either because they were poorly configured or because they had vulnerable components that the attackers exploited to get in.”
“The obfuscation techniques found on this skimmer may have looked to the untrained eye as a new obfuscation method, but that was not the case,” Fortuna noted. “It used old techniques to appear more obfuscated, but they are just as easy to reverse.”