Analysis of a recent Magecart campaign
How does the web skimmer work?
“Web skimmers are loaded on the checkout page of a typical store. It lives in the browser of an unsuspecting online customer. Whenever he or she enters her payment information, the private data is siphoned off to an offshore server. Usually, this data is then sold on the dark web within 2-10 weeks.” - SanSec.
Search for the presence of the jquery.storageapi.min.js Skimmer on sites via URLscan here.
Search for the presence of the jquery.bah-hashchange.min.js Skimmer on sites via URLscan here.
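A local complement to the URLscan searches above, added here as an example and not taken from the original post: it parses a saved checkout page and reports every `<script>` whose file name matches one of the two skimmer file names, along with the host serving it. The `trusted_hosts` allowlist, the function names and the `shop.example` / `cdn.example` hosts are assumptions made for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# File names of the two skimmer scripts named in this post.
SKIMMER_FILENAMES = {"jquery.storageapi.min.js", "jquery.bah-hashchange.min.js"}


class ScriptCollector(HTMLParser):
    """Collects the src attribute of every <script> tag."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":  # HTMLParser lowercases tag and attribute names
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())


def find_skimmer_scripts(html, page_url, trusted_hosts):
    """Return (absolute_url, host, trusted) for each script whose file name matches."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.sources:
        absolute = urljoin(page_url, src)  # resolves relative and //host/ forms
        parsed = urlparse(absolute)
        filename = parsed.path.rsplit("/", 1)[-1].lower()  # query string excluded
        if filename in SKIMMER_FILENAMES:
            host = (parsed.hostname or "").lower()
            findings.append((absolute, host, host in trusted_hosts))
    return findings


# Constructed sample page; shop.example and cdn.example are placeholder hosts.
SAMPLE_HTML = """
<html><head>
<script src="/static/js/jquery.min.js"></script>
<script src="//cdn.example/lib/jquery.storageapi.min.js?v=3"></script>
<script SRC="https://cdn.example/JQuery.Bah-HashChange.min.js"></script>
<script>var inline = 1;</script>
</head></html>
"""

if __name__ == "__main__":
    hits = find_skimmer_scripts(SAMPLE_HTML, "https://shop.example/checkout", {"shop.example"})
    for url, host, trusted in hits:
        print(("trusted  " if trusted else "UNTRUSTED"), host, url)
```

A file-name match is only a lead for review: the script's content and the host it is served from still need to be inspected before the page is treated as compromised.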
Although this campaign was detected back in March 2020, the site remains online and is hosted with AS47510 [Crex Fex Pex ISS, RU]. Additionally, it appears the JS Skimmer continues to be injected into ecommerce sites’ checkout pages:
Indicators of Compromise (IOCs):
My previous blog post, titled “Deep-dive: The Magecart Collective”, can be found here.