Analysis of Meyhod JavaScript Web Skimmers


A new web skimmer, dubbed Meyhod, has been disclosed by RiskIQ. The malware (named after a typo in the code) appeared in October on several e-commerce sites, including the hair treatment company Bosley and the Chicago Architecture Center (CAC).

While investigating the attacker's domain (jquerycloud[.]com) a bit further, other potential victims from this campaign were uncovered some months ago. These include Doves Farm UK, The Fruit Company, Customer Earth Promos, and - judging by the file names - potentially iCanvas or TFC:

Active compromise of

Skimmer 1: Identifier - sClass="yeikyd" - 'dovesfarm.js' (available here)

Skimmer 2: Identifier - sClass="frydbt" - 'icanvas.js' (available here)

Skimmer 3: Identifier - sClass="bfiyad" - 'tfc.js' (available here)

Skimmer 1 - Listener:

Skimmer 2 and 3 - Listener:

Skimmed Data:

RC4 encryption:

Data collected:

  • Credit Card Number, Card Holder Name, CVV, expiry day, month and year, billing address, company name, email address, phone number, and location details.

The skimmed data is encoded using custom functions before it is sent off to the attacker-owned server by an AJAX POST request.
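As an added detection example (not part of the original post or RiskIQ's tooling), the script below parses a checkout page, flags any external script host that is not on a site-specific allow-list, and matches inline scripts against the sClass identifiers and exfiltration domain listed above. The sample page and the allow-listed CDN host are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators taken from the post: the three skimmer class identifiers and the attacker domain.
MEYHOD_IDENTIFIERS = ("yeikyd", "frydbt", "bfiyad")
MEYHOD_DOMAINS = ("jquerycloud.com",)
SCLASS_RE = re.compile(r'sClass\s*=\s*["\'](\w+)["\']')


class ScriptCollector(HTMLParser):
    """Collect external <script src> URLs and the bodies of inline <script> blocks."""

    def __init__(self):
        super().__init__()
        self.sources, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)
            else:
                self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)


def scan_page(html, allowed_hosts):
    """Return (finding, value) pairs: known skimmer hosts, unlisted script hosts, Meyhod identifiers."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.sources:
        host = urlparse(src).hostname or ""
        if host in MEYHOD_DOMAINS:
            findings.append(("known-skimmer-host", host))
        elif host and host not in allowed_hosts:  # third-party script the site did not approve
            findings.append(("unlisted-script-host", host))
    for body in collector.inline:
        findings.extend(("meyhod-identifier", i) for i in SCLASS_RE.findall(body) if i in MEYHOD_IDENTIFIERS)
        findings.extend(("known-skimmer-host", d) for d in MEYHOD_DOMAINS if d in body)
    return findings


# Constructed sample page: one approved CDN script, one script loaded from the attacker domain,
# and an inline stub carrying the Skimmer 1 identifier.
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.example-shop.test/checkout.js"></script>
<script src="https://jquerycloud.com/dovesfarm.js"></script>
<script>var sClass="yeikyd"; /* constructed stand-in, not skimmer code */</script>
</head><body></body></html>"""

if __name__ == "__main__":
    for finding in scan_page(SAMPLE_PAGE, {"cdn.example-shop.test"}):
        print(finding)
```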

As noted by RiskIQ, so far, the malware has not been attributed to any known Magecart group. None of its domain infrastructure, hosted with Alibaba, overlaps with other known groups.

Checking the host for the attacker's domain uncovered that it shared IPs with another underground fraud site called 'carderbazar[.]net', which was down at the time of writing:

My previous blog posts on the analysis of a campaign and a deep dive into the Magecart Collective can be found here and here.

Indicators of Compromise (IOCs):






