A new web skimmer, dubbed Meyhod, has been disclosed by RiskIQ. The malware (named after a typo in the code) appeared in October on several e-commerce sites, including the hair treatment company Bosley and the Chicago Architecture Center (CAC).
While investigating the attacker's domain (jquerycloud[.]com) a bit further, other potential victims of this campaign from some months ago were uncovered. These include Doves Farm UK, The Fruit Company, Customer Earth Promos, and - judging by the file names - potentially iCanvas or TFC:
Skimmer 2: Identifier - sClass="frydbt" - 'icanvas.js'
Skimmer 3: Identifier - sClass="bfiyad" - 'tfc.js'
Skimmer 1 - Listener:
Skimmer 2 and 3 - Listener:
The skimmers harvest the following fields: credit card number, card holder name, CVV, expiry day, month and year, billing address, company name, email address, phone number, and location details.
The skimmed data is encoded using custom functions before it is sent off to the attacker-owned server by an AJAX POST request.
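Because the payload is run through custom encoding functions, inspecting request bodies is unreliable; the stable signal on the client side is the destination of the AJAX POST. The following is an added example (not code from the original post or from RiskIQ) of a small monitor that wraps XMLHttpRequest and flags POSTs to hosts outside the site's own allowlist; the host names in ALLOWED_HOSTS and the page origin are assumed placeholder values.

```javascript
// Added example: client-side monitor for unexpected XHR POST egress, the
// path this skimmer uses (form listener -> custom encoding -> AJAX POST).

// Hosts the checkout page is expected to talk to (assumed placeholder values).
const ALLOWED_HOSTS = new Set(["shop.example", "api.shop.example"]);

// A request looks like skimmer egress when it is an HTTP(S) POST whose host
// is neither the page's own origin nor on the allowlist.
function isUnexpectedPost(method, url, pageOrigin, allowedHosts = ALLOWED_HOSTS) {
  if (String(method).toUpperCase() !== "POST") return false;
  let target;
  try {
    target = new URL(url, pageOrigin); // resolves relative URLs against the page
  } catch {
    return true; // an unparsable destination is itself worth flagging
  }
  if (!/^https?:$/.test(target.protocol)) return false;
  if (target.origin === new URL(pageOrigin).origin) return false;
  return !allowedHosts.has(target.hostname);
}

// Wrap XMLHttpRequest.prototype.open so every suspicious POST is reported
// (with a stack trace pointing at the calling script) and recorded.
// Returns the alert list so callers can inspect what was flagged.
function installXhrMonitor(xhrCtor, pageOrigin, report = console.warn) {
  const alerts = [];
  const origOpen = xhrCtor.prototype.open;
  xhrCtor.prototype.open = function (method, url, ...rest) {
    if (isUnexpectedPost(method, url, pageOrigin)) {
      alerts.push({ method, url: String(url), stack: new Error().stack });
      report(`possible skimmer egress: ${method} ${url}`);
    }
    return origOpen.call(this, method, url, ...rest);
  };
  return alerts;
}

// In a browser hook the real constructor; under Node there is none, so skip.
if (typeof XMLHttpRequest !== "undefined" && typeof location !== "undefined") {
  installXhrMonitor(XMLHttpRequest, location.origin);
}
```

The monitor only observes; in production the report callback would forward alerts to a beacon endpoint, and a restrictive Content-Security-Policy connect-src remains the enforcing control.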
As noted by RiskIQ, so far, the malware has not been attributed to any known Magecart group. None of its domain infrastructure, hosted with Alibaba, overlaps with other known groups.
Checking the hosting of the attacker's domain showed that it shared IPs with another underground fraud site, 'carderbazar[.]net', which was down at the time of writing:
Indicators of Compromise (IOCs):