Magecart steals credit information while bypassing detection

Threat actors behind Magecart credit card skimmer use browser script to evade the sandbox detection and malware researchers

Credit card skimmer evades detectionMalware has evolved to avoid virtual machines and researchers

The new campaign helps threat actors to avoid virtual machines, so criminals can access personal and credit card information.[1] Researchers reveal that the new campaign of the known stealer Magecart now uses the browser script that helps evade the virtual machine, sandbox, or researcher detection.[2] This is the malware that targets various machines for personal data and credentials that are valuable to steal.

By performing this in-browser check, the threat actor can exclude researchers and sandboxes and only allow real victims to be targeted by the skimmer.

Malwarebytes[3] tea reported that the newest campaign has extra features and unique functions to ensure the activity of the stealer cannot be noticed by security researchers. Using the browser script enables cybercriminals to aim only for real victims, not researchers who are using virtual machines. This way, Magecart attack runs undetected and can steal various details from victims' machines.

Magecart is the term used to describe the widely spread and known attacks that target various organizations, payment systems. Threat groups behind these attacks can aim to exploit security flaws on e-commerce systems and target particular enterprises or businesses.[4]

Threat actors use JavaScript code to exfiltrate details

The new campaigns related to browser processes use the cybercriminals reveal additional features helping this campaign get more successful. In most cases, threat actors behind these Magecart attacks reside in Russia and use the JavaScript code to inject various sites to exfiltrate customers' personal information when they check out online shopping.

The particular WebGL JavaScript API is used to check the targeted users' machines, so virtual machines do not get affected. With this check, actors can exclude any sandboxes used by researchers and skimmers only target real victims.

The Magecart breaches are difficult to detect in the first place, so many e-commerce companies and other organizations suffer from attacks without noticing. Servers get compromised by malicious actors, and hackers can run persistent week or month-long attacks stealing credentials without causing any suspicion. The researchers discovered this when the particular domain was analyzed.

The most popular method for evading detection

Finding the VMs used to catch the malware distributors before delivering malicious campaigns is a great bypassing technique. It is a popular method used to avoid getting activities detected. However, web-based threats do not do so often. Threat actors like this usually filter targets based on the location or user-agent strings. Criminals shift their methods commonly, and it is not new, but advanced changes and improvements mean that these activities can run undetected, so researchers need to adapt and improve their methods as well.

This credit card skimmer[5] collects various information that can be used later on. It is used to exfiltrate personal data by stealing details from the fields where customers fill their names, addresses, emails, phone numbers, and credit card details. Passwords used for online stores can also get stolen.

These details can be stored on particular hosts and used to infiltrate other sites or directly steal funds from the accounts attackers manage to hack. Such attacks have been on the rise since 2019, when researchers noticed malvertising and fraud campaigns related to Magecart attacks.

About the author
Gabriel E. Hall
Gabriel E. Hall - Passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.

Contact Gabriel E. Hall
About the company Esolutions