Cybersecurity researchers have shed light on a new digital skimmer campaign that uses Unicode obfuscation techniques to hide a skimmer called the Mongolian Skimmer.
“At first glance, what caught my eye was the obfuscation of the script, which seemed a bit odd because of all the accented characters,” Jscrambler researchers said in the analysis. “The heavy use of Unicode characters, many of them invisible, makes the code very difficult for humans to read.”
At its core, the script takes advantage of JavaScript's support for Unicode characters in identifiers to hide its malicious functionality.
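As an added example (not code from Jscrambler or the article), the following defender-side heuristic scans JavaScript source for the kind of Unicode identifier obfuscation described above: it tokenises identifiers loosely and flags those containing non-ASCII or invisible format-category characters (the zero-width joiner and non-joiner are legal in JavaScript identifiers). The thresholds and the two sample scripts are constructed assumptions for illustration.

```javascript
// Heuristic detector for Unicode-obfuscated JavaScript identifiers.
// Identifier = ID_Start char, then ID_Continue chars; JS additionally allows
// U+200C (ZWNJ) and U+200D (ZWJ), both invisible, inside identifiers.
const IDENT_RE = /[\p{ID_Start}$_][\p{ID_Continue}$\u200C\u200D]*/gu;
const INVISIBLE_RE = /\p{Cf}/u;      // Unicode "format" characters (invisible)
const NON_ASCII_RE = /[^\x00-\x7F]/;

// Remove comments and string literals so ordinary text content (which may
// legitimately contain accented letters) does not inflate the counts.
function stripLiterals(src) {
  return src
    .replace(/\/\*[\s\S]*?\*\//g, ' ')
    .replace(/\/\/[^\n]*/g, ' ')
    .replace(/(["'`])(?:\\.|(?!\1)[^\\\n])*\1/g, '""');
}

function analyzeScript(src) {
  const code = stripLiterals(src);
  const identifiers = code.match(IDENT_RE) || [];   // keywords included; fine for triage
  const unicodeIdents = new Set();
  let invisibleInIdentifiers = 0;
  for (const id of identifiers) {
    if (NON_ASCII_RE.test(id)) unicodeIdents.add(id);
    for (const ch of id) if (INVISIBLE_RE.test(ch)) invisibleInIdentifiers++;
  }
  const ratio = identifiers.length ? unicodeIdents.size / identifiers.length : 0;
  return {
    totalIdentifiers: identifiers.length,
    unicodeIdentifiers: unicodeIdents.size,
    invisibleInIdentifiers,
    ratio,
    // Assumed thresholds: any invisible character inside an identifier, or a
    // large share of non-ASCII identifiers, is worth an analyst's attention.
    suspicious: invisibleInIdentifiers > 0 || ratio > 0.3,
  };
}

// Constructed samples: a plain checkout helper, and a snippet obfuscated in the
// style described (accented letters plus zero-width characters in names).
const BENIGN = 'function total(cart) { return cart.items.reduce((s, i) => s + i.price, 0); }';
const OBFUSCATED =
  'var \u00e9\u200C\u00e7 = document; ' +
  'function \u00f1\u200D\u00fc(\u00e0) { return \u00e0.querySelector("#card"); } ' +
  '\u00f1\u200D\u00fc(\u00e9\u200C\u00e7);';

console.log(analyzeScript(BENIGN));      // suspicious: false
console.log(analyzeScript(OBFUSCATED));  // suspicious: true, 4 invisible chars
```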
The ultimate goal of the malware is to steal sensitive data entered on e-commerce checkout or admin pages, including financial information, which is then transmitted to a server controlled by the attacker.
The skimmer, which typically appears as an embedded script on compromised sites and fetches the actual payload from an external server, also attempts to evade analysis and debugging by disabling certain functionality when a web browser's developer tools are opened.
“The skimmer uses well-known techniques to ensure cross-browser compatibility, using both modern and legacy event handling techniques,” said Jscrambler’s Pedro Fortuna. “This ensures that it can target a wide range of users, regardless of their browser version.”
The client-side security and compliance company said it also observed what it called an “unusual” variant of the loader that only loads the skimmer script when user interaction events such as scrolling, mouse movements, and touch starts are detected.
This technique, it added, can serve as both an effective anti-bot measure and a way to ensure that loading the skimmer does not cause performance degradation.
One of the Magento sites compromised to deliver the Mongolian Skimmer is said to have also been targeted by another skimmer actor, with the two clusters of activity using source code comments to interact with each other and share profits.
“Maybe 50/50?”, one of the threat actors remarked on September 24, 2024. Three days later, another group replied: “I agree 50/50, you can add your code :)”
Then on September 30th, the first threat actor responded, saying, “Ok, how can I contact you? Do you have an exploit account? (sic),” likely referring to the Exploit cybercrime forum.
“The obfuscation techniques found on this skimmer might look to the untrained eye like a new obfuscation technique, but they are not,” Fortuna noted. “They used old methods to look more complicated, but they’re just as easy to change.”