Online Criminals Utilize Unicode to Conceal Mongolian Skimmer in Digital Commerce Platforms

Oct 10, 2024Ravie LakshmananCybercrime / Malware

Cybersecurity researchers have uncovered a new skimmer campaign that uses Unicode obfuscation techniques to hide a skimmer dubbed Mongolian Skimmer.

“Upon initial examination, the standout feature was the obfuscation of the script, which appeared peculiar due to the inclusion of various accented characters,” Jscrambler researchers said in an analysis. “The extensive application of Unicode characters, many of them unseen, indeed makes the code extremely challenging for humans to decipher.”

The script has been found to take advantage of JavaScript’s ability to use any Unicode character in identifiers, which lets it mask its malicious functionality behind variable and function names that a human cannot readily read.
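As an added example, not the page’s or Jscrambler’s code: a small Node.js triage helper that flags identifiers built from non-ASCII or invisible Unicode characters and maps each one to a readable ASCII name, which is all it takes to undo this kind of obfuscation. The SAMPLE script, the invisible-character list and the 0.3 threshold are constructed assumptions.

```javascript
// Added example, not the skimmer's code: heuristic triage for Unicode-obfuscated identifiers.
// Assumes Node.js (>= 10 for \p{} escapes). SAMPLE below is constructed for illustration.
// ECMAScript identifiers: ID_Start (plus $ and _) followed by ID_Continue characters;
// the spec additionally permits ZWNJ (U+200C) and ZWJ (U+200D) inside identifiers.
const IDENT_RE = /[\p{ID_Start}$_][\p{ID_Continue}$\u200C\u200D]*/gu;

// Code points that are valid in identifiers but render as nothing or as a blank:
// joiners, combining grapheme joiner, Hangul fillers, variation selectors (not exhaustive).
const INVISIBLE_RE = /[\u034F\u115F\u1160\u200C\u200D\u3164\uFE00-\uFE0F\uFFA0]/u;
const NON_ASCII_RE = /[^\x00-\x7F]/;

// Constructed sample: accented identifiers, one of them padded with a zero-width joiner.
const SAMPLE = [
  'const \u00e1\u0301\u200d = document.querySelector("form");',
  'const \u00e1\u0301 = \u00e1\u0301\u200d.elements;',
  'send(\u00e1\u0301);',
].join('\n');

// Distinct identifiers containing non-ASCII characters, mapped to whether they carry
// an invisible code point.
function suspiciousIdentifiers(source) {
  const seen = new Map();
  for (const m of source.matchAll(IDENT_RE)) {
    const id = m[0];
    if (NON_ASCII_RE.test(id) && !seen.has(id)) seen.set(id, INVISIBLE_RE.test(id));
  }
  return seen;
}

// Triage score: share of distinct tokens (keywords included, this is not a parser)
// that are non-ASCII, plus a count of those carrying invisible code points.
function analyze(source) {
  const total = new Set([...source.matchAll(IDENT_RE)].map(m => m[0])).size;
  const bad = suspiciousIdentifiers(source);
  const invisible = [...bad.values()].filter(Boolean).length;
  const ratio = total ? bad.size / total : 0;
  return { total, nonAscii: bad.size, invisible, ratio, flagged: invisible > 0 || ratio > 0.3 };
}

// Reverse the trick: give each non-ASCII identifier a stable ASCII name in order of
// first appearance. String contents with accented letters would be rewritten too,
// which is acceptable for triage.
function normalize(source) {
  const names = new Map();
  return source.replace(IDENT_RE, id => {
    if (!NON_ASCII_RE.test(id)) return id;
    if (!names.has(id)) names.set(id, `id_${names.size}`);
    return names.get(id);
  });
}

console.log(analyze(SAMPLE), '\n' + normalize(SAMPLE));
```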

The primary objective of the malware is to capture sensitive data entered on e-commerce checkout or admin pages, such as payment card details, and exfiltrate it covertly to a server under the attackers’ control.

The skimmer, which typically appears as an inline script on compromised websites that fetches the actual payload from an external server, also attempts to evade detection and debugging by disabling specific functions when a web browser’s developer tools are opened.

“The skimmer employs well-known strategies to ensure consistency across diverse browsers by utilizing both contemporary and outdated event-handling procedures,” mentioned Jscrambler’s Pedro Fortuna. “This approach ensures its reach extends to a broad spectrum of users, irrespective of their browser version.”

Mongolian Skimmer

The client-side protection and compliance company also pointed out an “abnormal” loader variant that loads the skimmer script only when user-interaction events such as scrolling, mouse movements, and touchstart are detected.

This approach, the company noted, could serve both as an effective anti-bot measure and as a way to ensure that loading the skimmer does not cause a noticeable performance hit.

Reports suggest that one of the Magento sites compromised to disseminate the Mongolian skimmer had also been targeted by a distinct skimmer actor, where the two clusters of activity employed source code comments to communicate and split the gains between them.

“50/50 maybe?,” remarked one of the threat actors on September 24, 2024. Three days later, the other group responded: “I agree 50/50, you can add your code :)”

Then, on September 30, the first threat actor replied, stating “Alright ) so how can I contact you though? U have acc on exploit? [sic],” likely alluding to the Exploit cybercrime forum.

“The obfuscation techniques found in this skimmer may have appeared like a novel obfuscation method to the untrained eye, but that wasn’t the case,” observed Fortuna. “It employed old tactics to create the impression of increased obfuscation, yet they are just as easily reversible.”
