I think I stumbled upon a novel digital skimmer/#magecart script still in development and figured I'd share all the code and (limited) infrastructure I've found so far. And I'll share the simple method to stop this technique dead (tweet 16 😉)

First, what makes it unique?

1/17
- Malicious payload is loaded over websockets
- Exfil over websockets
- A rather clever skimmer loader that I think may fool a lot of people
- CSS classes(!) being used to construct the URL

Intrigued? Great. Let's go

2/x
Let's look at the skimmer loader. Look like anything you're used to seeing? querySelector, className, Canvas ondraw? What in the world? Where's the script tag created?

3/x
Not surprisingly, most of that is a smoke screen, here's the deobfuscated skimmer loader. But wait, where in the world did that bulksuppchat[.]com (new domain as of ~6 days ago) URL come from? Answer: a span tag directly above the script tag.

4/x
Here's that span:

<span class="gray-hint bul-k-sup-pchat_c-om modernize css " style="display:none"></span>

Compare that to the code above and you can see how it was used to build the endpoint. Clever, no?

Here's both versions of the code and the span: gist.github.com/krautface/6f62…
In the deobfuscated code you can see the payload that is sent in. It provides the domain and the full URL you're on to the backend. Like other setups, if you're not on the checkout flow you get nothing malicious.

6/x
But if you're on a checkout URL you get the full payload, which contains the #magecart/skimmer code. It comes as a large base64 encoded string. You can also see two exfils that happen right away of form fields that just happen to be on that page.

7/x
After base64-decoding that payload and prettifying it, you get this script. It's almost 840 lines long and there's a fair amount of minified and somewhat obfuscated code.

8/x

gist.github.com/krautface/2c59…
Here is a copy I spent some time cleaning up. It's also executable in node now, with the addition of some libraries. Make sure to npm install atob and jsdom. Or just delete those first 19 lines.

9/x

gist.github.com/krautface/1bd0…
I'm not going to spend a ton of time on the code because I haven't reversed the whole thing and likely won't. Just going to point out a couple sections.

First, where I believe it builds its payload.

10/x
As far as I can tell, the FIELDS_FILTER and DEFAULT_TXT_FIELD values are something that could be passed in, but aren't, at least in the payload I was sent. That code also seems somewhat rudimentary. There are some skimmers that just grab all the form fields, but it can be a mess.
On exfil, it appears it "encrypts" the payload with an XOR. The string it uses is one of the ones at the very end of the code, what it refers to as the SPHASE variable.

12/x
Finally, what I think is the exfil code. Nothing too crazy here. It calls the XOR function above.

13/x
And that's all I'll highlight. Other stuff to look at, including the big crc32 table that's included for whatever reason.

As mentioned above, the infrastructure involved is just the one domain so far: bulksuppchat[.]com

14/x
I've been unsuccessful with my limited attempts to tie that domain or anything else here to any known groups, so if you have any thoughts I'd be very curious to hear it.

15/x
Also, not trying to hide anything but I did obscure the affected store. If you have a need to see this live, DM me.

The method to stop this attack: CSP. The connect-src setting in CSPs governs what websockets can connect to. So review your CSPs!

16/x
Finally, I said I think it's still in development. It didn't seem to work all the time. I had troubles actually getting it to exfil payment info, but I also wasn't completing the order with proper payment info, so maybe it was waiting for the page to unload or something.

17/17