Cybersecurity researchers have unveiled a new digital skimmer campaign that utilizes Unicode obfuscation to hide a malicious tool known as the Mongolian Skimmer.
According to an analysis by Jscrambler, the skimmer’s script features unusual obfuscation through the use of accented Unicode characters, making it challenging for humans to decipher. The malware leverages JavaScript's ability to employ any Unicode character in identifiers, allowing it to mask its malicious functions.
The primary objective of the skimmer is to steal sensitive information, including financial details, entered on e-commerce checkout or admin pages. This data is then exfiltrated to a server controlled by the attackers.
Typically, the skimmer appears as an inline script on compromised websites, fetching its actual payload from an external source. To evade detection and analysis, it disables certain functions when a web browser’s developer tools are opened.
Jscrambler’s Pedro Fortuna noted that the skimmer employs a mix of modern and legacy event-handling techniques, ensuring compatibility across various browsers. Additionally, an unusual loader variant activates the skimmer script only when user interactions—like scrolling or mouse movements—are detected. This method serves as an anti-bot measure and helps avoid performance issues on the affected sites.
One compromised Magento site delivering the Mongolian skimmer has also been targeted by another skimmer group. Communication between the two actors revealed a collaborative arrangement, with discussions about sharing profits: "50/50 maybe?" one hacker proposed.
While the exact method of delivery for the skimmer malware remains unclear, it is believed that attackers are exploiting misconfigured or vulnerable Magento or Opencart instances to gain access. Fortuna commented that multiple victim websites may have been breached through various means, possibly due to poor configurations or exploited vulnerabilities.
He added, "The obfuscation techniques found on this skimmer may have appeared novel to the untrained eye, but they are actually based on older methods, making them just as easy to reverse."