Threat actors are notorious for trying to hide their code in various ways, from binary packers to obfuscators. On their own, these tools are not always malicious, as they can also be used by companies or individuals who wish to keep their work safe from piracy, but overall they tend to be largely abused.

In the case of credit card skimmers in client-side attacks, obfuscators are a common occurrence as they can make code identification more difficult.

Defenders typically have the choice to either rely on the browser's debugger and step through the code, or can statically try to reverse it. The latter tends to be quite time consuming, but the former can often be problematic if the malware author adds anti-debugging routines.

Today, we look at a Magecart skimmer that uses Hunter, a PHP JavaScript obfuscator. During our investigation, we were able to discover a number of domains all part of the same infrastructure with custom skimmers for several Magento stores.

The attack relies on 2 steps: the first one is code injected inside the website's source that calls out a remote URL. That URL, in turn, loads the skimmer within the payment checkout process.

We notice a large blurb of code that contains some static elements and others that are uniquely generated. The 'eval' portion of the code is a clear giveaway that the random-looking string is being processed dynamically to return some instructions.
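Because the decoded instructions end up as an argument to `eval`, an analyst can recover them by shadowing `eval` with a function that only records what it is given. The following is an added example, not code from the original article: `makeSample`, `captureEvalLayers` and the shifted character-code encoding are constructed stand-ins and do not reproduce Hunter's real output format.

```javascript
const vm = require('node:vm');

// Constructed stand-in for an eval-wrapped script (NOT real Hunter output):
// character codes shifted by 3, joined with "z", decoded inside eval(...).
function makeSample(js) {
  const enc = Array.from(js, (ch) => ch.charCodeAt(0) + 3).join('z');
  return 'eval(function(s,k){return s.split("z").map(function(c){' +
    'return String.fromCharCode(c-k)}).join("")}("' + enc + '",3))';
}

// Returns each string the script hands to eval(), outermost layer first.
// The shadowed eval only records its argument, so decoded code is never run.
function captureEvalLayers(source, maxLayers = 5) {
  const layers = [];
  let current = source;
  // Only run text that still contains an eval( call; the final decoded
  // payload is returned for reading, not executed.
  while (layers.length < maxLayers && /\beval\s*\(/.test(current)) {
    let captured = null;
    const sandbox = {
      eval: (arg) => { if (captured === null) captured = String(arg); },
    };
    try {
      vm.runInNewContext(current, sandbox, { timeout: 1000 });
    } catch (err) {
      // Decoders may reference window/document, which do not exist here.
    }
    if (captured === null) break; // nothing reached eval: stop unwrapping
    layers.push(captured);
    current = captured;
  }
  return layers;
}

// Constructed, harmless two-layer sample.
const inner = 'var marker = "decoded-inner-layer";';
const sample = makeSample(makeSample(inner));
const layers = captureEvalLayers(sample);
console.log(layers.length, layers[layers.length - 1]);
```

Node's `vm` module is not a security boundary, so the decoder stub of a real sample should only be run this way inside a disposable analysis machine.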