
Mongolian skimmer uses Unicode to hide


Cybersecurity researchers have uncovered a new digital skimmer campaign, dubbed the Mongolian Skimmer, that relies on Unicode obfuscation to hide its code. The malware names its script identifiers with Unicode characters so that the code is hard to read and its malicious functionality is concealed. The main goal of the Mongolian Skimmer is to steal sensitive data entered on e-commerce checkout or admin pages, including financial information.
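The identifier trick is easy to see in practice. Modern JavaScript allows almost any Unicode letter in a variable or function name, so an obfuscator can rename every symbol to characters a reviewer cannot type or tell apart. Because identifiers are only names, renaming them consistently back to ASCII restores readability without changing behaviour. The following is an added example, not code from the Jscrambler report or from the skimmer itself: it scans a script for identifiers containing non-ASCII code points, reports them, and rewrites them to sequential ASCII names while leaving strings and comments untouched. The sample input is constructed for this example; its use of letters from the Mongolian Unicode block is an assumption suggested by the campaign's name, not something the article states.

```javascript
// Added example: find and normalize non-ASCII identifiers in a JavaScript source.
// Not the skimmer's code and not Jscrambler's tooling; a stand-alone illustration.
// Caveats: the scanner recognises comments and string/template literals but not
// regex literals or \uXXXX escapes inside identifiers, and it renames identifier
// tokens only, so a property accessed both as obj.name and obj["name"] would need
// manual follow-up.

const NON_ASCII = /[^\x00-\x7F]/;
// IdentifierName per ECMAScript: ID_Start (plus $ and _), then ID_Continue (plus $, ZWNJ, ZWJ).
const IDENT = /[$_\p{ID_Start}][$\u200C\u200D\p{ID_Continue}]*/gu;

// Split source into code, comment and string parts so we never rename inside a literal.
function splitCodeAndLiterals(src) {
  const parts = [];
  let i = 0, codeStart = 0;
  const flush = (end) => { if (end > codeStart) parts.push({ type: 'code', text: src.slice(codeStart, end) }); };
  while (i < src.length) {
    const c = src[i], n = src[i + 1];
    if (c === '/' && n === '/') {                      // line comment
      flush(i);
      let j = src.indexOf('\n', i); if (j < 0) j = src.length;
      parts.push({ type: 'comment', text: src.slice(i, j) }); i = codeStart = j; continue;
    }
    if (c === '/' && n === '*') {                      // block comment
      flush(i);
      let j = src.indexOf('*/', i + 2); j = j < 0 ? src.length : j + 2;
      parts.push({ type: 'comment', text: src.slice(i, j) }); i = codeStart = j; continue;
    }
    if (c === '"' || c === "'" || c === '`') {         // string or template literal
      flush(i);
      let j = i + 1;
      while (j < src.length && src[j] !== c) { if (src[j] === '\\') j++; j++; }
      j = Math.min(j + 1, src.length);
      parts.push({ type: 'string', text: src.slice(i, j) }); i = codeStart = j; continue;
    }
    i++;
  }
  flush(src.length);
  return parts;
}

// Report every distinct identifier that contains a non-ASCII code point.
function findNonAsciiIdentifiers(src) {
  const found = new Map();
  for (const part of splitCodeAndLiterals(src)) {
    if (part.type !== 'code') continue;
    for (const m of part.text.matchAll(IDENT)) {
      const name = m[0];
      if (!NON_ASCII.test(name)) continue;
      if (!found.has(name)) {
        const codePoints = [...name].map(ch => 'U+' + ch.codePointAt(0).toString(16).toUpperCase().padStart(4, '0'));
        found.set(name, { name, codePoints, count: 0 });
      }
      found.get(name).count++;
    }
  }
  return [...found.values()];
}

// Rewrite non-ASCII identifiers to prefixN, avoiding names already used in the source.
function normalizeIdentifiers(src, prefix = 'id') {
  const parts = splitCodeAndLiterals(src);
  const taken = new Set();
  for (const p of parts) if (p.type === 'code') for (const m of p.text.matchAll(IDENT)) taken.add(m[0]);
  const mapping = new Map();
  let n = 0;
  const rename = (name) => {
    if (!NON_ASCII.test(name)) return name;
    if (!mapping.has(name)) {
      let candidate;
      do { candidate = `${prefix}${n++}`; } while (taken.has(candidate));
      mapping.set(name, candidate);
    }
    return mapping.get(name);
  };
  const code = parts.map(p => (p.type === 'code' ? p.text.replace(IDENT, rename) : p.text)).join('');
  return { code, mapping: Object.fromEntries(mapping) };
}

// Constructed sample (assumption: Mongolian-block letters U+1820.. as the obfuscated names).
const SAMPLE = [
  '// constructed sample for this example, not the skimmer itself',
  'var \u1820\u1821 = document.querySelector("input[name=\'cc_number\']");',
  'function \u1822\u1823(\u1824) { return encodeURIComponent(\u1824.value); }',
  'var \u1825 = "\u1820\u1821 inside a string stays untouched";',
  'console.log(\u1822\u1823(\u1820\u1821), \u1825);',
].join('\n');

console.log(findNonAsciiIdentifiers(SAMPLE));
console.log(normalizeIdentifiers(SAMPLE).code);
```

Run it with Node 12 or later (it needs Unicode property escapes and `matchAll`). The report lists each obfuscated name with its code points, which is also a quick triage signal: legitimate first-party scripts on a store rarely use non-ASCII identifiers at all, so their mere presence in an inline script is worth a closer look.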

The stolen data is then sent to a server controlled by the attacker. The skimmer usually appears as a small inline script on compromised websites that fetches the actual payload from an external server.

The malware also tries to avoid analysis and debugging efforts by disabling certain functions when a web browser’s developer tools are opened. Pedro Fortuna from Jscrambler said, “The skimmer uses well-known techniques to ensure compatibility across different browsers by employing modern and legacy event-handling techniques. This guarantees it can target a wide range of users, regardless of their browser version.”

Jscrambler also found an unusual loader variant that only activates the skimmer script when user interaction events, such as scrolling and mouse movements, are detected.

Waiting for real user interaction could help the skimmer evade automated analysis, since bots and sandboxes often never generate such events, and it also keeps the skimmer from causing noticeable performance issues on the page.

Unicode hides malicious skimmer script

Among the compromised sites delivering the Mongolian skimmer is a notable Magento site.

Two separate groups of attackers apparently targeted the site. They communicated with each other through source code comments and agreed to split the profits. The exact way the skimmer malware is delivered to target websites is unclear.

However, researchers believe the attackers focus on misconfigured or vulnerable Magento or OpenCart instances. Fortuna said, “We have multiple victim websites, which might have been breached using different methods. We don’t know how they got there and could inject the web skimmer. Still, all signs point to compromised Magento or Opencart instances, either because they were poorly configured or had vulnerable components the attackers exploited to get in.”

Fortuna noted that the obfuscation techniques used by this skimmer are not new.

He said, “The obfuscation techniques found on this skimmer may have seemed like a new method, but that was not the case. It used old techniques to appear more obfuscated, but they are just as easy to reverse.”

This latest campaign shows that skimming operations continue to threaten e-commerce platforms even when their obfuscation is not novel. Website owners are advised to keep their platforms and installed components properly configured and up to date to avoid falling victim to such attacks.
