Polymorphic Magecart skimmer capable of attacking 57 payment systems uncovered

Researchers have described it as "the most advanced payments skimmer to date", tracing it back to Ukraine

Security researchers have discovered a new polymorphic Magecart skimmer that supports 57 different payment gateways worldwide.

According to Sanguine Security, the skimmer has a "global reach" and has been described by the security specialists as "the most advanced skimmer to date". It consists of a polymorphic loader and sophisticated exfiltration mechanism that "supports dozens of payment gateways".

In a blog post, the firm warned: "The skimmer uses jqueres.com as bootloader and exfiltration server. The domain points to a Ukraine-registered server. The loader has been injected into dozens of stores, with Puma Australia being the latest case."

Whenever a new attack pattern emerges, it usually takes six to 12 hours before stores across the globe are getting exploited

What makes this skimmer particularly dangerous is that it not only supports major payment gateways, such as Stripe, but also local payments systems.

"Effectively, this skimmer can be injected in various checkout pages and not require manual modification by the perpetrator," warned the researchers.

The most popular gateways identified are:

• Adyen (NL)
• Stripe (US)
• Pin Payments (AU)
• eWAY Rapid (AU)
• Heidelpay (DE)
• Generic CC payment
• Fat Zebra (AU)
• Radweb (UK)
• Braintree (US)
• Pagar.me (BR)
• Cryozonic Stripe (UK)
• Cartoes (ES)
• Authorize.Net (US)
• Cielo (BR)
• Secure Trading (UK)
• Paymetric (US)
• Moip (US)
• Ebanx (BR, MX)
• MundiPagg (BR)
• PagSeguro (BR)
• Payment Express (AU)

To avoid the code being located and cracked, the skimmer uses what the security specialists claim is polymorphic code. Sanguine continued: "The Jqueres loader contains redundant decoy words, such as selectDuration, pickFooter, optEmbed.

"However, a global search for the structure of this code (instead of the actual object names) yields dozens of similar cases."

The researchers went on to say they contain plausible but completely made-up keywords. Examples include:

• googleLabel
• updMsg
• propVersion
• cachefooter
• sortproc
• subCatalog
• sumMenu
• onClipboard
• optViewport
• targetscope
• appendtooltip
• setupScreen
• strictheight
• hashProcedure

They continued: "Nevertheless, in all cases the loader tests for "checkout" in the current adddress and injects an extra script source for jqueres.com/js/lib/jquery-1.10.2.min.js. Given a whitelisted referrer, this address serves the exfiltration code. Otherwise, an innocuous decoy is served."

Sanguine believes that the sophistication of this method "demonstrates the automated workflow of skimmers" and suggests that cyber crime groups are working collaboratively.

The researchers continued: "There is no way that a single person could study all of these localised payment systems in such detail."

They added: "New attack methods are literally discovered every week. Whenever a new attack pattern emerges, it usually takes six to 12 hours before stores across the globe are getting exploited. Because the timeframe is so small, you need an automated solution to identify and prevent attacks."

Delta is a new market intelligence service from Computing to help CIOs and other IT decision makers make smarter purchasing decisions - decisions informed by the knowledge and experience of other CIOs and IT decision makers.

Delta is free from vendor sponsorship or influence of any kind, and is guided by a steering committee of well-known CIOs, such as Charles Ewen, Christina Scott, Steve Capper and Laura Meyer.

Ten crucial technology areas are already covered at launch, with more data appearing and more areas being covered every week. Sign-up here for your free trial of the Computing Delta website.