New Cyber Threat: Mongolian Skimmer Campaign Revealed
Cybersecurity experts have recently uncovered a sophisticated digital skimmer campaign utilizing Unicode obfuscation techniques to deploy a skimmer known as “Mongolian Skimmer.” Researchers from Jscrambler noted that the obfuscated nature of the script raises eyebrows due to the extensive use of accented characters, rendering it exceedingly difficult for human analysts to interpret.
The Mongolian Skimmer takes advantage of the fact that JavaScript permits identifiers to contain Unicode characters beyond plain ASCII letters, using this to mask its malicious operations. This makes the underlying code challenging to decipher and offers a layer of obscurity that can aid in avoiding detection.
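The obfuscation trait described above (identifiers built from accented, non-ASCII characters) is something a defender can screen for statically before a script ever reaches a checkout page. The following is an added example, not code from Jscrambler or from the skimmer itself: a small heuristic scanner that tokenizes identifier-like runs with Unicode property escapes, ignores string literals and comments, and reports what share of the remaining identifiers contain non-ASCII characters. Both input scripts, the keyword list and the 30 percent threshold are constructed for this example.

```javascript
// Added example: heuristic detector for scripts whose identifiers are mostly
// non-ASCII (e.g. accented Latin letters). Not the skimmer's code and not a
// Jscrambler tool; the threshold and samples below are assumptions.

// Identifier-like tokens per the ID_Start / ID_Continue Unicode properties,
// which is what JavaScript itself uses to decide what may form a name.
const IDENT_RE = /[\p{ID_Start}$_][\p{ID_Continue}$\u200c\u200d]*/gu;

// Reserved words and a few very common names that should not count as
// "author-chosen" identifiers. Constructed list, not exhaustive.
const SKIP = new Set([
  'var', 'let', 'const', 'function', 'return', 'if', 'else', 'for', 'while',
  'new', 'this', 'typeof', 'true', 'false', 'null', 'undefined',
]);

// Crudely blank out comments and string literals so prose inside strings is
// not mistaken for identifiers. Good enough for a triage heuristic.
function stripLiteralsAndComments(src) {
  return src
    .replace(/\/\*[\s\S]*?\*\//g, ' ')
    .replace(/\/\/[^\n]*/g, ' ')
    .replace(/'(?:\\.|[^'\\\n])*'|"(?:\\.|[^"\\\n])*"|`(?:\\.|[^`\\])*`/g, '""');
}

// Count identifiers and how many of them contain at least one non-ASCII
// character. Returns counts, the ratio, and a few sample offenders for triage.
function analyzeIdentifiers(src) {
  const code = stripLiteralsAndComments(src);
  const tokens = code.match(IDENT_RE) || [];
  const idents = tokens.filter((t) => !SKIP.has(t));
  const nonAscii = idents.filter((t) => /[^\x00-\x7f]/.test(t));
  const ratio = idents.length ? nonAscii.length / idents.length : 0;
  return {
    total: idents.length,
    nonAscii: nonAscii.length,
    ratio,
    samples: [...new Set(nonAscii)].slice(0, 5),
  };
}

// Flag a script when a large share of its identifiers are non-ASCII.
// 0.3 is an assumed starting threshold; tune it against your own codebase,
// since legitimate localized code may contain some non-ASCII names.
function isSuspicious(src, threshold = 0.3) {
  return analyzeIdentifiers(src).ratio >= threshold;
}

// Constructed samples. The first mimics the accented-identifier style with
// harmless arithmetic; the second is ordinary ASCII code.
const SAMPLE_OBFUSCATED = `
var ñóë = 1;
function õú(ë) { return ë + ñóë; }
var result = õú(2);
`;

const SAMPLE_BENIGN = `
function add(a, b) { return a + b; }
var total = add(1, 2);
`;

// Usage: report on both samples.
for (const [name, src] of [['obfuscated', SAMPLE_OBFUSCATED], ['benign', SAMPLE_BENIGN]]) {
  const r = analyzeIdentifiers(src);
  console.log(name, r.nonAscii + '/' + r.total, 'non-ASCII identifiers', isSuspicious(src) ? 'FLAG' : 'ok', r.samples);
}
```

Run this over scripts served on checkout and admin pages (or over a content-security-policy report pipeline) and treat a hit as a prompt for manual review rather than a verdict: the ratio can be lowered by padding with ASCII names, and the page itself notes the technique is old and reversible, so this check complements rather than replaces script integrity controls such as Subresource Integrity and a strict CSP.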
The primary objective of this malware is to compromise sensitive data during e-commerce transactions. It targets information entered on checkout or administrative pages, specifically financial details, which are then transmitted to an attacker-controlled server. Typically, the skimmer injects an inline script into compromised websites, fetching its payload from external servers. To evade analytical scrutiny, the malware disables certain functions when a web browser’s developer tools are in use, further complicating debugging efforts.
Pedro Fortuna from Jscrambler pointed out that the skimmer employs both modern and legacy event-handling methods to ensure compatibility across varied web browsers. This tactic allows it to reach a broader user base, regardless of browser version. In addition, researchers observed an atypical loader variant that activates the skimmer script only when user interaction is detected, such as scrolling or mouse movements. This approach serves as both an effective anti-bot mechanism and a means to prevent performance degradation during user sessions.
Notably, one compromised Magento site associated with the Mongolian Skimmer has also been implicated in separate skimming operations, with evidence suggesting coordination between different threat actors. Conversations among these actors indicate a shared profit model, raising alarms about the collaborative nature of cybercriminal enterprises.
Attackers exploit vulnerabilities in improperly configured or flawed instances of platforms like Magento and Opencart to gain entry and deploy the skimmer. Although the exact delivery method of the skimmer malware remains unclear, the findings suggest a pattern of compromise through vulnerable components.
While the obfuscation techniques utilized by the Mongolian Skimmer may initially appear to be novel, Fortuna indicated they are largely based on older methods and, thus, are not immune to reverse engineering. This revelation underscores the ongoing need for vigilance in website security, particularly concerning e-commerce platforms where financial transactions occur.
As businesses continue to navigate the complexities of the digital landscape, staying informed about emerging threats such as the Mongolian Skimmer is crucial. Understanding the tactics and techniques outlined in the MITRE ATT&CK framework can further enhance security postures and preparedness against such sophisticated cyber threats.