Researchers at Jscrambler have uncovered a new skimming campaign dubbed the “Mongolian Skimmer.”
This malware, initially detected through intelligence shared by Sansec, distinguishes itself through its use of unusual Unicode characters to obfuscate JavaScript code.
Although at first glance, this may seem like a novel technique, Jscrambler’s experts quickly identified it as a straightforward tactic relying on JavaScript’s capability to use any Unicode character in variable and function names.
Obfuscation as a Disguise, Not a Defense
The Mongolian Skimmer’s obfuscation methods raised eyebrows due to its odd mix of accented characters, leading some to question whether it might be a new technique.
However, the was not the case, and it is easily unraveled by automated tools that simplify variable names. The researchers said this “potent” obfuscation can confuse human readers but really offers minimal resilience against automated reverse engineering methods.
By running the code through Jscrambler’s Code Integrity tool, they could quickly convert the characters to simpler, readable identifiers.
While examining the script, the Jscrambler team noticed an identifier that began with the hex code “E1A0A5,” representing the Unicode “Mongolian Letter OE.” This unusual choice inspired the nickname “Mongolian Skimmer” for the campaign.
The Anatomy of the Mongolian Skimmer
The skimmer itself follows a fairly common pattern, well-known to researchers:
- DOM Monitoring: The skimmer constantly monitors changes to input fields such as <input>, <select>, and <textarea>. By tracking these elements, it targets sensitive data such as personal and payment details.
- Data Exfiltration: Once on sensitive pages like “checkout” or “admin,” the malware collects and encodes data using Base64, then sends it to a remote server through a tracking pixel, a classic tactic in the skimming world.
- Developer Tools Detection: To avoid detection, the skimmer can identify when developer tools are open and adjust its behavior accordingly, which is likely an attempt to prevent analysis during debugging.
- Final Data Capture: Before users navigate away, the skimmer captures last-minute data entries using the beforeunload event to ensure no information is lost.
- Cross-Browser Compatibility: The malware ensures it can reach a broad audience by using both legacy and modern event-handling techniques, enabling it to operate across a wide range of browser versions.
- Anti-Debugging Techniques: The skimmer checks its own formatting using string conversions and regex to detect tampering, thereby making debugging more difficult.
Loader Variations in the Wild
Most instances of the Mongolian Skimmer were found in inline scripts on homepages, fetching the skimming code from an external source.
However, one example stood out for using a loader script embedded within the “Magento 2 Google Tag Manager” plugin by MageFan.
This loader only activates when it detects user interactions, such as scrolling or mouse movements, which cuts the chance of bot detection and limits the impact on page performance.
An Unusual Twist
In a particularly unusual twist, researchers discovered multiple skimming instances on a single compromised site. Jscrambler identified the Mongolian Skimmer as well as a different skimmer variant.
Even more surprising, the two bad actors appeared to be communicating through code comments, agreeing to share the profits. This bizarre “cyber chit-chat” highlights the shared vulnerabilities exploited by different malefactors in these attacks.
Old Tricks, New Targets
Ultimately, the Mongolian Skimmer demonstrates how malicious actors continually repurpose old techniques, masking their malicious intent with superficial changes to mislead and evade detection.
Despite the obscure Unicode characters, the underlying skimmer structure is all too familiar, capitalizing on misconfigured or vulnerable systems like Magento.
For entities and security teams, this new skimming threat spotlights the importance of robust defenses and regular updates to web security protocols.
By staying vigilant and deploying advanced security tools, companies can better detect and neutralize these increasingly sophisticated forms of digital theft.
For the full report on Jscrambler’s findings and additional details on the Mongolian Skimmer campaign, visit Jscrambler’s website.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.