Magecart Credit Card Skimmer Avoids VMs to Fly Under the Radar
2021-11-04 12:51

A new Magecart threat actor is stealing people's payment card info from their browsers with a digital skimmer that uses a unique form of evasion to bypass virtual machines, so that it targets only actual victims and not security researchers.

Detecting VMs used by security researchers and sandboxing solutions that are set to pick up Magecart activity is "the most popular method" used to evade detection, Segura said.

Specifically, the skimmer checks for the presence of the words swiftshader, llvmpipe and virtualbox because of the VMs that different browsers use, he said.
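
For defenders, those three words make a simple triage signal when reviewing scripts served on checkout pages. The following is an added example, not code from Malwarebytes or the original article: a Node.js check that finds the keywords even when they are hex-escaped or split across concatenated strings; the function names and sample scripts are constructed for illustration.

```javascript
// Added example: static triage for the VM-check keywords named in the article.
const VM_KEYWORDS = ["swiftshader", "llvmpipe", "virtualbox"]; // from the article

// Decode \xNN and \uNNNN escapes so encoded string literals become readable.
function decodeEscapes(src) {
  const toChar = (_, hex) => String.fromCharCode(parseInt(hex, 16));
  return src
    .replace(/\\x([0-9a-fA-F]{2})/g, toChar)
    .replace(/\\u([0-9a-fA-F]{4})/g, toChar);
}

// Join adjacent string literals: "swift" + 'shader' becomes "swiftshader".
function joinConcats(src) {
  const pair = /(["'])((?:(?!\1)[^\\\n])*)\1\s*\+\s*(["'])((?:(?!\3)[^\\\n])*)\3/;
  let prev;
  do {
    prev = src;
    src = src.replace(pair, (_, q1, a, q2, b) => JSON.stringify(a + b));
  } while (src !== prev); // each pass removes one "+", so this terminates
  return src;
}

// Return the keywords present in a script after normalisation (case-insensitive).
function findVmChecks(src) {
  const text = joinConcats(decodeEscapes(src)).toLowerCase();
  return VM_KEYWORDS.filter((k) => text.includes(k));
}

// Constructed sample scripts (not taken from any real skimmer).
const SAMPLES = {
  benign: 'document.querySelector("#email").focus();',
  plain: "if (/swiftshader|llvmpipe|virtualbox/i.test(r)) return;",
  obfuscated: 'var k = ["\\x73wift" + "shad" + \'er\', "LLVM" + "pipe"];',
};

for (const [name, src] of Object.entries(SAMPLES)) {
  console.log(name, findVmChecks(src));
}
```

A match is a reason to review the script rather than a verdict, since legitimate bot-detection code may inspect the same renderer names.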

If the targeted machine passes the check, the skimmer then extracts personal data in a typical way for such campaigns, scraping a number of fields including the customer's name, address, email and phone number as well as their credit-card data.

The skimmer also collects any password used for online stores on which the person has registered an account, the browser's user-agent and a unique user ID. It then encodes the data and sends it to the same site hosting the skimmer using a single POST request, Segura wrote.

Malwarebytes has included the skimmer code as well as a comprehensive list of indicators of compromise in its post to help people avoid being targeted and compromised by the campaign.


News URL

https://threatpost.com/magecart-credit-card-skimmer-avoids-vms-to-fly-under-the-radar/175993/