Latest Phishing Surge Exploits GitHub, Telegram Bots, and QR Codes
"The first thing we noticed was that the script was super jumbled with a bunch of accented characters that just looked weird," the folks at Jscrambler said when they checked it out. "They're using these sneaky Unicode characters that you can't even see to make the code impossible for regular people to read."
So, what's this nasty script all about? It's a clever little trick that takes advantage of JavaScript accepting a huge range of Unicode characters in identifiers, including ones that render as nothing at all. The whole idea is to hide what it's really doing, which is basically stealing your juicy info, like credit card numbers and whatnot, when you're checking out at online shops or fiddling around on admin pages.
This skimmer is a sneaky bugger, too. It shows up on websites that have been hacked and gets the job done no matter what browser you're using. It even has a cool feature where it does nothing at all if the page is loaded but never interacted with, which is exactly how an automated scanner usually sees it. That's some ninja-level dodging right there.
Pedro Fortuna, who's a part of the Jscrambler team, pointed out that the skimmer is like a chameleon with its event handling. "It uses all sorts of new and old tricks to work on different browsers," he said. "This way, it can go after pretty much everyone, no matter what they're using to surf the web."
And get this, they found a version that only wakes up when you're actually moving around the page, like scrolling or waving your mouse like you're conducting an invisible orchestra. Tying activation to real user events keeps the skimmer under the radar of bots that just load the page, and it means the skimmer doesn't slow down the site for you.
One website using Magento had the bad luck of being hit by not one, but two different groups of skimmers. They were playing nice, though—leaving each other messages in the code like, "Hey, we'll split the loot 50/50, cool?" and "Alright, just let me know where I can find you to talk shop!"
But don't be fooled by all the fancy hiding stuff. Fortuna said it's not as complex as it looks and that they can totally crack it open. It's like they're using old school tricks to make it seem more high-tech than it really is.
They're not sure how these skimmers got on the websites, but they've got a hunch it's because of some security oopsies in Magento or Opencart. "We've seen this happen on a few different sites, so it's probably a mix of easy-to-find flaws or someone just not setting things up right," Fortuna told The Hacker News. "We're still looking into it, but it seems like these e-commerce platforms are their favorite playgrounds."