
New Credit Card Skimming Campaign Uses Browser Extensions to Steal Financial Data

A newly discovered credit card skimming campaign, dubbed “RolandSkimmer,” is exploiting browser extensions to exfiltrate sensitive financial data.

This advanced malware has been observed targeting users primarily in Bulgaria and operates across popular web browsers, including Chrome, Edge, and Firefox.

The campaign leverages deceptive techniques to establish persistence, evade detection, and steal payment information.

Attack Methodology: From LNK Files to Browser Extensions

The infection begins with a malicious ZIP file named “faktura_3716804.zip,” which contains a shortcut file (“faktura_1065170.lnk”).

When executed, this LNK file runs obfuscated VBScript commands via the Windows utility mshta.exe.

[Figure: LNK file]

The script establishes communication with a command-and-control (C2) server hosted at “invsetmx[.]com” and downloads additional payloads disguised as image files.

These payloads contain encoded scripts that execute commands directly without writing files to disk, enhancing stealth.

Once embedded, RolandSkimmer conducts extensive reconnaissance of the victim’s system, gathering details such as CPU specifications, memory size, operating system information, and browser configurations.

[Figure: Victim’s log]

The malware specifically targets browser extensions by downloading XOR-encoded files categorized by browser type.

For Chrome and Edge users, these files are decoded using the key “andromeda” and saved locally as malicious components like manifest.json, background.js, and background2.js.

The malicious browser extensions are disguised under names like “Disable Content Security Policy,” claiming to bypass website protections.

These extensions request invasive permissions, such as intercepting network requests (declarativeNetRequest), manipulating browsing data (browsingData), controlling tabs (tabs), and storing local data (storage).

These permissions enable the malware to monitor user activity comprehensively and execute background scripts for data theft.
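An added triage helper for the payload and extension traits described above (not Fortinet’s code and not anything recovered from the campaign): it XOR-decodes a downloaded blob with the repeating key the report names and flags a manifest.json whose name or permission set matches the described extension. The plain repeating-key layout, the sample manifest and the scoring threshold are assumptions.

```python
import json

# Key the report gives for the Chrome/Edge payload files.
XOR_KEY = b"andromeda"

# Permissions the report lists for the "Disable Content Security Policy" extension.
SUSPICIOUS_PERMISSIONS = {"declarativeNetRequest", "browsingData", "tabs", "storage"}


def xor_decode(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR. Assumed layout (plain repeating key, no header); XOR is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def triage_manifest(manifest_bytes: bytes) -> dict:
    """Score a decoded manifest.json against the traits described in the report."""
    m = json.loads(manifest_bytes)
    name = m.get("name", "")
    matched = sorted(set(m.get("permissions", [])) & SUSPICIOUS_PERMISSIONS)
    background = m.get("background", {})
    scripts = list(background.get("scripts", []))  # MV2 style
    if "service_worker" in background:                # MV3 style
        scripts.append(background["service_worker"])
    name_hit = "content security policy" in name.lower()
    return {
        "name": name,
        "matched_permissions": matched,
        "background_scripts": scripts,
        # Heuristic threshold (assumption): name match, or 3+ of the 4 listed permissions.
        "suspicious": name_hit or len(matched) >= 3,
    }


def triage_encoded_blob(blob: bytes, key: bytes = XOR_KEY) -> "dict | None":
    """Decode a downloaded blob and triage it; None means it did not decode to a JSON manifest."""
    try:
        return triage_manifest(xor_decode(blob, key))
    except ValueError:  # covers JSONDecodeError and UnicodeDecodeError
        return None


# Constructed sample (not a real campaign artifact): a manifest shaped like the described extension.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Disable Content Security Policy",
    "version": "1.0",
    "permissions": ["declarativeNetRequest", "browsingData", "tabs", "storage"],
    "background": {"service_worker": "background.js"},
}).encode()
ENCODED_SAMPLE = xor_decode(SAMPLE_MANIFEST)  # what an analyst would pull from the download

if __name__ == "__main__":
    print(triage_encoded_blob(ENCODED_SAMPLE))
```

A blob that does not decode to JSON under this key returns None, which is the signal to try another key or treat the file as something other than a manifest.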

Data Exfiltration Techniques

RolandSkimmer actively monitors web pages for input fields containing sensitive payment information, such as credit card numbers.

According to Fortinet, it binds to form submission events and intercepts user input before submission.

Stolen data is sent to the C2 server via HTTPS requests with parameters specifying site identifiers, captured form data, and credit card numbers.

To ensure persistence, the attackers replace legitimate browser shortcuts with modified ones that load the malicious extensions.

For Edge users, the legitimate executable (msedge.exe) is copied into a concealed folder (%APPDATA%\Edge SxS), while Firefox users are targeted with preconfigured malicious profiles containing extensions like Tampermonkey.

Indicators of Compromise (IoCs)

Security researchers have identified several IoCs associated with this campaign:

Command-and-Control Servers

  • invsetmx[.]com
  • fzhivka-001-site1[.]btempurl.com
  • exmkleo[.]com
  • bg3dsec[.]com

Malicious Files (SHA256 hashes)

ZIP Files:

  • 80e0aa05ffd973decf9b7f435c5a44574e4c8314c152c7a09e00c821828fe515

LNK Files:

  • 86fedcd08d32eeff8a4caa9c2d4ae65b6cea89698570e8ce172a4e82c7f296f1

Scripts:

  • 4a852420ca4a32d9ade0a50b8e24d6fc4886151c44477a62ee961ce880b1f8d2

The RolandSkimmer campaign highlights the increasing sophistication of credit card skimming attacks.

By abusing legitimate system features such as LNK shortcut files and browser extensions, attackers achieve persistence while evading detection.

Organizations are advised to restrict unverified extensions, monitor unusual script activity, and educate users about phishing risks associated with unknown files.

Fortinet’s security solutions have detected and blocked this malware under classifications such as LNK/Agent.96F1!tr and JS/Agent.SOM!tr.

For comprehensive protection against such threats, organizations should implement robust antivirus services and maintain up-to-date security measures.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
