Monday, May 12, 2025
HomeMalwareHackers using New Evasion Techniques in Web Skimmers To Bypass the Detection...

Hackers using New Evasion Techniques in Web Skimmers To Bypass the Detection & Steal Credit Card Data

Published on

SIEM as a Service

Follow Us on Google News

Researchers discovered a new evasion technique used by attackers in client-side web skimmer to bypass their conceal their fraudulent activity.

Recently, a security researcher revealed a steganography-based credit card skimmer in which they found that the attackers uploads or modifies an existing image and appends the JS code.

With this Steganography technique, attackers hiding malicious code inside of the picture files, and it is a great way to go undetected the malformed files, and it has mainly used to target the eCommerce sites.

- Advertisement - Google News
Web Skimmer

There is one chance to figure out the file whether it is malformed are not is by analysing the additional data found at the end of the normal file.

Skimmers Found in Steganographic Images

Researchers from Malwarebytes analyzed the sample malformed steganographic image in a hex editor, and find the extra data was added after the final segment.

Web Skimmer

By analyzing the strings such as onestepcheckout or authorizenet, research confirmed that this is the credit-card skimming code.

According to Malwarebyte’s research, All compromised sites we found using a steganographic skimmer were injected with similar code snippets (typically after the footer element or Google Tag Manager) to load the fake image and parse its JavaScript content via the slice() method.

There are several following artifacts researchers observed from the web skimmer.

  • Skimmer code injected directly into a compromised site (JavaScript in the DOM)
  • Skimmer code loaded from an external resource (script tag with src attribute)
  • Exfiltration of the stolen data (HTTP GET or HTTP POST requests with encoded data)

Attackers cleverly using a WebSocket, a communication protocol to conceal a connection to a server controlled by the criminals over a WebSocket.

Once the malicious Javascript code runs in the browser, it triggers the client handshake request and a series of bidirectional messages will be exchanged between the client (victim’s browser) and server (malicious host).

Later a Javascript code turns into the credit card skimming code and it performs exfiltration attempts with the help of WebSockets from the form fields present on the checkout page.

Web Skimmer
The WebSocket messages, downloading the skimmer and then leaking CC data

“The techniques give headaches for defenders and give some threat actors additional time to carry on their activities without being disturbed. But as mentioned before, this kind of cat-and-mouse game was to be expected in the light of regular new publications on Magecart and web skimmer.” Malwarebytes said.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Lumma Stealer Upgraded with PowerShell Tools and Advanced Evasion Techniques

Sophos Managed Detection and Response (MDR) in September 2024, the notorious Lumma Stealer malware...

New Noodlophile Malware Spreads Through Fake AI Video Generation Platforms

Cybercriminals have unleashed a new malware campaign using fake AI video generation platforms as...

Kimsuky Hacker Group Deploys New Phishing Techniques and Malware Campaigns

The North Korean state-sponsored Advanced Persistent Threat (APT) group Kimsuky, also known as “Black...

APT37 Hackers Use Weaponized LNK Files and Dropbox for Command-and-Control Operations

The North Korean state-sponsored hacking group APT37, also known as ScarCruft, launched a spear...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Lumma Stealer Upgraded with PowerShell Tools and Advanced Evasion Techniques

Sophos Managed Detection and Response (MDR) in September 2024, the notorious Lumma Stealer malware...

New Noodlophile Malware Spreads Through Fake AI Video Generation Platforms

Cybercriminals have unleashed a new malware campaign using fake AI video generation platforms as...

Kimsuky Hacker Group Deploys New Phishing Techniques and Malware Campaigns

The North Korean state-sponsored Advanced Persistent Threat (APT) group Kimsuky, also known as “Black...