Threat Watch

New Magecart Digital Skimmer Avoids Virtual Machines

According to researchers at Malwarebytes, a new Magecart credit card skimmer has been circulating that is designed to avoid virtual machines and sandboxes. Unlike most Magecart skimmers, it includes an extra browser process that uses the WebGL JavaScript API to check that the browser is not running on a virtual machine (VM) or in a sandbox. In this campaign, the skimmer queries the WebGL JavaScript API for the name of the targeted machine’s graphics renderer, which gives it the information it needs to discern whether a VM is present. If the targeted machine passes the check, the skimmer extracts personal data in the way typical of such campaigns, scraping a number of fields including the customer’s name, address, email, and phone number as well as their credit card data. The skimmer also collects any password used for online stores on which the person has registered an account, the browser’s user agent, and a unique user ID. It then encodes the data and sends it to the same site hosting the skimmer using a single POST request.
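A defender-side illustration of the behaviour combination described above, as an added example that is not from Malwarebytes or the original article: a static triage pass that flags script source combining a WebGL renderer query with form-field reads and a POST. The pattern lists, verdict names and sample scripts are constructed assumptions.

```javascript
// Added example: static triage for the behaviour combination described above.
// Pattern lists are assumptions for illustration, not indicators from the research.
const SIGNALS = {
  // WebGL extension and parameter that expose the graphics renderer name
  rendererProbe: [/WEBGL_debug_renderer_info/, /UNMASKED_RENDERER_WEBGL/],
  // Reading form inputs from the page
  fieldRead: [/querySelector(All)?\(\s*['"`][^'"`]*input/i,
              /getElementsByTagName\(\s*['"`]input/i],
  // Sending data out with a POST request
  postBack: [/method\s*:\s*['"`]POST['"`]/i, /\.open\(\s*['"`]POST['"`]/i],
};

// Returns which signal groups matched and a triage verdict for one script.
function triageScript(source) {
  const hits = Object.keys(SIGNALS).filter((name) =>
    SIGNALS[name].some((re) => re.test(source)));
  const has = (name) => hits.includes(name);
  let verdict = 'no-signal';
  if (has('rendererProbe') && has('fieldRead') && has('postBack')) {
    verdict = 'review-now'; // environment check + form scraping + POST
  } else if (has('rendererProbe')) {
    verdict = 'fingerprinting-only'; // common in graphics and analytics code
  } else if (has('fieldRead') && has('postBack')) {
    verdict = 'form-handler'; // normal checkout code looks like this
  }
  return { hits, verdict };
}

// Constructed samples (not taken from the campaign).
const SAMPLES = {
  'checkout.js': `const f = document.querySelectorAll('form input');
    fetch('/api/order', { method: 'POST', body: new FormData(form) });`,
  'game-quality.js': `const ext = gl.getExtension('WEBGL_debug_renderer_info');
    const gpu = gl.getParameter(ext.UNMASKED_RENDERER_WEBGL);`,
  'unknown-tag.js': `const e = g.getExtension('WEBGL_debug_renderer_info');
    const r = g.getParameter(e.UNMASKED_RENDERER_WEBGL);
    const v = document.getElementsByTagName('input');
    x.open('POST', u);`,
};

// Maps each script name to its verdict.
function triageAll(samples) {
  return Object.fromEntries(Object.entries(samples)
    .map(([name, src]) => [name, triageScript(src).verdict]));
}

console.log(triageAll(SAMPLES));
```

String matching of this kind only sees what is in clear text, so obfuscated scripts need to be deobfuscated before triage, and a `review-now` result is a prompt for manual analysis rather than a conviction.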

ANALYST NOTES

One way for consumers to protect online purchases is to use virtual credit cards. By doing this, cardholders can generate a unique, one-time use credit card number to use for each purchase. When a consumer purchases something online and the virtual card number gets skimmed, the attacker does not receive the actual card number, and they will be unable to use the virtual number for any fraudulent purchases. This will save the user the hassle of canceling a credit card and getting a new one shipped to them. Consumers can also consider using different credit cards for online shopping, shopping in stores, and recurring payments. If one card is compromised, it is easy to switch to using another card until the bank issues a replacement for the compromised card. Researchers have released information about the attack that can help anyone identify if they have been a victim of this attack. This information can be found here: https://blog.malwarebytes.com/threat-intelligence/2021/11/credit-card-skimmer-evades-virtual-machines/.

Magecart Credit Card Skimmer Avoids VMs to Fly Under the Radar