Introduction

Cybersecurity researchers have uncovered a sophisticated digital skimmer campaign [6] [7], dubbed the Mongolian Skimmer [1] [2] [3] [4] [5] [6] [7] [8] [9], which utilizes advanced Unicode obfuscation techniques to hide its malicious scripts and identity. This campaign is notable for its use of accented and largely invisible Unicode characters, complicating code analysis and evading traditional security measures.

Description

Cybersecurity researchers have identified a sophisticated digital skimmer campaign known as the Mongolian Skimmer [7], which employs advanced Unicode obfuscation techniques to conceal its malicious scripts and identity. The campaign is characterized by extensive use of accented characters and largely invisible Unicode characters, which make the code difficult for humans to read and complicate analysis; complex strings add to the effect. By leveraging these obfuscation methods, the skimmer obscures its malicious intent and evades traditional security measures, allowing it to operate undetected.

The primary objective of the Mongolian Skimmer is to capture sensitive financial information [2], including credit card details and personal identification data [7], entered during e-commerce checkout processes or on admin pages. This data is subsequently exfiltrated to attacker-controlled servers [5]. The skimmer typically manifests as an inline script on compromised websites [5], monitoring the Document Object Model (DOM) for changes in input fields, which are the primary targets for sensitive information collection. It fetches its payload from external servers to maintain stealth and implements common skimming techniques, such as monitoring form inputs, particularly payment fields, and utilizing encoded tracking pixels for data exfiltration.

To evade detection [1] [7] [9], the skimmer incorporates anti-debugging measures that disable certain functions when a web browser’s developer tools are activated [2]. It also checks the page URL for keywords such as “checkout” or “admin,” so that it runs on the pages most likely to carry sensitive data. A notable variant activates only on user-interaction events [5], such as scrolling or mouse movements [5] [7] [9]; this serves as an anti-bot measure that avoids detection by automated analysis [5] and also minimizes performance impact [5] [9]. This approach reflects the attackers’ efforts to make their operations subtler and harder to detect. The skimmer captures final data entries using the beforeunload event and ensures compatibility across browsers by employing both modern and legacy event-handling techniques.

Despite the obfuscation methods employed, the underlying code remains typical of skimmer malware often found in vulnerable or misconfigured Magento installations [9], making it relatively easy to reverse-engineer. The obfuscation was analyzed using Jscrambler’s Code Integrity product [4], which renamed identifiers to simpler names [4], revealing the hidden skimmer embedded within the code [4]. This evolution in cybercriminal tactics underscores the need for enhanced security measures on e-commerce platforms and increased consumer vigilance against such threats [7]. As cybercriminals continuously refine their methods [1], understanding techniques like Unicode obfuscation becomes essential for protecting personal and financial information [1]. Additionally, communication between different threat actors has been observed [5], with some groups collaborating through code comments to exploit vulnerabilities and share proceeds, further complicating the cybersecurity landscape. Users are advised to keep their content management systems, such as Magento [8], updated to the latest releases to mitigate these risks.
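The identifier-level obfuscation described above, and the renaming step that exposed the skimmer during analysis, can be reproduced with a small scanner. The following is an added example written for this page, not code from the campaign or from any cited analysis; the sample script, the functions findSuspiciousIdentifiers and renameSuspiciousIdentifiers, and the id0/id1 naming scheme are constructed for illustration.

```javascript
// Added example, not code from the campaign or any cited analysis.
// Flags JavaScript identifiers built from accented or invisible Unicode
// characters (the obfuscation style attributed to the Mongolian Skimmer)
// and renames them to plain ASCII names so the logic underneath is readable.

// ECMAScript identifier grammar: an ID_Start character followed by ID_Continue
// characters; $, _, ZWNJ (U+200C) and ZWJ (U+200D) are also permitted.
const IDENT_RE = /[\p{ID_Start}$_][\p{ID_Continue}$\u200C\u200D]*/gu;
// Format characters (category Cf) render as nothing, e.g. zero-width joiners.
const INVISIBLE_RE = /\p{Cf}/u;
// Anything outside ASCII covers accented and look-alike letters.
const NON_ASCII_RE = /[^\x00-\x7F]/;

// Return each distinct identifier that uses invisible or non-ASCII characters,
// with the reason and its code points so an analyst can see what is hidden.
function findSuspiciousIdentifiers(source) {
  const seen = new Map();
  for (const m of source.matchAll(IDENT_RE)) {
    const name = m[0];
    if (seen.has(name)) continue;
    const reason = INVISIBLE_RE.test(name) ? 'invisible'
                 : NON_ASCII_RE.test(name) ? 'non-ascii' : null;
    if (!reason) continue;
    const codepoints = [...name].map(
      c => 'U+' + c.codePointAt(0).toString(16).toUpperCase().padStart(4, '0'));
    seen.set(name, { name, reason, codepoints });
  }
  return [...seen.values()];
}

// Rewrite every flagged identifier to id0, id1, ... (the renaming step the
// analysis describes). Token-level replacement: ASCII identifiers and string
// contents are untouched unless a flagged name appears literally inside them.
function renameSuspiciousIdentifiers(source) {
  const flagged = findSuspiciousIdentifiers(source);
  const names = new Map(flagged.map((f, i) => [f.name, `id${i}`]));
  return source.replace(IDENT_RE, tok => names.get(tok) ?? tok);
}

// Constructed sample in the same spirit: an accented variable name and a
// function name containing a zero-width joiner between "g" and "et".
const SAMPLE = [
  'var \u00F3b\u00F3 = document;',
  'function g\u200Det(e){ return e.value; }',
  'if (location.href.indexOf("checkout") !== -1) { g\u200Det(\u00F3b\u00F3.forms[0]); }',
].join('\n');

console.log(findSuspiciousIdentifiers(SAMPLE));
console.log(renameSuspiciousIdentifiers(SAMPLE));
```

The scanner only looks at identifier tokens, so a production version would need a real tokenizer to avoid touching string literals and comments.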

Conclusion

The Mongolian Skimmer campaign highlights the evolving tactics of cybercriminals, emphasizing the need for robust security measures on e-commerce platforms [7]. As attackers refine their methods, understanding and countering techniques like Unicode obfuscation become crucial. Enhanced vigilance and regular updates to content management systems, such as Magento [8], are essential to mitigate these risks. The collaboration among threat actors further complicates the cybersecurity landscape, necessitating continuous adaptation and awareness to protect sensitive personal and financial information.

References

[1] https://krofeksecurity.com/cybercriminal-tactics-unicode-mongolian-skimmer-ecommerce/
[2] https://thehackernews.com/2024/10/cybercriminals-use-unicode-to-hide.html
[3] https://www.linkedin.com/posts/wdevault_cybercriminals-use-unicode-to-hide-mongolian-activity-7250053148302581762-Bgd0
[4] https://jscrambler.com/blog/the-mongolian-skimmer
[5] https://ezitech.org/blogs/cybercriminals-hide-mongolian-skimmer-on-e-commerce-platforms-using-unicode/
[6] https://news.backbox.org/2024/10/10/cybercriminals-use-unicode-to-hide-mongolian-skimmer-in-e-commerce-platforms/
[7] https://cybermaterial.com/hackers-use-unicode-to-conceal-skimmer/
[8] https://thecyberwire.com/podcasts/daily-podcast/2167/transcript
[9] https://securityaffairs.com/169632/malware/skimming-campaign-mongolian-skimmer.html