In the ever-evolving battlefield of cyber threats, it’s always the same game of cat and mouse. The latest entrant making waves among security analysts is the so-called Mongolian Skimmer — a new JavaScript-based skimming attack that, while not entirely novel in its techniques, stands out for a few peculiarities. Let’s dive into this campaign, dissect its tactics, and uncover why it’s both fascinating and ominous for those involved in online transactions. For more details, you can check out the original report on the Jscrambler blog.
What Exactly is the Mongolian Skimmer?
A few weeks ago, Jscrambler researchers stumbled upon this new skimming campaign during routine monitoring of threat intelligence sources. At first glance, it seemed to be leveraging a particularly arcane method of JavaScript obfuscation involving a barrage of accented Unicode characters. This immediately sparked curiosity among the research team and others observing: could it be a new obfuscation technique designed to evade traditional security tools?
However, upon further analysis, it turned out that the Mongolian Skimmer wasn’t wielding any new obfuscation tricks. Instead, it simply took advantage of the JavaScript language’s ability to use any Unicode character in variable names, as permitted by the ECMAScript standard. This campaign, while making its JavaScript payload harder for humans to read, wasn’t doing anything new under the hood. But don’t be fooled by its simplicity; skimming attacks like these continue to be a powerful weapon for cybercriminals targeting e-commerce platforms.
The name Mongolian Skimmer itself was inspired by the first variable used in the script: a strange hexadecimal value that translated to the Mongolian Letter OE Unicode character. This quirky detail led the researchers to a lighthearted yet ominous naming of this campaign.
Behind the Curtain: How the Mongolian Skimmer Operates
While the obfuscation turned out to be nothing groundbreaking, the Mongolian Skimmer campaign still presented a textbook example of how skimmers operate and how they exploit vulnerabilities in common platforms like Magento. You can read more about the official Magento Security Best Practices to understand how to safeguard your Magento-based e-commerce site. Below, we break down some of the key tactics used by this skimmer:
1. DOM Monitoring for User Input
The Mongolian Skimmer uses a script that constantly monitors changes in the DOM (Document Object Model). Specifically, it watches over HTML elements like <input>, <select>, and <textarea> — fields where users are most likely to input sensitive information like personal details or payment card data. Once a user interacts with these elements, the skimmer extracts critical information such as the field’s name or ID, and the actual value entered by the user.
2. Data Exfiltration
The collected data isn’t just left hanging. The skimmer first checks if the current webpage URL contains keywords like “checkout” or “admin,” which helps it identify pages that are likely handling sensitive information. The stolen data is then base64-encoded using the window.btoa() function and exfiltrated to a remote server. Interestingly, the exfiltration method involves the use of a tracking pixel, created via the JavaScript new Image() object, which ensures the data is transferred stealthily. This data exfiltration technique has been detailed by OWASP as a common method used by attackers to avoid detection.
3. Developer Tools Detection
In an effort to prevent analysis, the Mongolian Skimmer employs tactics to detect if browser developer tools are open. If these tools are detected, the skimmer modifies its behavior, possibly by disabling certain functions, in a bid to avoid detection or scrutiny. This kind of self-preserving behavior is becoming increasingly common in malicious scripts. For more information, see the Mozilla Developer Network (MDN) documentation on browser developer tools and their security implications.
4. Last-Minute Data Capture
The skimmer also ensures that no data is missed even when a user decides to leave the page. It utilizes the beforeunload event to capture any last-minute data entries before the webpage is closed or refreshed. This ensures that any final keystrokes before a user navigates away are also captured.
5. Cross-Browser Compatibility
The script has been crafted to work across a wide variety of browsers, employing both legacy and modern event-handling methods. This ensures that the skimmer can steal data from users regardless of their browser choice, significantly expanding the reach of the attack.
6. Anti-Debugging Techniques
The skimmer script also uses classic anti-debugging techniques by checking its own formatting through string conversion and regex tests. These tests are intended to detect code beautification, which is often used by analysts trying to make obfuscated JavaScript readable.
An Unusual Loader Variant: The Magento Twist
While investigating various instances of the Mongolian Skimmer, the researchers discovered that most instances relied on inline scripts. However, they found a particularly interesting loader variant attached to the Magento plugin “Magento 2 Google Tag Manager” developed by MageFan. This loader script, designed to trigger based on user interactions like scrolling, mouse movement, or a touchstart event, was essentially a gatekeeper — deciding whether or not the skimmer script should be loaded. This had the added benefit of bypassing bot detectors and maintaining page load speed.
Cybercriminals Communicating in Comments
One of the more intriguing finds during the analysis was evidence of communication between multiple skimming actors within the compromised Magento site. The researchers identified code comments in which two separate threat actors were negotiating profit splits. This was a true “cybercriminal chatroom” embedded in the JavaScript code of the skimmer itself. Here’s a snapshot of their exchange:
- 24/09/2024:
<!-- 50/50 maybe? --> - 27/09/2024:
<!-- I agree 50/50, you can add your code :) --> - 30/09/2024:
<!-- Alright ) so how can I contact you though? U have acc on exploit? -->
This sort of casual communication is an alarming yet fascinating glimpse into the organized, and sometimes surprisingly cooperative, underworld of cybercrime.
A Common Skimming Approach with a Unique Spin
The Mongolian Skimmer, although unique in name and the use of certain obfuscation quirks, doesn’t represent a revolution in skimming tactics. Instead, it showcases how familiar, off-the-shelf techniques can be slightly altered to create something that flies under the radar — at least for a while. Jscrambler researchers quickly unraveled the script, noting that even though the obfuscation looked complex, it was easily reversed using available JavaScript transforming tools to simplify the code.
The use of Unicode obfuscation, especially with Mongolian characters, adds a layer of perceived novelty, but at its core, the skimmer was operating like many others: taking advantage of poorly protected e-commerce systems, in this case, Magento installations.
Indicators of Compromise (IOCs)
During their analysis, the researchers also identified several Indicators of Compromise (IOCs) associated with the Mongolian Skimmer. These include domain names and IP addresses used for exfiltrating stolen data. For an in-depth look at identifying IOCs, consult CISA’s guidelines on indicators of compromise:
common.gifcache.com(IP: 191.96.56.171)cache.cdn-core.com(IP: 198.187.29.127)widget.statictool.com(IP: 82.197.83.18)stat.mystatpal.com(IP: 82.197.83.29)seomgr.com(IP: 62.72.7.8)
If you’re managing an e-commerce platform, monitoring your systems for communication with these domains or IP addresses is critical for early detection and response.
How Can Businesses Protect Themselves?
The Mongolian Skimmer may not be a technological leap forward, but it serves as a critical reminder for e-commerce operators about the importance of security hygiene and proactive monitoring. Here are some recommended measures to protect against skimming attacks:
- Implement Content Security Policies (CSPs): Content Security Policies (CSPs) can help prevent unauthorized scripts from loading on your site. You can learn more about implementing CSPs by visiting the Mozilla Developer Network (MDN) guide on Content Security Policy.
- Regular JavaScript Security Audits: Since skimmers operate primarily through JavaScript, frequent audits using tools like Jscrambler’s Code Integrity product can reveal malicious scripts.
- Monitor for Indicators of Compromise: Keep an eye on outgoing traffic, especially communication with suspicious domains, as this could indicate skimming activity.
- Stay Updated: Many skimming attacks target known vulnerabilities in CMS platforms like Magento. Ensure all plugins and core components are updated regularly.
FAQs
What is the Mongolian Skimmer?
The Mongolian Skimmer is a JavaScript-based skimming campaign that steals sensitive user information from compromised websites, particularly targeting input fields on e-commerce sites.
How does the Mongolian Skimmer operate?
The skimmer monitors changes in web page input elements, exfiltrates data via base64 encoding, detects if developer tools are open, and takes measures to evade detection.
What makes this skimming campaign unique?
Its uniqueness lies in its use of Unicode characters in obfuscation and the bizarre instance where two cybercriminals communicated via comments in the source code, showcasing the collaborative nature of some cyberattacks.
How can businesses protect themselves against skimmers?
Businesses can implement CSPs, conduct regular JavaScript security audits, monitor for IOCs, and keep all their web technologies updated to protect against skimming attacks.
Conclusion: Lessons from the Mongolian Skimmer
The Mongolian Skimmer is an intriguing example of the evolving world of client-side cyberattacks. Despite the appearance of complexity, the campaign relies on well-known JavaScript features and classic skimming tactics. Its effectiveness, like many skimming campaigns, relies on exploiting common vulnerabilities in website security — something that remains all too familiar in the e-commerce space.
The takeaway for cybersecurity professionals and online businesses is clear: prioritize robust security measures, stay updated, and never underestimate the ingenuity of threat actors
