{
	"id": "fe4fcebd-bd12-4554-952d-431c6a853057",
	"created_at": "2026-04-06T00:12:12.176199Z",
	"updated_at": "2026-04-10T13:12:04.134147Z",
	"deleted_at": null,
	"sha1_hash": "1062e14aacea30c6afa7aaeb91324b72be25c0c4",
	"title": "Technical Analysis: Magecart Skimmer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 955562,
	"plain_text": "Technical Analysis: Magecart Skimmer\r\nBy Louis Schürmann\r\nPublished: 2024-12-13 · Archived: 2026-04-05 18:16:00 UTC\r\nIntroduction\r\nDuring an inspection of a webshop, I discovered a credit card skimmer hidden within the site’s source code. This\r\nscript isn’t just clever — it’s dangerous. It injects a fake payment form, captures user input, and silently sends the\r\ndata to a remote server. Here’s how it works:\r\nHow the Skimmer Works\r\n1. Form Injection\r\nThe script starts by injecting a fake payment form into the checkout page. The injected form is dynamically\r\nconstructed and styled to blend seamlessly with the legit page elements. It uses DOM manipulation to find the\r\ncorrect insertion point, ensuring the form appears in the right context in this case during checkout.\r\nPress enter or click to view image in full size\r\nhttps://medium.com/@louis.o.schuermann/technical-analysis-magecart-skimmer-da099d897e38\r\nPage 1 of 8\n\nTargeted Injection: The container variable identifies the DOM element where the form will be injected.\r\nThis ensures the fake form appears within the active payment method section.\r\nDynamic Creation: The wrapper element is dynamically created using document.createElement. It contains\r\na complete form structure, styled and organized to mimic legit payment forms.\r\nSeamless Integration: The appendChild method attaches the wrapper to the target container, effectively\r\nembedding the malicious form into the page.\r\nWithout Skimmer\r\nPress enter or click to view image in full size\r\nhttps://medium.com/@louis.o.schuermann/technical-analysis-magecart-skimmer-da099d897e38\r\nPage 2 of 8\n\nWith Skimmer\r\nPress enter or click to view image in full size\r\nhttps://medium.com/@louis.o.schuermann/technical-analysis-magecart-skimmer-da099d897e38\r\nPage 3 of 8\n\nRed marking added by me for clarification\r\nGet Louis Schürmann’s stories in your inbox\r\nJoin Medium for free to get updates from this writer.\r\nRemember me for faster sign in\r\nThe only way to notice the skimmer is that after entering your credit card details, the legit form will open in a new\r\ntab, asking you to input your credit card information again — but by then, it’s already too late.\r\n2. Real-Time Data Capture\r\nThe script doesn’t wait for you to hit “Submit.” It grabs every keypress as you type, formatting the card number\r\ninto groups of four digits and identifying the card type in real-time.\r\nPress enter or click to view image in full size\r\nhttps://medium.com/@louis.o.schuermann/technical-analysis-magecart-skimmer-da099d897e38\r\nPage 4 of 8\n\nSanitization: The processCardInput function removes all non-numeric characters using replace(/\\D/g, ‘’).\r\nThis ensures only valid card number digits are processed.\r\nLength Restriction: The slice(0, 16) method limits input to 16 digits, preventing users from entering invalid\r\nor unnecessary characters.\r\nFormatting: The match(/.{1,4}/g)?.join(“ “) regex groups digits into blocks of four, providing a familiar\r\nvisual format for credit card numbers.\r\nReal-Time Feedback: The input event listener updates the UI dynamically. The getCardType function\r\nidentifies the card type based on the number, and updateCardIcon displays the corresponding logo in the\r\nform.\r\n3. Exfil\r\nOnce the script has the data, it encodes it in Base64 and sends it off to a remote server. The transmission is\r\ndisguised as an image request, making it harder to detect in normal traffic monitoring.\r\nPress enter or click to view image in full size\r\nData Serialization: The JSON.stringify(phukr.umnmv) method converts the captured user data into a JSON\r\nstring for structured storage.\r\nEncoding: The phukr.rnnvr function encodes the data into Base64 format, adding an extra layer of\r\nobfuscation.\r\nhttps://medium.com/@louis.o.schuermann/technical-analysis-magecart-skimmer-da099d897e38\r\nPage 5 of 8\n\nStealth: The encoded data is appended to an image URL as a query parameter. This makes the request\r\nappear as a standard image load to network monitoring tools.\r\nIntegrity Checks: The phukr.abseg function ensures all required fields are populated before transmission,\r\nreducing the risk of incomplete data.\r\n4. Anti-Debugging\r\nThis script doesn’t want to be understood. If you try to inspect it using browser developer tools, it throws errors to\r\nstop you. But it didn’t stop me;)\r\nPress enter or click to view image in full size\r\nConsole Overrides: By replacing native console methods, the script prevents analysts from logging or\r\nanalyzing its execution.\r\nError Throwing: Any attempt to use these methods results in an error, disrupting debugging workflows and\r\nin some cases even crashing the browser.\r\n5. Adaptive Field Mapping\r\nThe script doesn’t care how the form fields are labeled. It maps input fields dynamically, using a predefined\r\nstructure to locate the right data on any site.\r\nPress enter or click to view image in full size\r\nThis flexibility makes it effective across multiple e-commerce platforms, regardless of how they’re built.\r\nhttps://medium.com/@louis.o.schuermann/technical-analysis-magecart-skimmer-da099d897e38\r\nPage 6 of 8\n\nField Iteration: The script loops through all input elements on the page using getElementsByTagName.\r\nDynamic Mapping: The phukr.shjva function maps each input field to its corresponding data attribute\r\nbased on predefined rules.\r\nDomain Logging: The script records the current domain using location.host, associating the captured data\r\nwith the compromised site.\r\n6. Persistence Through Local Storage\r\nTo ensure data isn’t lost during page reloads or connection interruptions, the script uses localStorage to store\r\ncaptured information temporarily.\r\nPress enter or click to view image in full size\r\nEven if something interrupts the exfiltration process, the stolen data is ready to be sent later.\r\nTemporary Storage: The localStorage.setItem method saves the encoded data locally, preserving it across\r\nsessions.\r\nRetry Mechanism: If the network connection is disrupted, the script can retransmit the data once\r\nconnectivity is restored.\r\nWhy It Matters\r\nThis skimmer is not an isolated example — it’s part of a broader trend in cybercrime, often linked to Magecart\r\noperations. Magecart is an umbrella term for groups specializing in injecting malicious scripts into e-commerce\r\nplatforms. These attacks exploit vulnerabilities in third-party code or weak points in the supply chain to\r\ncompromise websites and steal sensitive information.\r\nWhat’s particularly alarming about this type of skimmer is how it targets individuals, not just businesses. By\r\nfocusing on end-users, attackers bypass traditional enterprise defenses. Instead of attempting large-scale breaches,\r\nthey exploit the trust users place in seemingly secure payment forms. This tactic shifts the focus of cybercrime\r\nfrom large corporate targets to unsuspecting shoppers.\r\nExamples of similar threats include:\r\nDigital Skimming on High-Traffic Sites: Many Magecart campaigns have compromised major platforms\r\nlike Ticketmaster and British Airways, exposing millions of users to data theft.\r\nSupply Chain Exploits: Attackers often leverage vulnerabilities in third-party scripts, like analytics or\r\npayment processors, to inject malicious code downstream.\r\nhttps://medium.com/@louis.o.schuermann/technical-analysis-magecart-skimmer-da099d897e38\r\nPage 7 of 8\n\nCustom Skimmers: These scripts are increasingly tailored to specific platforms, making detection harder\r\nand mitigation more complex.\r\nThis attack is a reminder of the ongoing shift in cybercrime tactics. As threats evolve, the line between targeted\r\nattacks and mass exploitation blurs. Individuals bear the brunt of these threats, making personal vigilance and\r\nimproved web security essential to combat them. Stay safe:)\r\nIOC’s\r\ngstatis.co\r\n185.215.113.111\r\nSource: https://medium.com/@louis.o.schuermann/technical-analysis-magecart-skimmer-da099d897e38\r\nhttps://medium.com/@louis.o.schuermann/technical-analysis-magecart-skimmer-da099d897e38\r\nPage 8 of 8",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/@louis.o.schuermann/technical-analysis-magecart-skimmer-da099d897e38"
	],
	"report_names": [
		"technical-analysis-magecart-skimmer-da099d897e38"
	],
	"threat_actors": [
		{
			"id": "5a0483f5-09b3-4673-bb5a-56d41eaf91ed",
			"created_at": "2023-01-06T13:46:38.814104Z",
			"updated_at": "2026-04-10T02:00:03.110104Z",
			"deleted_at": null,
			"main_name": "MageCart",
			"aliases": [],
			"source_name": "MISPGALAXY:MageCart",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434332,
	"ts_updated_at": 1775826724,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1062e14aacea30c6afa7aaeb91324b72be25c0c4.pdf",
		"text": "https://archive.orkl.eu/1062e14aacea30c6afa7aaeb91324b72be25c0c4.txt",
		"img": "https://archive.orkl.eu/1062e14aacea30c6afa7aaeb91324b72be25c0c4.jpg"
	}
}