{
	"id": "585ad250-97a7-4797-b223-b097b1aa7384",
	"created_at": "2026-04-06T00:10:19.980564Z",
	"updated_at": "2026-04-10T03:38:09.775182Z",
	"deleted_at": null,
	"sha1_hash": "cd3666f75e63d2dfdd7f1d027d303a6507692bb8",
	"title": "Black Friday Alert : 4 Emerging Skimming Attacks | Zscaler",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2042590,
	"plain_text": "Black Friday Alert : 4 Emerging Skimming Attacks | Zscaler\r\nBy Sudeep Singh\r\nPublished: 2022-11-21 · Archived: 2026-04-05 13:03:39 UTC\r\nSummary\r\nAt Zscaler ThreatLabz, we have been closely monitoring web threats such as payment card skimming attacks\r\nagainst e-commerce stores. Starting in July 2022, we have observed an increase in such activity targeted against\r\nMagento and PrestaShop e-commerce stores.\r\nWith Black Friday and the holiday season approaching, an increase in online shopping activity is expected as users\r\nrush to take advantage of various discount offers. These holiday shopping\r\ntrends make skimming attacks even more lucrative for threat actors, as they increase the success rate of\r\nstealing victims' payment card details.\r\nIn this blog, we will share details of 4 groups of skimming attacks that have very little to no documentation in the\r\npublic domain. Most of the indicators related to these attacks have no detection by security vendors. We have\r\nshared the complete list of IOCs.\r\nBased on our observation, e-commerce stores in the US, UK, Australia, and Canada were primarily targeted by\r\nthese threat actors. 
Most of the attacks we observed have a shelf life of more than 1 month.\r\nKey points\r\nPayment card skimming attacks continue to pose a prevalent threat to e-commerce stores.\r\nMagento and PrestaShop-based e-commerce stores in the US, UK, Australia and Canada were primarily targeted\r\nsince July 2022.\r\nThese skimming campaigns have a long shelf life and manage to keep their malicious activities under the\r\nradar for several months.\r\nNew variants of skimming attacks rely on heavy use of JavaScript obfuscation, which makes detection more\r\ndifficult.\r\nAn increase in web-based threats such as CC skimming around the holiday season can be expected, since\r\nthreat actors prey on unsuspecting shoppers' increased activity during this time.\r\nTechnical analysis\r\nhttps://www.zscaler.com/blogs/security-research/black-friday-scams-4-emerging-skimming-attacks-watch-holiday-season\r\nPage 1 of 12\n\nGroup 1\r\nIn August and September 2022, we observed a new CC skimmer in the wild in low-volume attacks against\r\nMagento e-commerce websites. The JavaScript skimmer code was hosted on attacker-registered domains, and the\r\nlink to these skimmers was injected into the compromised e-commerce sites.\r\nWe identified 2 unique domains used in this attack by the threat actor. Interestingly, both of these domains\r\nredirect the user to the legitimate Node.js website when accessed directly. It is worth noting that both of these domains\r\nhave very little to no detection on VirusTotal, which indicates that the threat actor was able to stay under the radar.\r\nFigure 1: Very low detection of skimmer-related malicious domains\r\nDuring the course of tracking this threat actor, we noticed two variants of skimmer code in use. One of them was\r\nobfuscated and included some additional functionality. 
We'll discuss both variants here.\r\nVariant 1\r\nThis CC skimmer is hosted at the URL: hxxps://modersecure[.]com/sources.200x/google-analytics.js\r\nBelow are the main functionalities of this skimmer:\r\n1. Uses the setInterval() function to check every 1.5 seconds whether the current URL contains the string\r\n\"/checkout/#payment\". This string corresponds to the checkout page of the compromised e-commerce store and\r\nindicates that the user is ready to purchase the items added to the cart.\r\n2. Calls the findBtnAddAction() function, which uses the HTML DOM to locate the payment button on the page. It\r\nthen adds an event listener for this button which fires as soon as the user clicks it.\r\n3. The event listener calls the sendCardData() function, which in turn calls the getCardData() function to retrieve the\r\npayment card information. This information is base64-encoded and sent to the attacker's data exfiltration\r\nURL. In this case it is: modersecure[.]com/sources.200x/analytic.php. 
The information is exfiltrated using the\r\nnavigator.sendBeacon() function, which sends an HTTP POST request.\r\nCollection of payment card information\r\nInformation about the payment card is collected and stored in the following key-value pair structure.\r\n{\r\n        'number_key': cardNumber,\r\n        'exp_key': cartExp,\r\n        'cvc_key': cvv\r\n}\r\nThe method used to collect the payment card information is customized according to the targeted e-commerce\r\nstore.\r\nBelow are a few examples.\r\nStripe payment\r\nThe code searches for the following element IDs in the web page to locate the card number, expiry date, and CVV code\r\nif the Stripe payment processor is being used.\r\nstripe-payments-card-numbers\r\nstripe-payments-card-expirys\r\nstripe-payments-card-cvcs\r\nMoneris payment\r\nIn cases where e-commerce stores in Canada were compromised, the skimmer code searched for Moneris payment\r\ninformation. Moneris is a popular Canada-based payment processing company and is often used as a payment\r\ngateway on Canada-based Magento e-commerce stores.\r\nFigure 2 shows the relevant skimmer code searching for Moneris payment info.\r\nFigure 2: Group 1 skimmer code\r\nVariant 2\r\nThis second variant of the CC skimmer code was obfuscated and hosted at the URL:\r\nartmodecssdev[.]art/js/av/analytics-google-c82qllg46bw1g23ed2775c5fr9fa.js\r\nMost of the functionality is similar to the first variant, with some enhancements included.\r\nKey functionalities\r\n1. Searches for the string \"/checkout/\" in the URL to ensure the user is at the checkout page.\r\n2. Searches for the string \"f04bf6162ed8779acc1205ac37f8fc4a\" in the cookie. If it is not found, this indicates that\r\nthe user is a new victim.\r\n3. 
Once both the above conditions are satisfied, the skimmer is activated.\r\n4. Navigates the HTML DOM to locate the shipping and item-related information about the order.\r\n5. Uses the HTML DOM to locate the payment card information related to Moneris.\r\n6. Exfiltrates the information using the pixtar() function, which creates an image tag and sets its source to the\r\nexfiltration URL: artmodecssdev[.]art/secure/av/secure.php. After exfiltration, it sets the cookie\r\n\"f04bf6162ed8779acc1205ac37f8fc4a\" to a UUID generated client-side by the script.\r\nFigure 3 shows the data exfiltration function.\r\nFigure 3: Group 1 skimmer code exfiltrating stolen information\r\nGroup 2\r\nIn May 2022, a new domain, payment-analytics[.]info, was registered and used in a skimming attack against\r\nseveral Magento and PrestaShop-based e-commerce stores. Interestingly, this domain was hosted on the IP\r\naddress 45.61.136[.]218, which is in the same subnet as 45.61.136[.]204 (an IP address previously used by the Lazarus\r\nAPT group). We do not have sufficient information at this point to make any attribution for this campaign.\r\nFigure 4 shows the JavaScript skimming code for a Magento e-commerce store.\r\nFigure 4: Group 2 CC skimmer\r\nThe skimming code itself is straightforward. It captures the credit card information by searching for HTML fields\r\ncorresponding to the payment processor used by the targeted store (in this case, Authorize.Net). The collected\r\ninformation is exfiltrated by sending an HTTP POST request to payment-analytics[.]info/validate/\r\nKey functionalities\r\n1. Adds an event listener for the click event on the \"place order\" button by locating the HTML button element with the id\r\nand class: \"#co-payment-form button.action.checkout.primary\". 
Figure 5 shows the corresponding elements on the\r\ncheckout page.\r\nFigure 5: Relevant elements tracked by the skimmer on the checkout page\r\n2. Fetches the payment card information using document.querySelector(), depending on the payment processor\r\nused by the targeted store.\r\n3. Sends a GET request to the REST API endpoint \"/rest/default/V1/guest-carts/\" to retrieve the value of the\r\n\"billing_address\" member, which corresponds to the shipping information entered by the victim.\r\n4. Extracts key info from billing_address, appends it to the payment card information and sends it to the attacker's\r\nserver using an HTTP POST request.\r\nGroup 3\r\nIn July 2022, we observed a threat actor actively compromising Magento-based e-commerce stores and injecting\r\nscript tags pointing to the skimmer code hosted on attacker-registered domains. Each skimmer code snippet was\r\ncustomized with the name of the targeted store and the type of payment processor used.\r\nThere is very limited information available about it in the public domain.\r\nBased on Zscaler cloud telemetry, we were able to identify several previously undocumented domains used in this\r\nskimming campaign and the associated infrastructure.\r\nFigure 6 shows that most of the domains used in this campaign are still undetected on VirusTotal, which explains\r\nthe long shelf life of this campaign.\r\nFigure 6: Group 3 related skimmer domains undetected on VirusTotal\r\nIn this campaign, we observed two variants. The first variant was straightforward and not obfuscated. 
At a later\r\nstage of the campaign in October 2022, we observed an obfuscated version of the skimmer hosted on a domain\r\ncontrolled by the same threat actor.\r\nKey functionalities\r\nWe will briefly describe each of these skimmers' functionalities.\r\nVariant 1\r\nUnlike the other skimmers discussed in this blog so far, this specific variant did not check whether the user is on\r\nthe payment checkout page.\r\nIt used the HTML DOM to locate the HTML fields corresponding to payment card information. The specific\r\nvalues it searches for to locate the information depend on the type of payment processor used by the targeted\r\nstore. This information was concatenated with the user's details, base64-encoded and exfiltrated to the\r\nattacker's server. The exfiltration URI path remained consistent across all the skimmers in this campaign.\r\nURI path: \"redirect-non-site.php?datasend=\"\r\nFigure 7 shows the skimmer code.\r\nFigure 7: Group 3 skimmer code\r\nVariant 2\r\nThe only difference between this variant and variant 1 is obfuscation. We saw new activity from this threat actor in\r\nOctober 2022 when they started using an obfuscated version of the skimmer.\r\nGroup 4\r\nIn November 2022, we observed a threat actor injecting highly obfuscated variants of a JavaScript skimmer into\r\nexisting legitimate jQuery libraries on various Magento-based e-commerce stores.\r\nWe noticed 2 unique domains used for exfiltration of the payment card information. 
Both of these domains still\r\nhave 0 detections on VirusTotal, and the e-commerce stores are still infected at the time of publishing this blog.\r\nFigure 8: Group 4 related skimmer domains undetected on VirusTotal\r\nAs is evident from the domain names, they impersonate content delivery networks (CDNs) in order to blend in\r\nwith legitimate traffic, and this makes them even more difficult to detect at the network layer.\r\nFor the purpose of technical analysis, we will take the example of an obfuscated JS skimmer which was injected into\r\nthe path /skin/frontend/alobencher/default/js/lib/elevatezoom/jquery.elevateZoom-3.0.8.min.js on a compromised\r\nstore, as shown in Figure 9.\r\nFigure 9: Skimmer code injected in a legitimate jQuery library on the e-commerce store\r\nWhen the user navigates to the checkout page on the compromised e-commerce store to purchase the goods, the\r\nmalicious JavaScript skimmer function _0x54d008() is invoked as soon as the user enters and submits the\r\npayment card information. Figure 10 illustrates this.\r\nFigure 10: Event listener in injected skimmer code corresponding to payment submission form\r\nKey functionalities of the skimmer are described below.\r\n1. The skimmer locates the payment button using the pattern \"*[onclick*=\\\"payment.save()\\\"]\" and adds an event\r\nlistener for the click event.\r\n2. The exfiltration function is invoked as soon as the above button is clicked.\r\n3. Unlike the skimmers discussed earlier, in this case it extracts all the input fields using jQuery(\"body input,\r\nbody select, body option\"). This way the skimmer can access all the input, select and option fields on the web\r\npage.\r\n4. 
All this collected information is base64-encoded and stored in the variable payment[string] to send to the\r\nexfiltration URL using an HTTP POST request.\r\n5. The exfiltration URL in this case is: cdn-common[.]com/default/loading.gif\r\nFigure 11 shows the state of key variables in the _0x54d008() function at the time of exfiltration.\r\nFigure 11: CC skimmer in action\r\nZscaler detection status\r\nZscaler’s multilayered cloud security platform detects indicators at various levels, as seen here:\r\nJS.POS.Magecart\r\nConclusion\r\nUsers are advised to exercise caution while shopping online during this holiday season, as threat actors are actively\r\ntargeting e-commerce stores for financial data theft.\r\nWe advise users to pay close attention to any unauthorised payments made using their payment card and to get in\r\ntouch immediately with their respective payment card or banking authorities in case they notice unrecognized\r\ntransactions.\r\nIf you are an e-commerce store owner, we advise you to ensure that you are running the latest version of your e-commerce software (Magento, PrestaShop, etc.). 
Also, to confirm whether your store has already been infected or\r\nnot, e-commerce store owners are advised to scan their server for any unrecognised new files or modifications to\r\nexisting files.\r\nThe Zscaler ThreatLabz team will continue to monitor such skimming attacks proactively, to help keep our\r\ncustomers safe.\r\nIndicators of Compromise\r\nGroup 1\r\nDomains\r\nmodersecure[.]com\r\nartmodecssdev[.]art\r\nInjected JS URLs\r\nmodersecure[.]com/sources.200x/google-analytics.js\r\nmodersecure[.]com/sources.155x/analytics.js\r\nartmodecssdev[.]art/js/av/analytics-google-c82qllg46bw1g23ed2775c5fr9fa.js\r\nExfil URLs\r\nmodersecure[.]com/sources.200x/analytic.php\r\nartmodecssdev[.]art/secure/av/secure.php\r\nGroup 2\r\nDomains\r\npayment-analytics[.]info\r\nInjected JS URL\r\npayment-analytics[.]info/assets/domains/62ae9da17edb100b96c9df7b/analytics.js\r\nExfil URL\r\npayment-analytics[.]info/validate/62b3bb447edb100b96c9e6c5\r\nGroup 3\r\nGroup 4\r\nDomains\r\ncdn-webcloud[.]com\r\ncdn-common[.]com\r\ncdn-webhub[.]com\r\ncdn-fonts[.]com\r\ncdn-mediacloud[.]com\r\nExfil URLs\r\ncdn-webcloud[.]com/default/loading.gif\r\ncdn-common[.]com/default/loading.gif\r\nSource: 
https://www.zscaler.com/blogs/security-research/black-friday-scams-4-emerging-skimming-attacks-watch-holiday-season",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/black-friday-scams-4-emerging-skimming-attacks-watch-holiday-season"
	],
	"report_names": [
		"black-friday-scams-4-emerging-skimming-attacks-watch-holiday-season"
	],
	"threat_actors": [
		{
			"id": "5a0483f5-09b3-4673-bb5a-56d41eaf91ed",
			"created_at": "2023-01-06T13:46:38.814104Z",
			"updated_at": "2026-04-10T02:00:03.110104Z",
			"deleted_at": null,
			"main_name": "MageCart",
			"aliases": [],
			"source_name": "MISPGALAXY:MageCart",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cf7fc640-acfe-41c4-9f3d-5515d53a3ffb",
			"created_at": "2023-01-06T13:46:38.228042Z",
			"updated_at": "2026-04-10T02:00:02.883048Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"PLA Unit 61398",
				"Comment Crew",
				"Byzantine Candor",
				"Comment Group",
				"GIF89a",
				"Group 3",
				"TG-8223",
				"Brown Fox",
				"ShadyRAT",
				"G0006",
				"COMMENT PANDA"
			],
			"source_name": "MISPGALAXY:APT1",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3aaf0755-5c9b-4612-9f0e-e266ef1bdb4b",
			"created_at": "2022-10-25T16:07:23.480196Z",
			"updated_at": "2026-04-10T02:00:04.626125Z",
			"deleted_at": null,
			"main_name": "Comment Crew",
			"aliases": [
				"APT 1",
				"BrownFox",
				"Byzantine Candor",
				"Byzantine Hades",
				"Comment Crew",
				"Comment Panda",
				"G0006",
				"GIF89a",
				"Group 3",
				"Operation Oceansalt",
				"Operation Seasalt",
				"Operation Siesta",
				"Shanghai Group",
				"TG-8223"
			],
			"source_name": "ETDA:Comment Crew",
			"tools": [
				"Auriga",
				"Cachedump",
				"Chymine",
				"CookieBag",
				"Darkmoon",
				"GDOCUPLOAD",
				"GLOOXMAIL",
				"GREENCAT",
				"Gen:Trojan.Heur.PT",
				"GetMail",
				"Hackfase",
				"Hacksfase",
				"Helauto",
				"Kurton",
				"LETSGO",
				"LIGHTBOLT",
				"LIGHTDART",
				"LOLBAS",
				"LOLBins",
				"LONGRUN",
				"Living off the Land",
				"Lslsass",
				"MAPIget",
				"ManItsMe",
				"Mimikatz",
				"MiniASP",
				"Oceansalt",
				"Pass-The-Hash Toolkit",
				"Poison Ivy",
				"ProcDump",
				"Riodrv",
				"SPIVY",
				"Seasalt",
				"ShadyRAT",
				"StarsyPound",
				"TROJAN.COOKIES",
				"TROJAN.FOXY",
				"TabMsgSQL",
				"Tarsip",
				"Trojan.GTALK",
				"WebC2",
				"WebC2-AdSpace",
				"WebC2-Ausov",
				"WebC2-Bolid",
				"WebC2-Cson",
				"WebC2-DIV",
				"WebC2-GreenCat",
				"WebC2-Head",
				"WebC2-Kt3",
				"WebC2-Qbp",
				"WebC2-Rave",
				"WebC2-Table",
				"WebC2-UGX",
				"WebC2-Yahoo",
				"Wordpress Bruteforcer",
				"bangat",
				"gsecdump",
				"pivy",
				"poisonivy",
				"pwdump",
				"zxdosml"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434219,
	"ts_updated_at": 1775792289,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cd3666f75e63d2dfdd7f1d027d303a6507692bb8.pdf",
		"text": "https://archive.orkl.eu/cd3666f75e63d2dfdd7f1d027d303a6507692bb8.txt",
		"img": "https://archive.orkl.eu/cd3666f75e63d2dfdd7f1d027d303a6507692bb8.jpg"
	}
}