{
	"id": "8f057ddd-5a8a-4584-86d9-cc1c5a6c45cc",
	"created_at": "2026-04-06T00:21:58.285406Z",
	"updated_at": "2026-04-10T03:20:17.464997Z",
	"deleted_at": null,
	"sha1_hash": "d621b8422ced9e7c74ef853283088eca1f9edf76",
	"title": "Fraudsters cloak credit card skimmer with fake content delivery network, ngrok server | Malwarebytes Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 887057,
	"plain_text": "Fraudsters cloak credit card skimmer with fake content delivery network, ngrok server | Malwarebytes Labs\r\nBy Jérôme Segura\r\nPublished: 2020-02-25 · Archived: 2026-04-05 17:29:44 UTC\r\nThreat actors love to abuse legitimate brands and infrastructure—this, we know. Last year we exposed how web skimmers had found their way onto Amazon’s CloudFront content delivery network (CDN) via insecure S3 buckets. Now, we discovered scammers pretending to be CDNs while exfiltrating data and hiding their tracks—another reason to keep a watchful eye on third-party content.\r\nSometimes, what looks like a CDN may turn out to be anything but. Using lookalike domains is nothing new among malware authors. One trend we see a fair bit with web skimmers in particular is domains that mimic Google Analytics: practically all websites use this service for their ranking and statistics, so it makes for credible copycats.\r\nIn the latest case, we caught scammers using two different domains pretending to be a CDN. While typically the second piece of the infrastructure is used for data exfiltration, here it only acts as an intermediary that attempts to hide the actual exfiltration server.\r\nOddly, the crooks decided to use a local web server exposed to the Internet via the free ngrok service—a reverse proxy software that creates secure tunnels—to collect the stolen data. This combination of tricks and technologies shows us that fraudsters can devise custom schemes in an attempt to evade detection.\r\nInspecting code for unauthorized third parties\r\nWe identified suspicious code on the website for a popular Parisian boutique store. However, to the naked eye, the script in question looks just like another jQuery library loaded from a third-party CDN.\r\nhttps://blog.malwarebytes.com/threat-analysis/2020/02/fraudsters-cloak-credit-card-skimmer-with-fake-content-delivery-network-ngrok-server/\r\nPage 1 of 7\r\nAlthough the domain name (cdn-sources[.]org) alludes to a CDN, and unveil.js is a legitimate library, a quick look at the content shows some inconsistencies. There should not be fields looking for a credit card number in this kind of plugin.\r\nTo clear any doubts, we checked an archived copy of the site and compared it with a live snapshot. We can indeed see that this script did not exist just a couple of weeks prior. Either it was added by the site owner or, as in this case, injected by attackers.\r\nThe script checks the current URL in the address bar and, if it matches that of a checkout page, begins collecting form data. This typically includes the shopper’s name, address, email, phone number, and credit card information.\r\nData exfiltration via ngrok server\r\nOnce this data is collected, the skimmer exfiltrates it to a remote location. Here, we see yet another CDN lookalike in cdn-mediafiles[.]org. However, after checking the network traffic, we noticed this is not the actual exfiltration domain, but simply an intermediary.\r\nGET https://cdn-mediafiles.org/cache.php HTTP/1.1 Host: cdn-mediafiles.org Connection: keep-alive Acc\r\nInstead, the GET request returns a Base64-encoded response. This string, which was already present in the original skimmer script, decodes to //d68344fb.ngrok[.]io/ad.php, which turns out to be the actual exfiltration server.\r\nNgrok is software that can expose a local machine to the outside as if it were an external server. Users can create a free account and get a public URL. Crooks have abused ngrok to exfiltrate credit card data before.\r\nTo summarize, the compromised e-commerce site loads a skimmer from a domain made to look like a CDN. Data is collected when a shopper is about to make a payment and sent to a custom ngrok server after a simple redirect.\r\nThe above view is simplified, keeping only the key elements responsible for the skimming activity. In practice, network captures will contain hundreds more sequences that make it more difficult to isolate the actual malicious activity.\r\nBlocking and reporting\r\nWe caught this campaign early on, and at the time only a handful of sites had been injected with the skimmer. We reported it to the affected parties while also making sure that Malwarebytes users were protected against it.\r\nThreat actors know they typically have a small window of opportunity before their infrastructure gets detected and possibly shut down. They can devise clever tricks to mask their activity in addition to using domains that are either fresh or belong to legitimate (but abused) owners.\r\nWhile these breaches hurt the reputation of online merchants, customers also suffer the consequences of a hack. Not only do they have to go through the hassle of getting new credit cards, their identities are stolen as well, opening the door to future phishing attacks and impersonation attempts.\r\nIndicators of Compromise\r\nWeb skimmer domain\r\ncdn-sources[.]org\r\nWeb skimmer scripts\r\ncdn-sources[.]org/jquery.unveil.js\r\ncdn-sources[.]org/adrum-4.4.3.717.js\r\ncdn-sources[.]org/jquery.social.share.2.2.min.js\r\nRedirect\r\ncdn-mediafiles[.]org/cache.php\r\nExfiltration URL\r\nd68344fb.ngrok[.]io/ad.php\r\nSource: https://blog.malwarebytes.com/threat-analysis/2020/02/fraudsters-cloak-credit-card-skimmer-with-fake-content-delivery-network-ngrok-server/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-analysis/2020/02/fraudsters-cloak-credit-card-skimmer-with-fake-content-delivery-network-ngrok-server/"
	],
	"report_names": [
		"fraudsters-cloak-credit-card-skimmer-with-fake-content-delivery-network-ngrok-server"
	],
	"threat_actors": [],
	"ts_created_at": 1775434918,
	"ts_updated_at": 1775791217,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d621b8422ced9e7c74ef853283088eca1f9edf76.pdf",
		"text": "https://archive.orkl.eu/d621b8422ced9e7c74ef853283088eca1f9edf76.txt",
		"img": "https://archive.orkl.eu/d621b8422ced9e7c74ef853283088eca1f9edf76.jpg"
	}
}