Cybersecurity researchers have recently uncovered a sophisticated digital skimming operation, dubbed the “Mongolian Skimmer,” which targets e-commerce platforms using Unicode obfuscation techniques. This malicious campaign, designed to steal sensitive financial and personal data from checkout and admin pages, has sparked concern in the cybersecurity community.
The malware uses JavaScript’s ability to integrate Unicode characters into code, making it incredibly difficult for human eyes to detect. Jscrambler researchers described the skimmer’s obfuscation technique as bizarre due to the excessive use of accented and invisible Unicode characters, which obscure the script’s true intentions.
The Mongolian Skimmer is primarily injected as an inline script on compromised websites, fetching its malicious payload from an external server. Its main target is sensitive financial data entered by users during checkout processes, exfiltrating this information to attacker-controlled servers.
What makes this skimmer particularly tricky is its ability to evade detection. When users open a browser’s developer tools, the script disables certain functions to avoid analysis. According to Pedro Fortuna from Jscrambler, the malware uses a mix of modern and legacy event-handling techniques, ensuring compatibility with a wide range of web browsers.
Evasion and Loader Tactics
Another key feature of the Mongolian Skimmer is its advanced evasion tactics. The malware only activates when user interactions, such as scrolling, mouse movements, or touch events, are detected. This helps the skimmer evade automated bots and avoid slowing down the infected website’s performance, keeping the attack under the radar.
Interestingly, researchers also discovered that one of the compromised Magento e-commerce sites had been infiltrated by a second skimmer. The two skimmer groups appeared to negotiate sharing the profits, with one hacker even writing, “I agree 50/50, you can add your code :),” showing a bizarre collaboration in cybercrime.
Old Techniques in a New Disguise
Despite its heavy reliance on Unicode obfuscation, experts note that the Mongolian Skimmer uses older techniques to conceal its code. While it may appear new and more secure, Fortuna confirmed that these methods are reversible, meaning cybersecurity professionals can still detect and mitigate these attacks with the right tools.
Protect Your E-Commerce Platforms
For e-commerce businesses, ensuring that websites are secured against skimming attacks is crucial. Regular code audits, updates to security systems, and proactive malware detection can help mitigate the risks posed by these sophisticated digital skimmers.