Lil' Skim Skimmer

Details about a skimmer threat that has been able to remain mostly under the radar for over a year have been revealed in a new report. Named Lil' Skim, the skimmer threat appears to be a more straightforward and simple version of typical Magecart skimmer variants. To hamper detection while it is active and collecting credit/debit card information of users shopping on the compromised pages, Lil' Skim doubles down on the tactic of impersonating legitimate entities.

The operators of the threat have created numerous skimmer domains whose names mimic closely the ones of the legitimate but compromised sites. The cybercriminals simply replaced the normal top-level domain name with either '.site,' '.website,' or '.pw.' The newly created hosts then initiate the skimmer code and access the stolen payment data of the users. Some examples include gorillawhips.com and the imitation site at gorillawhips.site, as well as dogdug.com and its copycat at dogdug.website. All of the domains discovered by infosec researchers were hosted on 87.236.16[.]107.

Hiding Among Other Threats

Another common technique often employed by skimmer operators involves impersonating legitimate brands such as Google, jQuery and others. Lil' Skim is not an exception and several of its domains have been named after Google. In another instance, skimmer operators impersonated the tidio.com chat application by using the name tidio[.]fun. 

It should also be noted that the cybercriminals behind Lil' Skim put their skimmer domains in an Autonomous System that also contains a significant number of corrupted hosts related to other malware threats such as phishing kits, Android payloads and Windows malware. Only two IP addresses - 87.236.16[.]10 and the aforementioned 87.236.16[.]107, were discovered to be hosting additional domains part of the Lil' Skim operation.