Meyhod Skimmer

Meyhod Skimmer Description

Infosec researchers have detected a new Magecart-type attack. The deployed threat was named Meyhod Skimmer and was discovered lurking on multiple e-commerce websites. Among the victims are Bsley, a popular company for hair-treatment products, and the Chicago Architecture Center (CAC), one of the biggest cultural organizations in that city. Not only was the Meyhod Skimmer embedded into the affected websites successfully, but it managed to remain there for multiple months without being detected.

Analysis revealed that the Meyhod Skimmer is not nearly as complex as some of the other recent Magecart threats, such as the latest Grelos skimmer variants or the Ant and Cockroach skimmer. Being relatively simplistic is not a detriment in this case, as the hackers responsible for unleashing Meyhod obviously had plenty of experience in this type of operation. They crafted the threat meticulously so that it blends in with the victim's website environment extremely well. In fact, infosec researchers observed that each infected website contained a Meyhod Skimmer threat that displayed slight variations in its code, indicating that the cybercriminals took the time to customize their malware tool for the specific target.

In a Meyhod Skimmer attack, the threat is split across more than a dozen functions, which helps with obfuscation. The corrupted code itself is appended to legitimate JavaScript resources that vary from widely-used JavaScript libraries to custom-created code. The modified resources are then embedded into the cart and checkout pages through script tags that, at a cursory glance, could be mistaken for an ordinary call to a library. One of the Meyhod Skimmer's functions, called 'saveData', is tasked with getting credit card details by leveraging jQuery selectors. All collected data is then exfiltrated through AJAX POST requests to the Command-and-Control servers established for the operation.
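Because the code is appended to an otherwise legitimate resource, comparing the copy served to shoppers against a known-good baseline exposes the extra tail. The following is an added example, not code from the researchers or the affected sites; the function names, regular expressions and sample strings are constructed for illustration, and the sample tail is an inert placeholder.

```javascript
// Added example: baseline check for code appended to a legitimate script.
// INDICATORS, inspectResource and all sample content are constructed names/values.

// Heuristics based on the behaviour described above: a 'saveData' function,
// jQuery selectors aimed at card fields, and AJAX POST calls.
const INDICATORS = [
  { name: 'card-field selector',
    re: /\$\(\s*['"][^'"]*(card|cc[-_]?num|cvv|cvc|expir)[^'"]*['"]\s*\)/i },
  { name: 'AJAX POST', re: /\$\.(ajax|post)\s*\(/ },
  { name: 'saveData function', re: /\bsaveData\b/ },
];

// Compare the copy served on cart/checkout pages with a known-good copy.
function inspectResource(baseline, served) {
  if (served === baseline) return { status: 'clean', tailLength: 0, hits: [] };
  if (!served.startsWith(baseline)) {
    // Changed in place rather than appended: needs a full manual diff.
    return { status: 'modified', tailLength: 0, hits: [] };
  }
  const tail = served.slice(baseline.length);
  if (tail.trim() === '') return { status: 'clean', tailLength: 0, hits: [] };
  const hits = INDICATORS.filter((i) => i.re.test(tail)).map((i) => i.name);
  return {
    status: hits.length ? 'suspicious-append' : 'appended',
    tailLength: tail.length,
    hits,
  };
}

// Constructed sample: a tiny stand-in library and an inert appended tail
// that only contains the textual indicators inside a comment.
const BASELINE = '/* libfoo 1.0 (constructed) */\nfunction fmt(x){return String(x);}\n';
const TAIL = ";function saveData(){/* placeholder: $('#card_number') ... $.ajax({type:'POST'}) */}";

console.log(inspectResource(BASELINE, BASELINE + TAIL));
```

Any appended tail on a cart or checkout script is worth reviewing even with no indicator hits, since the page notes that each infected site carried a customized variant.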

The Meyhod Skimmer shows that the landscape of Magecart-style attacks is still evolving, with cybercriminals adopting radically different techniques. The end goal has remained the same, though - obtaining sensitive payment information by compromising e-commerce websites.

Meyhod points to the ever-evolving and expanding Magecart landscape encompassing theft of payment information via compromised e-commerce websites.