
Smilodon Webshell

Web skimming attacks remain a relevant danger to both online merchants and shoppers. Skimming involves compromising the payment page of a website by injecting a malware payload into it. The cybercriminals can then intercept sensitive payment or credit/debit card information and use it to perform various online frauds.

A new skimming Web shell named Smilodon (or Megalodon) has been detected by infosec researchers. Certain evidence points toward Smilodon being deployed by Magecart Group 12, a hacker collective that is believed to be responsible for the Magento 1 skimming campaigns that took place last fall. The malware is first disguised as a file named 'Magento.png' that tries to pass itself off as image/png. However, it lacks the proper PNG file format. The skimmer Web shell is injected into compromised sites by editing the shortcut icon tags so that they point to the fake PNG file. Hidden inside it is a PHP Web shell, a popular malware type that allows threat actors to achieve and maintain remote access and administration.

The threatening functionality of the Smilodon Web shell includes retrieving data from an external host, corrupted code that focuses specifically on credit card skimming, user-credential harvesting, and data exfiltration. The threat also departs from the commonly used skimming technique of calling an external JavaScript resource. In that technique, whenever a customer visits the compromised online store, the browser sends a request to the domain where the skimmer malware is hosted, and an effective method for blocking this operation is a domain/IP database approach.

However, the Smilodon Web shell instead injects code into the merchant website dynamically. The request toward the unsafe domain that hosts the skimmer has also shifted from the client to the server. Doing so makes the database blocking approach practically unusable, as it would require blacklisting all compromised stores.
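Because the skimmer is fetched server-side, a client-side domain blocklist never sees it, so the check has to happen on the store's own files. The following is an added example, not code from the original entry or from any research team: it pulls the shortcut icon link tags out of a page, resolves each href under the web root, and flags any referenced "image" that carries a PHP open tag or lacks the PNG signature. The web root layout, file names and sample HTML are constructed for the demo.

```python
from __future__ import annotations
import re
import tempfile
from pathlib import Path

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"           # every genuine PNG starts with this signature
# <link ... rel="icon" | rel="shortcut icon" ...>, attributes in any order
ICON_TAG = re.compile(r'<link\b[^>]*\brel=["\'](?:shortcut )?icon["\'][^>]*>', re.I)
HREF = re.compile(r'\bhref=["\']([^"\']+)["\']', re.I)
PHP_OPEN = re.compile(rb"<\?(?:php\b|=)", re.I)   # PHP open tags, which a real image never contains

def icon_hrefs(html: str) -> list[str]:
    """Every href referenced from a favicon / shortcut icon link tag, in page order."""
    return [m.group(1) for tag in ICON_TAG.findall(html) if (m := HREF.search(tag))]

def check_icon_file(path: Path) -> str:
    """'ok' for a real PNG, 'php_in_image' if the file carries a PHP open tag,
    'not_png' if it merely lacks the PNG signature."""
    data = path.read_bytes()
    if PHP_OPEN.search(data):
        return "php_in_image"
    return "ok" if data.startswith(PNG_MAGIC) else "not_png"

def audit(webroot: Path, html: str) -> list[tuple[str, str]]:
    """Resolve each icon href under the web root and classify the file it points to."""
    root = webroot.resolve()
    findings = []
    for href in icon_hrefs(html):
        if "://" in href or href.startswith("//"):
            findings.append((href, "external"))       # icon served from another host
            continue
        target = (root / href.lstrip("/")).resolve()
        if root not in target.parents or not target.is_file():
            findings.append((href, "missing_or_outside_webroot"))
            continue
        findings.append((href, check_icon_file(target)))
    return findings

def demo() -> list[tuple[str, str]]:
    """Constructed sample web root: one genuine PNG and one PHP file disguised as Magento.png."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "media").mkdir()
        (root / "media" / "favicon.png").write_bytes(PNG_MAGIC + b"\x00" * 16)
        (root / "media" / "Magento.png").write_bytes(b"<?php /* placeholder, not a real payload */ ?>")
        html = ('<link rel="shortcut icon" href="/media/favicon.png">\n'
                '<link rel="icon" type="image/png" href="/media/Magento.png">\n'
                '<link rel="icon" href="https://cdn.example/Magento.png">')
        return audit(root, html)
```

Running `demo()` reports the genuine favicon as ok, the disguised Magento.png as php_in_image, and the third tag as external, which is what a template-level check on a Magento store's skin files should surface.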
