Aug 17, 2014
A new Magecart threat actor is stealing payment card data from victims' browsers with a digital skimmer that relies on an unusual evasion technique: it checks from inside the browser whether it is running in a virtual machine (VM), so that only real victims, and not security researchers or their analysis environments, are targeted.
“By performing this in-browser check, the threat actor can exclude researchers and sandboxes and only allow real victims to be targeted by the skimmer,” Malwarebytes Head of Threat Intelligence Jérôme Segura wrote in the Malwarebytes post.
Detecting the VMs that security researchers and sandboxing solutions use to capture Magecart activity is “the most popular method” of evading detection, Segura said. For web-based threats, however, “it is more rare to see detection of virtual machines via the browser,” he said; threat actors more commonly filter their targets by geolocation and user-agent string, Segura wrote.
Still, a shift in tactics by cybercriminals is not surprising, he noted: as researchers improve their ability to detect and report such activity, the criminals adapt in turn. “This is a natural trade-off that we must expect,” Segura wrote.
In short, this Magecart threat actor uses a browser-side script to evade researchers and sandboxes, so that the skimmer steals credentials and personal information only from genuine victims' machines.