Magecart Credit Card Skimmer Avoids VMs to Fly Under the Radar

silversurfer

Level 85
Thread author
Verified
Helper
Top poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
7,690
A new Magecart threat actor is stealing people’s payment card info from their browsers using a digital skimmer that uses a unique form of evasion to bypass virtual machines (VM) so it targets only actual victims and not security researchers.

The Malwarebytes team discovered the new campaign, which adds an extra browser process that uses the WebGL JavaScript API to check a user’s machine to ensure it’s not running on a VM, researchers revealed in a blog post published Wednesday.

“By performing this in-browser check, the threat actor can exclude researchers and sandboxes and only allow real victims to be targeted by the skimmer,” Malwarebytes Head of Threat Intelligence Jérôme Segura wrote in the post.

Detecting VMs used by security researchers and sandboxing solutions that are set to pick up Magecart activity is “the most popular method” used to evade detection, Segura said. However, for web-based threats, “it is more rare to see detection of virtual machines via the browser,” he said. Usually threat actors filter targets based on geolocation and user-agent strings, Segura wrote.

However, seeing cybercriminals shift tactics is not surprising, he noted, demonstrating that as researchers up their game to detect and report such nefarious activity, so too do cybercriminals adapt and evolve. “This is a natural trade-off that we must expect,” Segura wrote.