Advanced sabotage among competing Magecart factions

Skimmers found to subtly sabotage each others fraud operations

Competition is grim in the online skimming business (aka “MageCart”). The aggressive MagentoCore skimmer was previously observed to kick contending parasites from its victim hosts. But this week, I discovered that the battle has entered a new stage: advanced sabotage of each others revenue streams and reputation.

Sample case in question: cosmetics shop Bliv.com. It contains multiple distinct skimmers that send credit cards to different exfiltration hosts. The more advanced one is onlineclouds.cloud, which is heavily obfuscated and uses cloaking techniques. But with some sweating and curses, I decoded it (full source).

The interesting part is copied below. It detects whether any cards are sent to the (competing but inferior) skimmer domains js-react.com and bootstrap-js.com. Then, it subtly changes the last digit of the intercepted card number, effectively sending bogus card numbers to its competitor:

jQuery.ajaxSetup({
  beforeSend: function(jqXHR, settings) {
    if (settings.url.indexOf("js-react.com") !== -1 || 
    settings.url.indexOf('bootstrap-js.com') !== -1) {
      // ...
      var myRandom = Math.floor(Math.random() * 10);
      var old_cc = settings.data.match(cc);
      var new_data = settings.data.replace(
          new RegExp("[0-9]{13,16}", 'g'), 
          old_cc[0].slice(0, -1) + myRandom);
      settings.data = new_data;
    }
  }
});

Why the subtle sabotage, instead of just killing the inferior skimmer? On the dark web markets, reputation is everything. If one sells non-working cards, angry customers will publicly complain and it will destroy the competing “brand”.

It is not likely that the MageCart battle will be finished soon, so stay tuned…

Thanks to Jérôme Segura of Malwarebytes for suggesting to decode the onlineclouds malware