Multilingual skimmer fingerprints ‘secret shoppers’ via Cloudflare endpoint API

A Malwarebytes analysis describes a multilingual Magecart skimmer that fingerprints users by collecting IP addresses, user-agents, and payment data. After the card data is captured, the skimmer uses a Cloudflare endpoint API to obtain the victim's IP address and user-agent, and it injects fake but authentic-looking payment forms to harvest information from Magento and WordPress/WooCommerce sites. #Magecart #Cloudflare #Magento #WooCommerce #PageShield

Keypoints

  • The skimmer collects the victim’s IP address, browser user-agent, email, address, phone number, and credit card data for fingerprinting and data theft.
  • It uses iframes on checkout pages and checks local storage for a font item, which lets it tell new visitors from returning ones (cookie-like behavior).
  • The injected payment forms render identically to official payment platforms to avoid alerting the user.
  • The code queries Cloudflare’s endpoint API and parses results to obtain the user’s IP address and user-agent, enabling profiling and potential bot/security researcher detection.
  • Parsed user-agent strings (e.g., Mozilla/5.0 etc.) reveal OS and browser details to tailor content or targets.
  • The skimmer targets e-commerce platforms such as Magento and WordPress/WooCommerce; merchants are urged to strengthen defenses (e.g., Cloudflare Page Shield).
  • Indicators of compromise include specific analytics domains and script endpoints (e.g., gtag-analytics and gogletags domains) used by the skimmer infrastructure.
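Added detection example, not code from the Malwarebytes write-up or from the skimmer: a Node.js scan over a page's HTML that flags external script tags pointing at the indicator domains or at the `/analytics/<id>/script.js?key=` path shape, and flags inline scripts that combine the traits described above (a request to a Cloudflare trace endpoint, a localStorage font marker, iframe creation). The sample HTML is constructed and `KEY_PLACEHOLDER` stands in for a real key value; since the write-up names only a "Cloudflare endpoint API", matching on Cloudflare's public `/cdn-cgi/trace` path is an assumption of this example, as is the literal storage key name containing `font`.

```javascript
// Added example: scan page HTML for the skimmer traits and indicators listed above.
// Illustrative detection logic, not code from the Malwarebytes write-up.
// Assumptions (not stated in the write-up): the Cloudflare endpoint is /cdn-cgi/trace,
// and the localStorage marker key contains the word "font".

const IOC_DOMAINS = ["gtag-analytics.com", "gogletags.click"];            // from the IoC list
const SCRIPT_PATH_RE = /\/analytics\/\d+\/script\.js\?key=/i;              // IoC URL shape
const CF_TRACE_RE = /cdn-cgi\/trace/i;                                     // assumption
const LS_FONT_RE = /localStorage\.(?:getItem|setItem)\(\s*["'][^"']*font[^"']*["']/i; // assumption
const IFRAME_RE = /<iframe\b|createElement\(\s*["']iframe["']\s*\)/i;

// Pull src attributes of external <script> tags.
function extractScriptSources(html) {
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Pull bodies of inline <script> tags (those without a src attribute).
function extractInlineScripts(html) {
  const re = /<script\b(?![^>]*\bsrc\s*=)[^>]*>([\s\S]*?)<\/script>/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Resolve a script src to a lowercase hostname; relative URLs resolve against the shop host.
function hostOf(src) {
  try { return new URL(src, "https://shop.example.invalid/").hostname.toLowerCase(); }
  catch { return ""; }
}

// Exact match or subdomain of a listed indicator domain.
function matchesIocDomain(host) {
  return IOC_DOMAINS.some((d) => host === d || host.endsWith("." + d));
}

// Returns a list of findings; an empty list means nothing matched.
function scanHtml(html) {
  const findings = [];
  for (const src of extractScriptSources(html)) {
    const host = hostOf(src);
    if (matchesIocDomain(host)) {
      findings.push({ type: "ioc-domain", value: src });
    } else if (SCRIPT_PATH_RE.test(src)) {
      // Same path shape on another host: lower confidence, still worth a look.
      findings.push({ type: "suspicious-path", value: src });
    }
  }
  for (const body of extractInlineScripts(html)) {
    const traits = [];
    if (CF_TRACE_RE.test(body)) traits.push("cloudflare-trace");
    if (LS_FONT_RE.test(body)) traits.push("localstorage-font-marker");
    if (IFRAME_RE.test(body)) traits.push("iframe-injection");
    // Require at least two traits together to keep false positives down.
    if (traits.length >= 2) findings.push({ type: "inline-script", value: traits.join(",") });
  }
  return findings;
}

// Constructed sample: one benign script, two IoC-matching scripts, and one inline
// script combining the traits. "KEY_PLACEHOLDER" stands in for a real key value.
const SAMPLE_HTML = `
<html><head>
<script src="https://cdn.shop.example.invalid/checkout.js"></script>
<script src="https://gtag-analytics.com/analytics/15798/script.js?key=KEY_PLACEHOLDER"></script>
<script src="https://cdn.gogletags.click/loader.js"></script>
</head><body>
<script>
  if (!localStorage.getItem("font")) {
    fetch("https://www.cloudflare.com/cdn-cgi/trace").then(r => r.text());
  }
  document.body.appendChild(document.createElement("iframe"));
</script>
</body></html>`;

console.log(JSON.stringify(scanHtml(SAMPLE_HTML), null, 2));
```

Run it against saved checkout-page HTML (for example, a crawl of the shop's checkout route) rather than live traffic; the domain match is the high-confidence signal, while the path and inline-trait heuristics are triage aids that should be reviewed by hand.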

MITRE Techniques

  • [T1056] Input Capture – The skimmer collects data entered by users on web forms (email, address, phone, credit card). [ “The underlying code will scrape everything from the customer’s contact and payment forms.” ]
  • [T1082] System Information Discovery – The code analyzes the user’s environment by parsing the user-agent to determine OS and browser. [ “The user’s current IP address and browser’s user-agent” ]
  • [T1036] Masquerading – The skimmer renders a fake checkout experience that is identical to official payment platforms to avoid detection. [ “The final rendering is identical to official payment platforms and does not give anything away.” ]

Indicators of Compromise

  • [Domain] gtag-analytics[.]com – used for analytics-like script hosting and data collection
  • [Domain] gogletags[.]click – part of the skimmer infrastructure
  • [URL] gtag-analytics[.]com/analytics/15798/script.js?key=, gtag-analytics[.]com/analytics/18452/script.js?key=
  • [URL] gtag-analytics[.]com/analytics/25198/script.js?key=, gtag-analytics[.]com/analytics/31826/script.js?key=
  • [File] script.js – referenced as part of the analytics/script endpoints

Read more: https://www.malwarebytes.com/blog/threat-intelligence/2023/02/multilingual-skimmer-fingerprints-users-via-cloudflare-endpoint-api