Magecart Credit Card Skimmer Avoids VMs to Fly Under the Radar

The Magecart threat actor uses a browser script to evade detection by researchers and sandboxes, so that it targets only victims’ machines when stealing credentials and personal info.

A new Magecart threat actor is stealing people’s payment card info from their browsers with a digital skimmer that uses a unique form of evasion to bypass virtual machines (VMs), so it targets only actual victims and not security researchers.

The Malwarebytes team discovered the new campaign, which adds an extra browser process that uses the WebGL JavaScript API to check a user’s machine to ensure it’s not running on a VM, researchers revealed in a blog post published Wednesday.

“By performing this in-browser check, the threat actor can exclude researchers and sandboxes and only allow real victims to be targeted by the skimmer,” Malwarebytes Head of Threat Intelligence Jérôme Segura wrote in the post.
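A defender-side triage heuristic for the check described above, as an added example that is not code from Malwarebytes or from the skimmer: it flags scripts that read the GPU renderer string through WebGL and compare it with software or virtual renderer names. The function name `triageScript`, the renderer-name list and the sample scripts are assumptions constructed for illustration; `WEBGL_debug_renderer_info` and `UNMASKED_RENDERER_WEBGL` are the standard WebGL identifiers for reading that string.

```javascript
// Added example: static triage heuristic for defenders (constructed, not the skimmer's code).
// Assumption: these software/virtual GPU names are illustrative; the article
// does not list the strings the skimmer compares against.
const VM_RENDERER_HINTS = ["swiftshader", "llvmpipe", "virtualbox", "vmware"];

// Signals that a script touches WebGL or reads the GPU identity through it.
const WEBGL_SIGNALS = [
  { name: "webgl-context", re: /getContext\(\s*["'`](?:experimental-)?webgl2?["'`]/i },
  { name: "debug-renderer-ext", re: /WEBGL_debug_renderer_info/ },
  { name: "unmasked-renderer", re: /UNMASKED_(?:RENDERER|VENDOR)_WEBGL/ },
];

function triageScript(source) {
  // Undo simple string splitting ("swift" + "shader") before matching.
  const flat = source.replace(/["'`]\s*\+\s*["'`]/g, "");
  const signals = WEBGL_SIGNALS.filter((s) => s.re.test(flat)).map((s) => s.name);
  const lower = flat.toLowerCase();
  const hints = VM_RENDERER_HINTS.filter((h) => lower.includes(h));
  const readsRenderer = signals.some((n) => n !== "webgl-context");
  // Rendering alone is normal; reading the renderer is fingerprinting;
  // comparing it with VM/software renderer names suggests sandbox gating.
  let verdict = "no-finding";
  if (readsRenderer) verdict = hints.length > 0 ? "vm-check" : "fingerprinting";
  return { verdict, signals, hints };
}

// Constructed sample scripts (hypothetical file names and contents).
const SAMPLES = {
  "carousel.js": 'const gl = canvas.getContext("webgl"); gl.clearColor(0, 0, 0, 1);',
  "analytics.js": 'const e = gl.getExtension("WEBGL_debug_renderer_info"); ' +
    "send(gl.getParameter(e.UNMASKED_RENDERER_WEBGL));",
  "checkout-extra.js": 'const e = gl.getExtension("WEBGL_debug_" + "renderer_info"); ' +
    "const r = gl.getParameter(e.UNMASKED_RENDERER_WEBGL).toLowerCase(); " +
    'if (r.includes("swift" + "shader") || r.includes("llvmpipe")) { return; }',
};

for (const [name, src] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(triageScript(src)));
}
```

A `vm-check` verdict on a script loaded by a checkout page is a reason to review that script by hand; heavily obfuscated code will defeat this kind of string matching.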

Magecart is an umbrella term for different threat groups that all compromise e-commerce websites with card-skimming scripts on checkout pages to steal customer payment and personal data. Because their activity is so familiar to security researchers, these groups are constantly looking for new and creative ways to avoid being caught.

Detecting VMs used by security
