The Magecart threat actor uses a browser script to evade detection by researchers and sandboxes so it targets only victims’ machines to steal credentials and personal info.
A new Magecart threat actor is stealing people’s payment card info from their browsers using a digital skimmer that uses a unique form of evasion to bypass virtual machines (VM) so it targets only actual victims and not security researchers.
“By performing this in-browser check, the threat actor can exclude researchers and sandboxes and only allow real victims to be targeted by the skimmer,” Malwarebytes Head of Threat Intelligence Jérôme Segura wrote in the post.
Magecart is an umbrella term for different threat groups who all compromise e-commerce websites with card-skimming scripts on checkout pages to steal customer payment and personal data. Because their activity is so familiar to security researchers, they are constantly looking for new and creative ways to avoid being caught.
Detecting VMs used by security