IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Magecart card skimmer avoids detection by evading virtual machines

Browser script detects VMs used by researchers

Woman holding a credit card over a keyboard

Security researchers have found a new credit card that uses a browser script to discover antivirus companiesvirtual machines (VM) and sandboxes to avoid detection.

Researchers at Malwarebytes instigated an investigation into a newly reported domain that could be related to Magecart. It found suspicious JavaScript loads alongside an image of payment methods. 

They found an interesting function within this skimmer script that uses the WebGL JavaScript API to gather information about the user’s machine. This script checks to see if a user’s device is running a virtual machine.

It does this by detecting if the graphics card driver running on the operating system is a software renderer fallback from the hardware (GPU) renderer. In the script, the skimmer is checking for the presence of the words swiftshader, llvmpipe, and VirtualBox. Google Chrome uses SwiftShader while Firefox relies on llvmpipe as its renderer fallback.

“By performing this in-browser check, the threat actor can exclude researchers and sandboxes and only allow real victims to be targeted by the skimmer,” said Jérôme Segura, head of Threat Intelligence at Malwarebytes.

Researchers noticed if the machine passes the check, the personal data exfiltration process can take place normally. The skimmer scrapes several fields, including the customer’s name, address, email, phone number, and credit card data.

“It also collects any password (many online stores allow customers to register an account), the browser’s user-agent, and a unique user ID. The data is then encoded and exfiltrated to the same host via a single POST request,” said Segura.

While trying to detect if a machine is running a VM, which security researchers use to safely analyze malware, this malware looks for specific values indicating the presence of VMware or Virtual Box, two of the most popular pieces of virtualization software.

“For web threats, it is more rare to see detection of virtual machines via the browser. Typically threat actors are content with filtering targets based on geolocation and user-agent strings. But that feature does exist in modern browsers and can be quite effective,” said Segura.

Researchers added that it is not surprising to see criminals adopt such evasion techniques. “However, it shows that as we get better at detecting and reporting attacks, threat actors also evolve their code eventually. This is a natural trade-off that we must expect,” added Segura.

Featured Resources

Four strategies for building a hybrid workplace that works

All indications are that the future of work is hybrid, if it's not here already

Free webinar

The digital marketer’s guide to contextual insights and trends

How to use contextual intelligence to uncover new insights and inform strategies

Free Download

Ransomware and Microsoft 365 for business

What you need to know about reducing ransomware risk

Free Download

Building a modern strategy for analytics and machine learning success

Turning into business value

Free Download

Recommended

RATDispenser evades nine in ten anti-virus engines
Security

RATDispenser evades nine in ten anti-virus engines

24 Nov 2021
Hackers use Linux backdoor on compromised e-commerce sites with software skimmer
malware

Hackers use Linux backdoor on compromised e-commerce sites with software skimmer

19 Nov 2021
Iranian hackers ramp up attacks against IT services sector
hacking

Iranian hackers ramp up attacks against IT services sector

19 Nov 2021
TikTok phishing campaign tried to scam over 125 influencer accounts
social media

TikTok phishing campaign tried to scam over 125 influencer accounts

18 Nov 2021

Most Popular

Russian hackers declare war on 10 countries after failed Eurovision DDoS attack
hacking

Russian hackers declare war on 10 countries after failed Eurovision DDoS attack

16 May 2022
Windows Server admins say latest Patch Tuesday broke authentication policies
Server & storage

Windows Server admins say latest Patch Tuesday broke authentication policies

12 May 2022
IT admin deletes company’s databases and is jailed for seven years
Policy & legislation

IT admin deletes company’s databases and is jailed for seven years

16 May 2022