Magecart card skimmer avoids detection by evading virtual machines

Browser script detects VMs used by researchers

Woman holding a credit card over a keyboard

Security researchers have found a new credit card that uses a browser script to discover antivirus companiesvirtual machines (VM) and sandboxes to avoid detection.

Researchers at Malwarebytes instigated an investigation into a newly reported domain that could be related to Magecart. It found suspicious JavaScript loads alongside an image of payment methods. 

They found an interesting function within this skimmer script that uses the WebGL JavaScript API to gather information about the user’s machine. This script checks to see if a user’s device is running a virtual machine.

It does this by detecting if the graphics card driver running on the operating system is a software renderer fallback from the hardware (GPU) renderer. In the script, the skimmer is checking for the presence of the words swiftshader, llvmpipe, and VirtualBox. Google Chrome uses SwiftShader while Firefox relies on llvmpipe as its renderer fallback.

“By performing this in-browser check, the threat actor can exclude researchers and sandboxes and only allow real victims to be targeted by the skimmer,” said Jérôme Segura, head of Threat Intelligence at Malwarebytes.

Researchers noticed if the machine passes the check, the personal data exfiltration process can take place normally. The skimmer scrapes several fields, including the customer’s name, address, email, phone number, and credit card data.

“It also collects any password (many online stores allow customers to register an account), the browser’s user-agent, and a unique user ID. The data is then encoded and exfiltrated to the same host via a single POST request,” said Segura.

While trying to detect if a machine is running a VM, which security researchers use to safely analyze malware, this malware looks for specific values indicating the presence of VMware or Virtual Box, two of the most popular pieces of virtualization software.

“For web threats, it is more rare to see detection of virtual machines via the browser. Typically threat actors are content with filtering targets based on geolocation and user-agent strings. But that feature does exist in modern browsers and can be quite effective,” said Segura.

Researchers added that it is not surprising to see criminals adopt such evasion techniques. “However, it shows that as we get better at detecting and reporting attacks, threat actors also evolve their code eventually. This is a natural trade-off that we must expect,” added Segura.

Featured Resources

2021 Thales cloud security study

The challenges of cloud data protection and access management in a hybrid and multi cloud world

Free download

IDC agility assessment

The competitive advantage in adaptability

Free Download

Digital transformation insights from CIOs for CIOs

Transformation pilotes, co-pilots, and engineers

Free download

What ITDMs did next - and what they should be doing now

Enable continued collaboration and communication for hybrid workers

Recommended

RATDispenser evades nine in ten anti-virus engines
Security

RATDispenser evades nine in ten anti-virus engines

24 Nov 2021
Hackers use Linux backdoor on compromised e-commerce sites with software skimmer
malware

Hackers use Linux backdoor on compromised e-commerce sites with software skimmer

19 Nov 2021
Iranian hackers ramp up attacks against IT services sector
hacking

Iranian hackers ramp up attacks against IT services sector

19 Nov 2021
TikTok phishing campaign tried to scam over 125 influencer accounts
social media

TikTok phishing campaign tried to scam over 125 influencer accounts

18 Nov 2021

Most Popular

What should you really be asking about your remote access software?
Sponsored

What should you really be asking about your remote access software?

17 Nov 2021
What are the pros and cons of AI?
machine learning

What are the pros and cons of AI?

30 Nov 2021
What is single sign-on (SSO)?
single sign-on (SSO)

What is single sign-on (SSO)?

2 Dec 2021