[F4AR]

This code is an advanced, heavily obfuscated web-based credit card skimmer (Magecart-style) designed to steal payment card details (and much more) from visitors on a compromised e-commerce or checkout page.
Main capabilities:

• Multi-layer obfuscation of the exfiltration endpoint (usually a Discord webhook):
  • Custom alternating ±13 letter shift (not standard ROT13)
    
  • Double base64 + double URI encoding
    
  • String reversal
    
  • Webhook can be hidden in a data-* attribute on the script tag or hardcoded
    
• Massive data harvesting:
  • Grabs every form field value (input, textarea, select, contenteditable)
    
  • Actively parses for payment data using regex:
    • Visa (^4[0-9]{12}(?:[0-9]{3})?),Mastercard(5[1−5][0−9]14 ), Mastercard (^5[1-5][0-9]{14} ),Mastercard(5[1−5][0−9]14), Amex (^3[47][0-9]{13}$)
      
    • CVV/CVC (3–4 digits)
      
    • Expiry dates (MM/YY or MMYY)
      
  • Also steals: cookies, localStorage, sessionStorage, full URL, User-Agent, timestamp
    
• Global keylogger:
  • Records every keystroke on the page
    
  • Sends buffer on Enter key or when > 50 characters accumulated
    
• Crude screenshot attempt:
  • Clones document body, tries to redraw visible text + basic colors on canvas
    
  • Converts to base64 PNG and attaches it to the Discord message
    
• Exfiltration (usually to Discord):
  • Nicely formatted Discord embed
    
  • Green for initialization, orange for stolen data
    
  • Fake randomized X-Forwarded-For header + modified User-Agent
    
  • 3 retry attempts on failure with 2-second delay
    
• Persistence & dynamic monitoring:
  • Listens to form submit events
    
  • Listens to real-time input events
    
  • Uses MutationObserver to detect newly added forms (very effective against SPAs, React/Vue/Angular sites)
    
• Activation:
  • Triggers on window ‘load’ event
    
  • Immediately sends an “Skimmer initialized successfully” message to prove infection
    

This is a modern, quite sophisticated skimmer (typical of 2024–2026 campaigns), commonly injected via unpatched Magento, WordPress, Shopify vulnerabilities, supply-chain attacks on third-party JS libraries, or admin panel compromise

Hidden Content

You must register or login to view this content.

This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Contact Administration.

[Aimbot]

will check for the effort and time

[F4AR]

will check for the effort and time

You'll tell me what you think.

This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Contact Administration.

[wergwfe]

thank u so much for u sharing

This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Contact Administration.

[F4AR]

thank u so much for u sharing

No problem, thank you.

This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Contact Administration.

[shabanaiqbal420]

A big hug for you man.

This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Contact Administration.

[n0trace]

thanks mate i appreciate it

This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Contact Administration.

[leozim2024]

Thank you I will check this out

[F4AR]

A big hug for you man.

ahahah thank u so much

---

Thank you I will check this out

tell me again what you think

---

thanks mate i appreciate it

no problem thank u

This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Contact Administration.

[abdonivanna]

interesting stuff

This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Contact Administration.