Posts: 10
Threads: 1
Joined: Apr 2026
(Feb 01, 2026, 09:02 PM)abdonivanna Wrote: interesting stuff
thank u <3 This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Contact Administration.
Posts: 22
Threads: 0
Joined: Apr 2026
(Feb 01, 2026, 02:26 PM)F4AR Wrote: This code is an advanced, heavily obfuscated web-based credit card skimmer (Magecart-style) designed to steal payment card details (and much more) from visitors on a compromised e-commerce or checkout page.
Main capabilities:- Multi-layer obfuscation of the exfiltration endpoint (usually a Discord webhook):
- Custom alternating ±13 letter shift (not standard ROT13)
- Double base64 + double URI encoding
- String reversal
- Webhook can be hidden in a data-* attribute on the script tag or hardcoded
- Massive data harvesting:
- Grabs every form field value (input, textarea, select, contenteditable)
- Actively parses for payment data using regex:
- Visa (^4[0-9]{12}(?:[0-9]{3})?),Mastercard(5[1−5][0−9]14 ), Mastercard (^5[1-5][0-9]{14} ),Mastercard(5[1−5][0−9]14), Amex (^3[47][0-9]{13}$)
- CVV/CVC (3–4 digits)
- Expiry dates (MM/YY or MMYY)
- Also steals: cookies, localStorage, sessionStorage, full URL, User-Agent, timestamp
- Global keylogger:
- Records every keystroke on the page
- Sends buffer on Enter key or when > 50 characters accumulated
- Crude screenshot attempt:
- Clones document body, tries to redraw visible text + basic colors on canvas
- Converts to base64 PNG and attaches it to the Discord message
- Exfiltration (usually to Discord):
- Nicely formatted Discord embed
- Green for initialization, orange for stolen data
- Fake randomized X-Forwarded-For header + modified User-Agent
- 3 retry attempts on failure with 2-second delay
- Persistence & dynamic monitoring:
- Listens to form submit events
- Listens to real-time input events
- Uses MutationObserver to detect newly added forms (very effective against SPAs, React/Vue/Angular sites)
- Activation:
- Triggers on window ‘load’ event
- Immediately sends an “Skimmer initialized successfully” message to prove infection
This is a modern, quite sophisticated skimmer (typical of 2024–2026 campaigns), commonly injected via unpatched Magento, WordPress, Shopify vulnerabilities, supply-chain attacks on third-party JS libraries, or admin panel compromise This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Contact Administration.
Posts: 11
Threads: 0
Joined: Jul 2025
Posts: 1
Threads: 0
Joined: Apr 2026
(Feb 01, 2026, 02:26 PM)F4AR Wrote: This code is an advanced, heavily obfuscated web-based credit card skimmer (Magecart-style) designed to steal payment card details (and much more) from visitors on a compromised e-commerce or checkout page.
Main capabilities:- Multi-layer obfuscation of the exfiltration endpoint (usually a Discord webhook):
- Custom alternating ±13 letter shift (not standard ROT13)
- Double base64 + double URI encoding
- String reversal
- Webhook can be hidden in a data-* attribute on the script tag or hardcoded
- Massive data harvesting:
- Grabs every form field value (input, textarea, select, contenteditable)
- Actively parses for payment data using regex:
- Visa (^4[0-9]{12}(?:[0-9]{3})?),Mastercard(5[1−5][0−9]14 ), Mastercard (^5[1-5][0-9]{14} ),Mastercard(5[1−5][0−9]14), Amex (^3[47][0-9]{13}$)
- CVV/CVC (3–4 digits)
- Expiry dates (MM/YY or MMYY)
- Also steals: cookies, localStorage, sessionStorage, full URL, User-Agent, timestamp
- Global keylogger:
- Records every keystroke on the page
- Sends buffer on Enter key or when > 50 characters accumulated
- Crude screenshot attempt:
- Clones document body, tries to redraw visible text + basic colors on canvas
- Converts to base64 PNG and attaches it to the Discord message
- Exfiltration (usually to Discord):
- Nicely formatted Discord embed
- Green for initialization, orange for stolen data
- Fake randomized X-Forwarded-For header + modified User-Agent
- 3 retry attempts on failure with 2-second delay
- Persistence & dynamic monitoring:
- Listens to form submit events
- Listens to real-time input events
- Uses MutationObserver to detect newly added forms (very effective against SPAs, React/Vue/Angular sites)
- Activation:
- Triggers on window ‘load’ event
- Immediately sends an “Skimmer initialized successfully” message to prove infection
This is a modern, quite sophisticated skimmer (typical of 2024–2026 campaigns), commonly injected via unpatched Magento, WordPress, Shopify vulnerabilities, supply-chain attacks on third-party JS libraries, or admin panel compromise This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Contact Administration.
Posts: 4
Threads: 0
Joined: Apr 2026
thanks broder gggh
thanks broder ggghThis forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Contact Administration.
Posts: 62
Threads: 0
Joined: Apr 2026
thank you for sharing This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Contact Administration.
Posts: 18
Threads: 0
Joined: Apr 2024
I never saw code like this kind, would be a interesting read, thanks!
Posts: 7
Threads: 0
Joined: Apr 2026
will check for the effort and time This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Contact Administration.
Posts: 3
Threads: 0
Joined: Apr 2026
(Feb 01, 2026, 02:26 PM)F4AR Wrote: This code is an advanced, heavily obfuscated web-based credit card skimmer (Magecart-style) designed to steal payment card details (and much more) from visitors on a compromised e-commerce or checkout page.
Main capabilities:- Multi-layer obfuscation of the exfiltration endpoint (usually a Discord webhook):
- Custom alternating ±13 letter shift (not standard ROT13)
- Double base64 + double URI encoding
- String reversal
- Webhook can be hidden in a data-* attribute on the script tag or hardcoded
- Massive data harvesting:
- Grabs every form field value (input, textarea, select, contenteditable)
- Actively parses for payment data using regex:
- Visa (^4[0-9]{12}(?:[0-9]{3})?),Mastercard(5[1−5][0−9]14 ), Mastercard (^5[1-5][0-9]{14} ),Mastercard(5[1−5][0−9]14), Amex (^3[47][0-9]{13}$)
- CVV/CVC (3–4 digits)
- Expiry dates (MM/YY or MMYY)
- Also steals: cookies, localStorage, sessionStorage, full URL, User-Agent, timestamp
- Global keylogger:
- Records every keystroke on the page
- Sends buffer on Enter key or when > 50 characters accumulated
- Crude screenshot attempt:
- Clones document body, tries to redraw visible text + basic colors on canvas
- Converts to base64 PNG and attaches it to the Discord message
- Exfiltration (usually to Discord):
- Nicely formatted Discord embed
- Green for initialization, orange for stolen data
- Fake randomized X-Forwarded-For header + modified User-Agent
- 3 retry attempts on failure with 2-second delay
- Persistence & dynamic monitoring:
- Listens to form submit events
- Listens to real-time input events
- Uses MutationObserver to detect newly added forms (very effective against SPAs, React/Vue/Angular sites)
- Activation:
- Triggers on window ‘load’ event
- Immediately sends an “Skimmer initialized successfully” message to prove infection
This is a modern, quite sophisticated skimmer (typical of 2024–2026 campaigns), commonly injected via unpatched Magento, WordPress, Shopify vulnerabilities, supply-chain attacks on third-party JS libraries, or admin panel compromise This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Contact Administration.
Posts: 105
Threads: 0
Joined: Apr 2026
Wow, not something you see often. Thanks for sharing. This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Contact Administration.
|
