- The skimmer has been found to be attached to an ongoing campaign with the additional “e4[.]ms” domain.
- Apparently, the skimmer contains an English and Portuguese version to infect as many sites as possible.
What does the report say?
An analysis of an infected site revealed that there are two different versions of Cloudflare’s Rocket Loader. While one of them is obfuscated, the other is recognized as the legitimate Cloudflare’s Rocket Loader library.
Further investigation also showed a subtle difference between the URI paths from which the two scripts are loaded.
Researchers note that the threat actors behind this skimming attack are taking advantage of the fact that, as of Google Chrome version 76, the ‘https’ scheme is no longer shown to users in the address bar.
“The malicious one uses a clever way to turn the domain name http.ps (note the dot ‘.’, extra ‘p’ and double slash ‘//’) into something that looks like ‘https://’,” explained Malwarebytes in a blog post.
The decoy domain http.ps was registered on 2020-02-07 through the registrar Key-Systems GmbH. The Palestinian National Internet Naming Authority (PNINA) is the official registry for the .ps country-code top-level domain (ccTLD).
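As an added defensive illustration (not code from the report or from Malwarebytes), the checker below parses the `src` of each script tag on a page and flags hosts such as `http.ps` that read as a scheme once the browser hides `https://`. The sample tags, their paths and the Cloudflare host are constructed for the example and are assumptions, not the real URIs from the campaign.

```python
import re
from urllib.parse import urlparse

# Constructed sample modelled on the case described above: one ordinary
# Rocket Loader include, one served from the look-alike host "http.ps",
# and one same-origin script. Paths and hosts are illustrative only.
SAMPLE_HTML = """
<script src="https://ajax.cloudflare.com/cdn-cgi/scripts/rocket-loader.min.js"></script>
<script src="//http.ps//cdn-cgi/scripts/rocket-loader.min.js"></script>
<script src="/static/app.js"></script>
"""

SCRIPT_SRC = re.compile(r'<script[^>]*\ssrc=["\']([^"\']+)["\']', re.IGNORECASE)

# A hostname whose first label is a scheme word ("http.ps", "https.example")
# reads as "http://" or "https://" once the browser hides the real scheme.
SCHEME_LOOKALIKE = re.compile(r'^(https?|ftp)\.[a-z0-9-]+(\.[a-z0-9-]+)*$', re.IGNORECASE)


def script_sources(html):
    """Return the src values of all <script> tags that have one."""
    return SCRIPT_SRC.findall(html)


def classify_src(src):
    """Return (hostname, reason); reason is None when nothing looks off."""
    # A protocol-relative "//host/..." needs a scheme before urlparse will
    # treat "host" as the netloc; the page's own scheme (https) is assumed.
    parsed = urlparse("https:" + src if src.startswith("//") else src)
    host = parsed.hostname
    if host is None:
        return None, None  # same-origin relative path, no host to judge
    if SCHEME_LOOKALIKE.match(host):
        return host, "hostname imitates a URL scheme"
    if parsed.path.startswith("//"):
        return host, "double slash after hostname mimics a scheme delimiter"
    return host, None


def suspicious_scripts(html):
    """Return [(src, host, reason)] for every script src that trips a check."""
    hits = []
    for src in script_sources(html):
        host, reason = classify_src(src)
        if reason:
            hits.append((src, host, reason))
    return hits


if __name__ == "__main__":
    for src, host, reason in suspicious_scripts(SAMPLE_HTML):
        print(f"{host}: {reason} ({src})")
```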
Other campaigns related to the skimmer
The skimmer has been found to be attached to an ongoing campaign with the additional “e4[.]ms” domain. Apparently, the skimmer comes in an English and a Portuguese version so as to infect as many sites as possible. Researchers believe that the threat actors behind both attacks are the same, as the domains and skimmers follow similar naming conventions.