Threat actors often compete for the same resources, and this is especially true when it comes to website compromises. After all, if a vulnerability exists, one can expect that it will be exploited more than once.
In the past, we have seen such occurrences with Magecart threat actors for example in the breach of the Umbro website. Recently, while reading a blog post from security vendor Akamai, we spotted a similar situation. In the listed indicators of compromise, we noticed domains that we had seen used in a distinct skimming campaign which didn’t seem to be documented yet.
In fact, we saw instances of compromised stores having both skimmers loaded, which means double trouble for victims as their credit card information is stolen not just once but twice. In this blog post, we show how the newly identified Kritec skimmer was found alongside one of its competitors.
Original campaign using WebSockets
Researchers at Akamai reported on a Magecart skimmer campaign disguised as Google Tag Manager that also made the news with the compromise of one of Canada’s largest liquor stores (LCBO). While details were not shared at the time, we were able to determine, thanks to an archived crawl on urlscan.io, that the skimmer was using WebSockets and is the same one described in Akamai’s blog.
Akamai notes that they identified multiple compromised websites that had similarities. They also list nebiltech[.]shop in their IOCs, a domain we sometimes saw injected near the Google Tag Manager script, but not within it.
We believe this is a different campaign and threat actor altogether. Here are some reasons why:
- No WebSocket being used
- Domains abusing Cloudflare
- Intermediary loader
- Completely different skimming code
To complicate things, we observed some stores that had both skimmers at the same time, which is another reason why we believe they are not related:
Decoding it reveals a URL pointing to the actual skimming code, which is heavily obfuscated (likely via obfuscator.io):
The data exfiltration is also done differently as seen in the image below. On the left, the stolen credit card data is sent via a WebSocket skimmer while on the right, it is a POST request:
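Both exfiltration channels described above, the WebSocket connection and the POST request, are governed by the same connect-src directive of a Content Security Policy, and the injected loader script by script-src. The following is an added example (our code, not from the original post or from either skimmer) that evaluates a constructed page-load trace against a permissive and a tightened policy; the placeholder hostnames, the shop origin and the simplified source matching are assumptions.

```python
from urllib.parse import urlsplit
# Constructed page-load trace (placeholder hostnames, not real indicators): the GTM
# script, a third-party loader injected next to it, and the WebSocket vs POST exfil.
OBSERVED = [
    ("script-src", "https://www.googletagmanager.com/gtm.js"),
    ("script-src", "https://cdn.loader.example/pre-loader.js"),
    ("connect-src", "wss://ws.exfil.example/socket"),
    ("connect-src", "https://post.exfil.example/collect"),
]
WEAK_CSP = "default-src * 'unsafe-inline'"           # permissive, as often deployed
STRICT_CSP = ("default-src 'self'; script-src 'self' https://www.googletagmanager.com; "
              "connect-src 'self' https://www.google-analytics.com")   # tightened

def parse_csp(header):
    """Split a CSP header into {directive: [lower-cased source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy

def source_matches(source, url):
    """Simplified matching: '*', scheme-only (https:, wss:), *.host wildcards, host[:port]."""
    u = urlsplit(url)
    if source == "*" or source.startswith("'"):   # keywords are handled by the caller
        return source == "*"
    if source.endswith(":"):
        return u.scheme == source[:-1]
    s = urlsplit(source if "://" in source else "//" + source)
    if s.scheme and s.scheme != u.scheme:
        return False
    host = s.hostname or ""
    if host.startswith("*."):
        return bool(u.hostname) and u.hostname.endswith(host[1:])
    return u.hostname == host and (s.port is None or s.port == u.port)

def csp_allows(header, directive, url, origin="https://shop.example"):
    """Check one fetch against a directive (falling back to default-src, then to no limit)."""
    policy = parse_csp(header)
    sources = policy.get(directive, policy.get("default-src", ["*"]))
    if "'none'" in sources:
        return False
    if "'self'" in sources and url.startswith(origin + "/"):
        return True
    return any(source_matches(src, url) for src in sources)

def blocked_requests(header, observed=OBSERVED):
    """URLs the policy refuses: loader and exfil should be listed, the GTM fetch not."""
    return [url for directive, url in observed if not csp_allows(header, directive, url)]
```

With the permissive policy nothing in the trace is blocked; the tightened one still lets the legitimate Google Tag Manager script load while refusing the injected loader and both exfiltration channels.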
Google Tag Manager variants
In the past months there have been several Magecart skimmers abusing Google Tag Manager in one way or another. We mentioned Akamai’s blog, but it was also documented by Recorded Future. In those instances, the malicious code was actually embedded in the Google Tag Manager library itself, which is very clever and difficult to detect.
While the Kritec skimmer hangs around the Google Tag Manager script, we believe it is not related to the other active campaigns. We have been documenting it recently and are reporting the abuse to Cloudflare, which the skimmer uses to hide its real infrastructure.
Indicators of Compromise