An Analysis of the “Meyhod” JavaScript Web Skimmers

A new web skimmer called “Meyhod” has recently been disclosed by RiskIQ. Named after a typo in its code, this malware first surfaced in October, targeting several e-commerce sites, including Bosley, a hair treatment company, and the Chicago Architecture Center (CAC).

While investigating the attacker’s domain (jquerycloud[.]com) a bit further, other potential victims from this campaign were uncovered some months ago. These include Doves Farm UK, The Fruit Company, Customer Earth Promos, and – due to the file names – potentially iCanvas or TFC:

Active compromise of dovesfarm.co.uk:

Skimmer 1: Identifier – sClass="yeikyd" – ‘dovesfarm.js’ (available here)

Skimmer 2: Identifier – sClass="frydbt" – ‘icanvas.js’ (available here)

Skimmer 3: Identifier – sClass="bfiyad" – ‘tfc.js’ (available here)

Skimmer 1 – Listener:

Skimmer 2 and 3 – Listener:

Skimmed Data:

RC4 encryption:

Data collected:

  • Credit Card Number, Card Holder Name, CVV, expiry day, month and year, billing address, company name, email address, phone number, and location details.

The skimmed data is encoded using custom functions before it is sent off to the attacker-owned server by an AJAX POST request.
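One way to check a page for the indicators described above, as an added example that is not code from the original post or from RiskIQ: it parses a page's script tags and flags the three sClass identifiers and any script source or URL on the attacker's domain. The function names, the sample page, and the heuristic that other builds keep a six-lowercase-letter sClass value are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

IOC_DOMAINS = {"jquerycloud.com"}              # attacker domain named on this page
KNOWN_SCLASS = {"yeikyd", "frydbt", "bfiyad"}  # identifiers listed on this page
# Assumption: other builds keep the sClass="<six lowercase letters>" shape.
SCLASS_RE = re.compile(r"""sClass\s*=\s*["']([a-z]{6})["']""")
URL_RE = re.compile(r"""["']((?:https?:)?//[^"'\s]+)["']""")

class ScriptCollector(HTMLParser):  # gathers script src URLs and inline bodies
    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._in = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            self._in = not src
            self.srcs += [src] if src else []
    def handle_endtag(self, tag):
        if tag == "script":
            self._in = False
    def handle_data(self, data):
        if self._in:
            self.inline.append(data)

def on_ioc_domain(url):  # exact host or subdomain, so look-alikes are not flagged
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)

def scan_js(js):
    """Findings for one script body: sClass markers and URLs on IOC domains."""
    out = [("known-sclass" if i in KNOWN_SCLASS else "sclass-shape", i)
           for i in SCLASS_RE.findall(js)]
    return out + [("ioc-url", u) for u in URL_RE.findall(js) if on_ioc_domain(u)]

def scan_page(html):
    """Findings for a page: script src hosts plus inline script bodies."""
    c = ScriptCollector()
    c.feed(html)
    c.close()
    out = [("ioc-script-src", s) for s in c.srcs if on_ioc_domain(s)]
    return out + [f for body in c.inline for f in scan_js(body)]

# Constructed sample page, not taken from any real site.
SAMPLE = """<script src="https://jquerycloud.com/lib.js"></script>
<script src="/static/app.js"></script>
<script>var sClass = "yeikyd"; var u = "//jquerycloud.com/collect";</script>
<script>var sClass = "abcdef";</script>"""
print(scan_page(SAMPLE))
```

A "sclass-shape" finding is only a lead for manual review, since it matches the variable shape rather than a listed identifier; externally hosted first-party scripts can be fetched and passed to `scan_js` in the same way.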

As noted by RiskIQ, so far, the malware has not been attributed to any known Magecart group. None of its domain infrastructure, hosted with Alibaba, overlaps with other known groups.

https://www.virustotal.com/graph/embed/g5395cf9f801c419f8a1a623062dfb25d8cc2aa31f2e140ab9c38bacffa80e03c

Checking the host for the attacker’s domain uncovered that it shared IPs with another underground fraud site called ‘carderbazar[.]net’, which was down at the time of writing:

My previous blog on the analysis of a campaign and a deep-dive into the Magecart Collective can be found here and here.

Indicators of Compromise (IOCs):


References:

https://urlscan.io/result/fa70940d-2bf0-43db-b3d6-67ed91323b36/content
https://urlscan.io/result/3f98656d-9e49-408f-b370-2acf588d98a3/content
https://urlscan.io/result/932eb96f-a9ee-438e-9c97-d4ff54668fdf/content
https://www.riskiq.com/blog/labs/magecart-meyhod-skimmer
https://community.riskiq.com/article/14924d61
https://github.com/BushidoUK/Meyhod-Skimmers
https://app.any.run/tasks/4c671d18-334f-4023-b976-da8ed0c390d6