A technical analysis of a real-world Magecart-style credit card skimmer targeting WooCommerce checkouts. An attacker modified a legitimate JavaScript file (blazy.min.js) on disk, injecting malware that uses advanced obfuscation: a rotating encrypted string array with per-call RC4 decryption keys, a reversed base64-encoded C2 URL, and self-removal after execution. The skimmer polls checkout fields every 500ms to capture card data (validated with the Luhn algorithm), encrypts it with AES-256-GCM before exfiltrating it over a TLS WebSocket to request-cdn.com, and stores hashes of already-stolen cards in localStorage to avoid duplicate theft. The post details the C2 infrastructure and the obfuscation mechanics, and explains how a CSP with connect-src restrictions and JavaScript integrity monitoring (via Report URI) would have detected or blocked the attack.
Table of contents
An unusual choice
Evasion and Anti-Detection Techniques
Data Theft
Data Exfiltration Mechanism
Infrastructure
Code Obfuscation Techniques
How Report URI would have caught this
Indicators of Compromise
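The summary above states that a CSP with connect-src restrictions would have blocked the WebSocket exfiltration to request-cdn.com. The following added example, which is not code from the original post or from Report URI, shows why a typical permissive policy does not block it while an explicit connect-src allow-list does. It implements a simplified CSP source-expression matcher (keyword, scheme-only and host sources, with the CSP3 rule that https: also covers wss:, ports compared against scheme defaults, paths ignored) and evaluates whether a connection from a page origin to a target URL is permitted. Both policies, the page origin shop.example.test and the hosts api.example-shop.test and chat.example-shop.test are constructed assumptions; request-cdn.com is the exfiltration host named on the page.

```python
import re
from urllib.parse import urlsplit

# Constructed policies for illustration (assumptions, not the compromised site's real headers).
# The weak one is what many WooCommerce sites ship: no connect-src, and default-src allows any https: host.
WEAK_CSP = "default-src 'self' https: 'unsafe-inline'; script-src 'self' https:"
# The hardened one names every origin the checkout legitimately talks to and reports violations.
HARDENED_CSP = (
    "default-src 'self'; script-src 'self'; "
    "connect-src 'self' https://api.example-shop.test wss://chat.example-shop.test; "
    "report-uri https://example.report-uri.invalid/r/d/csp/enforce"
)

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}
# CSP3 scheme matching: a scheme in the policy also covers its secure / WebSocket upgrades,
# which is why a bare "https:" source lets a wss:// exfiltration channel through.
SCHEME_COVERS = {
    "http": {"http", "https", "ws", "wss"},
    "https": {"https", "wss"},
    "ws": {"ws", "wss"},
    "wss": {"wss"},
}

HOST_SOURCE = re.compile(r"(?:([a-z][a-z0-9+.\-]*)://)?(\*|\*\.[^/:]+|[^/:*]+)(?::(\d+|\*))?(/.*)?")


def parse_csp(header):
    """Split a CSP header into {directive: [sources]}; the first occurrence of a directive wins."""
    directives = {}
    for chunk in header.split(";"):
        parts = chunk.strip().split()
        if parts and parts[0].lower() not in directives:
            directives[parts[0].lower()] = parts[1:]
    return directives


def _scheme_ok(policy_scheme, target_scheme):
    return target_scheme in SCHEME_COVERS.get(policy_scheme, {policy_scheme})


def _port(url):
    return url.port or DEFAULT_PORTS.get(url.scheme)


def source_matches(source, page_origin, target_url):
    """Simplified CSP source-expression match for a network request (connect-src semantics)."""
    t, page, s = urlsplit(target_url), urlsplit(page_origin), source.lower()
    if s == "'none'":
        return False
    if s == "'self'":
        # Same host and a covered scheme; port handling for 'self' is simplified here.
        return t.hostname == page.hostname and _scheme_ok(page.scheme, t.scheme)
    if s.startswith("'"):
        return False  # nonces, hashes and other keywords never authorise a network fetch
    if re.fullmatch(r"[a-z][a-z0-9+.\-]*:", s):
        return _scheme_ok(s[:-1], t.scheme)  # scheme-only source such as "https:"
    m = HOST_SOURCE.fullmatch(s)
    if not m:
        return False
    scheme, host, port, _path = m.groups()
    if not _scheme_ok(scheme or page.scheme, t.scheme):
        return False
    if host == "*":
        host_ok = True
    elif host.startswith("*."):
        host_ok = t.hostname is not None and t.hostname.endswith(host[1:])
    else:
        host_ok = t.hostname == host
    if not host_ok:
        return False
    if port is None:
        return _port(t) == DEFAULT_PORTS.get(t.scheme)
    return port == "*" or int(port) == _port(t)


def connection_allowed(csp_header, page_origin, target_url):
    """True if the policy lets a script on page_origin open a connection to target_url.
    connect-src governs fetch/XHR/WebSocket; with no connect-src, default-src applies."""
    directives = parse_csp(csp_header)
    sources = directives.get("connect-src", directives.get("default-src"))
    if sources is None:
        return True  # no governing directive: the browser imposes no restriction
    return any(source_matches(src, page_origin, target_url) for src in sources)


if __name__ == "__main__":
    page = "https://shop.example.test"
    exfil = "wss://request-cdn.com/"
    for name, policy in (("weak", WEAK_CSP), ("hardened", HARDENED_CSP)):
        print(f"{name}: WebSocket to {exfil} allowed = {connection_allowed(policy, page, exfil)}")
```

With the hardened policy the browser refuses the WebSocket and, because of report-uri, sends a violation report naming the blocked host, which is the detection signal the post attributes to Report URI. The check runs against response headers only, so it also serves as a pre-deployment test of a proposed policy.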