IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Magecart card skimmer avoids detection by evading virtual machines

Browser script detects VMs used by researchers

Woman holding a credit card over a keyboard

Security researchers have found a new credit card that uses a browser script to discover antivirus companiesvirtual machines (VM) and sandboxes to avoid detection.

Researchers at Malwarebytes instigated an investigation into a newly reported domain that could be related to Magecart. It found suspicious JavaScript loads alongside an image of payment methods. 

They found an interesting function within this skimmer script that uses the WebGL JavaScript API to gather information about the user’s machine. This script checks to see if a user’s device is running a virtual machine.

It does this by detecting if the graphics card driver running on the operating system is a software renderer fallback from the hardware (GPU) renderer. In the script, the skimmer is checking for the presence of the words swiftshader, llvmpipe, and VirtualBox. Google Chrome uses SwiftShader while Firefox relies on llvmpipe as its renderer fallback.

“By performing this in-browser check, the threat actor can exclude researchers and sandboxes and only allow real victims to be targeted by the skimmer,” said Jérôme Segura, head of Threat Intelligence at Malwarebytes.

Researchers noticed if the machine passes the check, the personal data exfiltration process can take place normally. The skimmer scrapes several fields, including the customer’s name, address, email, phone number, and credit card data.

“It also collects any password (many online stores allow customers to register an account), the browser’s user-agent, and a unique user ID. The data is then encoded and exfiltrated to the same host via a single POST request,” said Segura.

While trying to detect if a machine is running a VM, which security researchers use to safely analyze malware, this malware looks for specific values indicating the presence of VMware or Virtual Box, two of the most popular pieces of virtualization software.

“For web threats, it is more rare to see detection of virtual machines via the browser. Typically threat actors are content with filtering targets based on geolocation and user-agent strings. But that feature does exist in modern browsers and can be quite effective,” said Segura.

Researchers added that it is not surprising to see criminals adopt such evasion techniques. “However, it shows that as we get better at detecting and reporting attacks, threat actors also evolve their code eventually. This is a natural trade-off that we must expect,” added Segura.

Featured Resources

2022 State of the multi-cloud report

What are the biggest multi-cloud motivations for decision-makers, and what are the leading challenges

Free Download

The Total Economic Impact™ of IBM robotic process automation

Cost savings and business benefits enabled by robotic process automation

Free Download

Multi-cloud data integration for data leaders

A holistic data-fabric approach to multi-cloud integration

Free Download

MLOps and trustworthy AI for data leaders

A data fabric approach to MLOps and trustworthy AI

Free Download

Recommended

Revealed: The top 200 most common passwords of 2022
cyber security

Revealed: The top 200 most common passwords of 2022

17 Nov 2022
Ransomware activity down 11% worldwide in Q3, but rise expected
ransomware

Ransomware activity down 11% worldwide in Q3, but rise expected

20 Oct 2022
Undetectable PowerShell backdoor discovered hiding as Windows update
vulnerability

Undetectable PowerShell backdoor discovered hiding as Windows update

19 Oct 2022
How to trust your inbox with Cloudflare Area 1
Whitepaper

How to trust your inbox with Cloudflare Area 1

19 Oct 2022

Most Popular

The top 12 password-cracking techniques used by hackers
Security

The top 12 password-cracking techniques used by hackers

14 Nov 2022
How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

15 Nov 2022
Interpol arrests nearly 1,000 cyber criminals in months-long anti-fraud operation
cyber crime

Interpol arrests nearly 1,000 cyber criminals in months-long anti-fraud operation

25 Nov 2022