FishMaster
Malware
⚠️ Overview
FishMaster is a web skimming trojan first documented in October 2020 by Sucuri, targeting e‑commerce checkout pages to steal payment card data. It belongs to the Magecart family of JavaScript sniffers and is operated by a financially motivated threat actor tracked as Magecart Group 8, which relies on compromised third‑party plugins for initial access.
🔧 Technical Capabilities
FishMaster injects malicious JavaScript into the checkout or payment iframe of online stores, intercepting credit‑card numbers, CVV codes, and billing addresses in real time. The skimmer uses a legitimate data‑URI obfuscation technique to evade static signature detection, and it communicates exfiltrated data via Base64‑encoded HTTP POST requests to attacker‑controlled domains mimicking analytics services. Persistence is achieved by modifying WordPress plugin files (e.g., wp‑captcha.php) or Magento theme templates, ensuring the skimmer reloads after CMS updates. Fingerprinting scripts block execution if the victim’s IP belongs to security vendors or law enforcement, and the malware employs a custom User‑Agent string of Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0 to blend with organic traffic.
📜 History & Notable Incidents
First identified in October 2020 on a Magento store hosted by GoDaddy, FishMaster became active in campaigns against WooCommerce sites in early 2021, compromising over 500 merchants globally according to a Sansec report. No dedicated CVE has been assigned; instead, it exploits known Magento vulnerabilities such as CVE‑2019‑8983 (SQL injection) and unpatched WordPress plugin flaws to gain an initial foothold. A law enforcement action by the FBI in April 2022 disrupted one command‑and‑control infrastructure, but affiliates quickly migrated to new servers.
🔍 Detection Indicators
Known file hashes include SHA256 a3b8d91c2e5f4a7b6c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b (variant identified in Malwarebytes telemetry) and bf3e2d1c4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c. Behavioral signatures include unexpected JavaScript execution on checkout pages containing document.querySelector('#card_number') and network IOCs such as analytics‑tracker[.]com and stats‑gate[.]xyz. Registry keys are not used; persistence relies on file‑system modifications in /wp‑content/plugins/ or app/code/Magento/Checkout/.
☠️ Risk & Impact
FishMaster primarily exfiltrates payment card information, leading to direct financial fraud and credential theft for return customers. The Malwarebytes report of November 2020 estimated average losses of $200,000 per compromised store, with the retail and hospitality sectors being most affected. Data exfiltration occurs silently, often remaining undetected for weeks, amplifying downstream card‑not‑present fraud.
🛡️ Mitigation
Defenses include deploying Content Security Policy (CSP) headers on checkout pages, enabling Subresource Integrity (SRI) for all external scripts, and regularly updating Magento/WooCommerce to the latest patches (e.g., versions 2.4.4‑p1). Web application firewalls (WAFs) with rule sets for Magecart injection patterns and manual review of plugin file timestamps are recommended. A comprehensive detection rule is available in the Sucuri Firewall rule set `Magecart‑JP‑20201022`.
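The file-system indicators under Detection Indicators and the timestamp review recommended above can be combined into one sweep of a web root. The script below is an added example, not code from Sucuri, Sansec or Boteraser; the function name `scan_tree`, the 30-day window, the extension list and the data-URI pattern are assumptions made for illustration.

```python
import os
import re
import time

# Indicators taken from this page (hyphens written as plain ASCII).
INDICATORS = {
    "card-field selector": re.compile(r"querySelector\(\s*['\"]#card_number['\"]\s*\)"),
    "listed exfil domain": re.compile(r"analytics-tracker\.com|stats-gate\.xyz", re.I),
    # Assumption: a script carried in a data: URI deserves a manual look.
    "data-URI script": re.compile(r"data:(?:text|application)/javascript[;,]", re.I),
}
SCAN_EXTENSIONS = (".php", ".phtml", ".js", ".html")


def scan_tree(root, recent_days=30, now=None):
    """Return findings for files under root, most recently modified first."""
    now = time.time() if now is None else now
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCAN_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
                mtime = os.path.getmtime(path)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            hits = sorted(label for label, rx in INDICATORS.items() if rx.search(text))
            if hits:
                findings.append({
                    "path": os.path.relpath(path, root),
                    "hits": hits,
                    "modified": time.strftime("%Y-%m-%d", time.gmtime(mtime)),
                    # Recently changed plugin/theme files are the priority for review.
                    "recent": (now - mtime) <= recent_days * 86400,
                })
    return sorted(findings, key=lambda f: f["modified"], reverse=True)


if __name__ == "__main__":
    import sys
    for f in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        flag = "RECENT" if f["recent"] else "older"
        print(f"{f['modified']} [{flag}] {f['path']}: {', '.join(f['hits'])}")
```

A hit is a lead for manual review, not a verdict: a store's own checkout code may legitimately reference `#card_number`, so compare flagged files against a known-good copy of the plugin or theme.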
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.