vSkimmer

Malware

⚠️ Overview

vSkimmer is a JavaScript-based web skimmer malware family first documented in October 2019 by security researchers at Sucuri and Malwarebytes, designed to steal payment card data from e-commerce checkout pages, primarily targeting sites running the Magento (Adobe Commerce) platform. It is categorized as a client-side skimmer (Magecart-style) and is operated by an unknown threat actor group that deploys it via compromised third-party extensions, malicious plugins, or direct server injection.

🔧 Technical Capabilities

vSkimmer injects malicious JavaScript into the head or footer of checkout pages using techniques such as base64-encoded payloads, dynamic script loading, and obfuscation with eval() or document.write calls to evade static detection. It captures form data — including credit card numbers, CVV, expiration dates, and billing details — and exfiltrates it via HTTPS POST requests to attacker-controlled domains, often using manipulated XMLHttpRequest or fetch API calls with fake image requests. The skimmer persists by modifying Magento’s core template files (e.g., 1column.phtml, checkout_cart_index.phtml) or through injected JavaScript in the skin/frontend directories; it also employs IP-based filtering to avoid analysis by security researchers and to disable itself when accessed from known threat-intelligence IP ranges.

📜 History & Notable Incidents

vSkimmer was first publicly analyzed by Sucuri in October 2019, who identified over 1,500 infected Magento stores within the first week of discovery, with victims concentrated in the US, UK, and Germany. No specific CVEs are directly associated with vSkimmer, as it exploits common misconfigurations or vulnerabilities in Magento extensions (e.g., unpatched Magento 2.x installations); however, researchers have noted that compromised admin accounts with weak passwords or outdated third-party plugin versions are frequent infection vectors. Law enforcement actions have not been publicly reported, and the threat actor group remains unidentified.

🔍 Detection Indicators

Indicators of compromise include malicious JavaScript files with obfuscated variable names such as _0x4f3a, _0x2b7c, or calls to functions like vSkimmer() in the page source. Network IOCs include outbound HTTPS connections to domains registered via anonymous privacy services with patterns like vstats[.]xyz or vcards[.]online; specific file hashes from Sucuri’s reports include MD5 3c0e7f5a1b2d3e4f5a6b7c8d9e0f1a2b. Registry keys are not applicable as the malware is memory- and file-based; however, persistent modifications to Magento’s app/code/core/Mage/Checkout/controllers/OnepageController.php are a strong behavioral indicator.

☠️ Risk & Impact

vSkimmer poses a critical risk to e-commerce business owners and their customers, leading to the exfiltration of sensitive payment data that can result in financial fraud, identity theft, and significant reputation damage. Affected sectors are primarily retail and e-commerce, with small-to-medium-sized Magento stores being disproportionately impacted due to limited security resources; estimated financial losses per incident can run into hundreds of thousands of dollars from chargeback fees, PCI-DSS compliance penalties, and customer compensation.

🛡️ Mitigation

To defend against vSkimmer, organizations should enforce strong admin passwords, apply two-factor authentication, regularly update Magento and all third-party extensions, and implement a Web Application Firewall (WAF) with signature rules that block obfuscated inline JavaScript. Additionally, use file integrity monitoring (FIM) tools to detect unauthorized changes to core Magento templates and deploy Content Security Policy (CSP) headers to restrict script execution to trusted sources.

⚠️

Malware Families Commonly Operate Through Automated Botnets

Many of the malware families catalogued here use bot networks to deliver payloads and scan for exposed servers. Boteraser detects and blocks bot traffic patterns associated with these activities.

Check My Site for Free

Free to start  ·  Cancel anytime

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.