Payment fraud has industrialized, and that's a defensive advantage. Learn how standardized attack infrastructure creates detectable patterns that financial institutions can act on before losses occur.
Analysis Summary
# Tool/Technique: Industrialized E-Skimming & Fraud Infrastructure
## Overview
This represents the professionalization of the payment fraud ecosystem, moving from bespoke attacks to standardized Malware-as-a-Service (MaaS) and Infrastructure-as-a-Service (IaaS) models. Threat actors now use packaged kits and managed services to automate e-commerce compromise (Magecart), card testing, and fraudulent merchant acquisition.
## Technical Details
- **Type:** Malware family (E-skimmers) and Fraudulent Infrastructure
- **Platform:** Web-based E-commerce platforms (PHP, JavaScript, CMS like Magento/Shopify)
- **Capabilities:** Automated card data harvesting, centralized C2 management, automated card validity testing (checking), and merchant account spoofing.
- **First Seen:** Magecart activity is long-standing; "Sniffer by Fleras" and "AcceptCar" were identified as the dominant kits in 2025.
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1189 - Drive-by Compromise]
  - [T1190 - Exploit Public-Facing Application]
- **[TA0003 - Persistence]**
  - [T1505.003 - Server Software Component: Web Shell]
- **[TA0006 - Credential Access]**
  - [T1559 - Inter-Process Communication (specifically via web API/hooks)]
  - [T1539 - Steal Web Session Cookie]
- **[TA0009 - Collection]**
  - [T1185 - Browser Session Hijacking]
  - [T1602 - Data from Configuration Repository]
- **[TA0010 - Exfiltration]**
  - [T1041 - Exfiltration Over C2 Channel]
## Functionality
### Core Capabilities
- **Web Injection:** Injecting malicious JavaScript (skimmers) into checkout pages to capture PII and payment card data in real time.
- **Data Management:** Web-based portals (e.g., Fleras) for viewing harvested logs and managing infected "bots."
- **Automated Verification:** Telegram-based bots and dark web "checkers" used to validate stolen card numbers against legitimate merchant APIs.
### Advanced Features
- **Revenue Sharing Models:** "AcceptCar" provides a managed service where operators handle the technical installation in exchange for a 50-70% cut of the profits.
- **Standardized Registration:** Automated workflows for standing up "Scam Merchant" accounts across hundreds of global acquirers using repeatable patterns.
- **Evasion-Focused Rotation:** Systematic rotation of tester merchant accounts; 94% of observed testing infrastructure is new each year to avoid blacklists.
## Indicators of Compromise
- **File Names:** `sniffer.js`, `mage.js`, and various obfuscated scripts often appended to legitimate libraries (e.g., `jquery.min.js`).
- **Network Indicators:**
  - Telegram bot APIs used for card testing commands.
  - C2 domains mimicking payment processors (e.g., `pay-verification[.]com`).
  - Known "Fleras" management panels.
- **Behavioral Indicators:**
  - Presence of unrecognized external JavaScript requests on checkout pages (data exfiltration).
  - High volume of low-value ($0.00 or $1.00) authorization attempts on merchant accounts (card testing).
  - Recent domain registrations (typically < 30 days) associated with new merchant IDs.
## Associated Threat Actors
- **Magecart Groups** (Various subgroups)
- **Fleras Operators** (Developers of the "Sniffer by Fleras" kit)
- **AcceptCar Operators** (MaaS providers)
- **Scam Merchant Syndicates**
## Detection Methods
- **Behavioral Detection:** Monitoring for "Card Testing" patterns (high velocity, incremental CVV guessing, or BIN attacks).
- **Web Integrity Monitoring:** Scanning e-commerce sites for unauthorized changes to JavaScript files or new, obfuscated scripts.
- **Merchant Profiling:** Identifying MCC (Merchant Category Code) mismatches and rapid merchant rotation patterns.
- **External Intelligence:** Tracking newly registered domains and common infrastructure shared across different scam operations.
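The behavioral detection described above, as an added example that is not part of the original report: a small sliding-window detector run over a constructed authorization log (tokenized PANs, no raw card data). The log format, field names and thresholds are assumptions for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authorization log (tokenized PAN, no raw card data).
# Fields: timestamp merchant_id bin pan_token amount result
SAMPLE_LOG = """\
2025-03-01T10:00:00 M-7781 411111 tok_a1 0.00 OK
2025-03-01T10:00:03 M-7781 411111 tok_a2 1.00 DECLINED_INSUFFICIENT
2025-03-01T10:00:05 M-7781 411111 tok_a3 1.00 OK
2025-03-01T10:00:08 M-7781 411111 tok_a4 0.00 DECLINED_DO_NOT_HONOR
2025-03-01T10:02:00 M-7781 555555 tok_b1 1.00 DECLINED_CVV_MISMATCH
2025-03-01T10:02:04 M-7781 555555 tok_b1 1.00 DECLINED_CVV_MISMATCH
2025-03-01T10:02:09 M-7781 555555 tok_b1 1.00 DECLINED_CVV_MISMATCH
2025-03-01T11:30:00 M-2204 411111 tok_c1 49.99 OK
2025-03-01T12:45:10 M-2204 555555 tok_c2 120.00 OK
"""
# Thresholds are assumptions for this example; tune to the acquirer's baseline.
WINDOW = timedelta(minutes=5)
LOW_VALUE = 1.00      # $0.00 / $1.00 "validity" authorizations
LOW_VALUE_LIMIT = 4   # low-value auths per merchant inside WINDOW
CVV_RETRY_LIMIT = 3   # CVV-mismatch declines on one card inside WINDOW
BIN_SPREAD_LIMIT = 4  # distinct cards from one BIN at one merchant inside WINDOW

def parse_log(text):
    events = []
    for line in text.strip().splitlines():
        ts, merchant, bin_, token, amount, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "merchant": merchant, "bin": bin_,
                       "token": token, "amount": float(amount), "result": result})
    return sorted(events, key=lambda e: e["ts"])

def detect_card_testing(events):
    """Return sorted (merchant, alert_type, key) tuples, one per pattern seen."""
    alerts = set()
    by_merchant = defaultdict(list)
    for ev in events:
        by_merchant[ev["merchant"]].append(ev)
    for merchant, evs in by_merchant.items():
        for i, cur in enumerate(evs):
            # Trailing window: this merchant's events up to WINDOW before cur.
            window = [e for e in evs[: i + 1] if cur["ts"] - e["ts"] <= WINDOW]
            if sum(e["amount"] <= LOW_VALUE for e in window) >= LOW_VALUE_LIMIT:
                alerts.add((merchant, "LOW_VALUE_VELOCITY", "*"))
            cvv_fails = sum(e["token"] == cur["token"] and
                            e["result"] == "DECLINED_CVV_MISMATCH" for e in window)
            if cvv_fails >= CVV_RETRY_LIMIT:
                alerts.add((merchant, "CVV_GUESSING", cur["token"]))
            if len({e["token"] for e in window if e["bin"] == cur["bin"]}) >= BIN_SPREAD_LIMIT:
                alerts.add((merchant, "BIN_ATTACK", cur["bin"]))
    return sorted(alerts)
```

On the sample, merchant M-7781 trips all three patterns (low-value velocity, repeated CVV mismatches on one token, many distinct cards from one BIN) while the normal-looking M-2204 traffic produces no alert.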
## Mitigation Strategies
- **Content Security Policy (CSP):** Implement strict CSPs to prevent the execution of scripts from untrusted domains.
- **Subresource Integrity (SRI):** Use SRI hashes to ensure that third-party scripts have not been tampered with.
- **BIN Blocking:** Proactively blocking or flagging cards that show activity on known "tester" merchants.
- **Standardized Onboarding Scrutiny:** Enhanced KYC (Know Your Customer) for merchants showing standardized registration patterns.
## Related Tools/Techniques
- **Formjacking:** The broader technique of stealing data from web forms.
- **BIN Attacks:** Brute-forcing the remaining digits of a card number based on a known Bank Identification Number.
- **Purchase Scams:** Using social engineering to convince users to pay fraudulent merchants directly.