Security researchers from Jscrambler have uncovered a new digital skimming campaign that exploits Unicode characters, many of which are invisible, to conceal malicious code known as Mongolian Skimmer. The primary objective of this skimmer is to steal sensitive data entered on checkout pages of online stores, including financial information.
Mongolian Skimmer is injected into compromised websites as an embedded script that fetches the main malicious code from an external server. The script is designed to bypass analysis and debugging measures by disabling certain functions when developer tools are activated in the browser.
Thanks to JavaScript’s ability to use any Unicode characters in identifiers, the attackers have successfully hidden the malicious functionality from plain view.
According to Jscrambler expert Pedro Fortuna, the skimmer employs well-known techniques to ensure compatibility with different browsers, enabling it to target a wide range of users regardless of the browser version.
An unusual version of the loader was also discovered, activating the skimmer only when a user interacts with the website—such as scrolling the page or moving the mouse. This approach not only helps evade bot protection systems but also reduces the strain on the site, minimizing its impact on performance.
Interestingly, on one of the compromised websites through which Mongolian Skimmer was being distributed, researchers found evidence of two separate cybercriminal groups. The attackers were communicating via comments in the site’s source code, negotiating over profit-sharing. In one message, the first attacker suggested splitting the earnings equally: “50/50 maybe?” The second agreed, adding, “You can add your code :)”.
Experts emphasize that while the obfuscation methods involving Unicode may seem novel, they are in fact long-established techniques that merely create the illusion of complex encryption.
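A defender-side check for the identifier trick described above, added here as an example and not taken from Jscrambler's report or from the skimmer: it lists identifier-like tokens in a script that contain non-ASCII characters and marks those built from code points that render as nothing. The function name, the sample strings and the choice of Hangul filler characters are assumptions made for illustration; the article does not say which characters the campaign used.

```javascript
// Heuristic triage, not a JavaScript parser: words inside strings and comments
// are matched too, and keywords count as tokens.

// ECMAScript identifier shape: ID_Start, $ or _ followed by ID_Continue, $, ZWNJ or ZWJ.
const IDENT = /[\p{ID_Start}$_][\p{ID_Continue}$\u200c\u200d]*/gu;
// Code points with no visible rendering (Unicode Default_Ignorable_Code_Point).
const INVISIBLE = /\p{Default_Ignorable_Code_Point}/gu;
const NON_ASCII = /[^\x00-\x7f]/u;

const hex = (ch) =>
  "U+" + ch.codePointAt(0).toString(16).toUpperCase().padStart(4, "0");

function auditIdentifiers(source) {
  const findings = new Map(); // one entry per distinct non-ASCII name
  let tokens = 0;
  for (const [name] of source.matchAll(IDENT)) {
    tokens++;
    if (!NON_ASCII.test(name) || findings.has(name)) continue;
    findings.set(name, {
      // Printable form for a report: ASCII kept, everything else as U+XXXX.
      escaped: [...name].map((c) => (c > "\x7f" ? hex(c) : c)).join(" "),
      invisible: (name.match(INVISIBLE) || []).map(hex),
    });
  }
  const nonAscii = [...findings.values()];
  const invisibleCount = nonAscii.filter((f) => f.invisible.length > 0).length;
  return { tokens, nonAscii, invisibleCount, suspicious: invisibleCount > 0 };
}

// Constructed samples (not from the campaign). HIDDEN names its variables with
// U+3164 HANGUL FILLER and U+FFA0 HALFWIDTH HANGUL FILLER, which display as blanks.
const CLEAN = "var total = price * qty; function pay(card) { return total; }";
const ACCENTED = "let caf\u00e9 = 1;"; // visible non-ASCII: listed, not flagged
const HIDDEN =
  "var \u3164 = document, \uffa0\u3164 = 'form'; \u3164.querySelector(\uffa0\u3164);";

for (const [label, src] of Object.entries({ CLEAN, ACCENTED, HIDDEN })) {
  const r = auditIdentifiers(src);
  console.log(label, "suspicious:", r.suspicious, r.nonAscii.map((f) => f.escaped));
}
```

Running the same audit over scripts captured from a checkout page at build time and again in production gives a baseline: a third-party script that suddenly gains invisible identifiers is worth a manual look.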
The growing prevalence of digital skimmers has reached a new phase—cybercriminals are now forced to divide profits, competing for control over the same website. Discussions of a “fair” split of earnings within the source code itself only highlight how commonplace and routine these cyberattacks have become.