Most of these servers had domain names mimicking Magento, the most heavily attacked e-commerce platform.
The deobfuscated script shows the exfiltration domain (jquerylol[.]ru) where the stolen data will be sent. Courtesy Malwarebytes
He also posted an image of the deobfuscated script, in which the domain to which the data was being exfiltrated could be seen.
Segura said the compromised Magento sites would continue to be at risk even if the GitHub-hosted skimmer was taken down.
"Indeed, attackers can easily re-infect them in the same manner they initially injected the first one," he said.
"It is critical for e-commerce site owners to keep their CMS and its plugins up-to-date, as well as use secure authentication methods. Over the past year, we have identified thousands of sites that have been hacked and are posing a risk for online shoppers."
"From there, you only allow a select set of vetted scripts (usually only your own) to access this sensitive data. And as a result, if this type of skimming code does get on your site, it simply can't access any sensitive information."
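One concrete form of the control Segura describes, a Content-Security-Policy that lets only a vetted set of script origins execute and only vetted endpoints receive data, as an added JavaScript example that is not part of the article or of Malwarebytes' material. The shop, CDN and API origins are constructed for illustration; jquerylol.ru is the exfiltration domain named in the caption above, and the GitHub raw URL is an illustrative path standing in for the GitHub-hosted skimmer.

```javascript
// Added example, not from the article. Builds a CSP header for a store
// that trusts only its own origin plus explicitly vetted hosts, then checks
// which observed resource loads that policy would block.

// Assemble the policy from vetted origins. 'self' is always included.
function buildCsp(vettedScriptOrigins, vettedConnectOrigins) {
  const scriptSrc = ["'self'", ...vettedScriptOrigins].join(' ');
  const connectSrc = ["'self'", ...vettedConnectOrigins].join(' ');
  return [
    "default-src 'self'",
    `script-src ${scriptSrc}`,   // a script served from an unlisted host never executes
    `connect-src ${connectSrc}`, // fetch/XHR/sendBeacon to unlisted hosts is blocked
    "img-src 'self'",            // blocks the "tracking pixel" exfiltration trick
    "form-action 'self'",        // blocks form posts redirected to another host
    "frame-ancestors 'none'",
  ].join('; ');
}

// Parse a CSP header into { directive: [source, ...] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [directive, ...sources] = tokens;
    policy[directive] = sources;
  }
  return policy;
}

// Does one CSP source expression match `url`, with `pageOrigin` as 'self'?
// Covers 'self', 'none', exact origins and https://*.host wildcards.
function sourceMatches(source, url, pageOrigin) {
  const u = new URL(url);
  if (source === "'self'") return u.origin === pageOrigin;
  if (source === "'none'") return false;
  if (source.startsWith('https://*.')) {
    const suffix = source.slice('https://*.'.length);
    return u.protocol === 'https:' && u.hostname.endsWith('.' + suffix);
  }
  return u.origin === source;
}

// Is loading `url` under `directive` allowed? Falls back to default-src
// when the specific directive is absent, as browsers do.
function isAllowed(header, directive, url, pageOrigin) {
  const policy = parseCsp(header);
  const sources = policy[directive] || policy['default-src'] || [];
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// Given resources observed on a page ({directive, url}), return the URLs
// the policy would refuse. Useful for dry-running a policy against real
// traffic before enforcing it.
function findBlocked(header, resources, pageOrigin) {
  return resources
    .filter((r) => !isAllowed(header, r.directive, r.url, pageOrigin))
    .map((r) => r.url);
}

// Constructed store origins (hypothetical).
const PAGE_ORIGIN = 'https://shop.example';
const STORE_CSP = buildCsp(['https://cdn.shop.example'], ['https://api.shop.example']);

// Constructed list of what a checkout page might be observed loading.
const OBSERVED = [
  { directive: 'script-src', url: 'https://cdn.shop.example/checkout.js' },
  { directive: 'connect-src', url: 'https://api.shop.example/cart' },
  // illustrative skimmer location; path is a placeholder, not from the article
  { directive: 'script-src', url: 'https://raw.githubusercontent.com/placeholder-user/placeholder-repo/master/jquery.js' },
  // exfiltration destination named in the article
  { directive: 'img-src', url: 'https://jquerylol.ru/collect.gif?data=PLACEHOLDER' },
];

console.log(STORE_CSP);
console.log('blocked:', findBlocked(STORE_CSP, OBSERVED, PAGE_ORIGIN));
```

Run under Node with `node csp-check.js` (any file name). The policy stops a script from an unvetted host from running at all and, if injection succeeds by another route, stops the page from talking to the exfiltration host; pairing it with Subresource Integrity on the vetted scripts closes the remaining gap where a trusted script is itself modified.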