A newly uncovered credit card skimming campaign, dubbed “RolandSkimmer,” has been exploiting browser extensions to steal sensitive financial information from users.
FortiGuard Labs identified this sophisticated attack targeting Microsoft Windows platforms and popular browsers, including Chrome, Edge, and Firefox.
The campaign demonstrates advanced techniques for persistence, evasion, and data exfiltration, posing a significant threat to cybersecurity.
Attack Methodology and Infection Chain
The RolandSkimmer campaign begins with the distribution of a malicious ZIP file named “faktura_3716804.zip.”
Upon extraction, users encounter an innocuous-looking shortcut file, “faktura_1065170.lnk,” which covertly executes a VBScript payload through the Windows mshta.exe process.

This script establishes a persistent connection with the attacker’s command-and-control (C2) server, enabling the download of additional malicious components disguised as image files or documents.
The malware performs reconnaissance on the victim’s system by gathering hardware details, operating system information, and installed browser configurations.
This intelligence allows attackers to tailor their infection strategy based on the environment, avoiding virtual machines or sandboxed systems.
Browser Extensions as Key Attack Vectors
The attackers leverage malicious browser extensions as core components of their operation.
For Edge, they deploy an extension named “Disable Content Security Policy,” which claims to bypass website security measures but is engineered for data theft.
Chrome and Firefox are targeted using XOR-encoded files that mimic legitimate extensions like Tampermonkey.
These extensions are configured to intercept network requests, monitor user activity, and exfiltrate sensitive data such as credit card numbers.
Key components of the malicious extensions include the configuration and script files (manifest.json, background.js, background2.js) stored in concealed directories.
These files grant invasive permissions that allow the malware to manipulate browsing data, intercept form submissions, and track user behavior across sessions.
Indicators of Compromise (IoCs)
FortiGuard Labs provided several IoCs associated with RolandSkimmer:
- Malicious files:
  - ZIP file: faktura_3716804.zip
  - Shortcut file: faktura_1065170.lnk
  - Obfuscated VBScript payload hosted at hxxp://invsetmx[.]com/n.jpg
  - XOR-encoded extension files downloaded from fzhivka-001-site1.btempurl.com
- C2 servers:
  - Primary server: hxxp://invsetmx[.]com
  - Secondary server for updates: hxxps://exmkleo[.]com
- Malicious extensions:
  - Edge: “Disable Content Security Policy”
  - Chrome/Firefox: mimicked Tampermonkey extension
- URLs used for data exfiltration:
  - Example format: hxxps://bg3dsec[.]com/?S=-&D=&N=
RolandSkimmer achieves persistence by modifying browser shortcuts rather than altering legitimate binaries directly.

For Edge, attackers create a new shortcut that loads the malicious extension using arguments like --load-extension="%LOCALAPPDATA%\s2ch97".
Legitimate shortcuts are removed from desktops and taskbars, ensuring victims unknowingly launch infected browsers.
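Defenders can hunt for this persistence technique by inspecting the arguments embedded in browser shortcuts. The following is an added example, not code from FortiGuard's report: a minimal parser for the Windows shell-link (.lnk) format that extracts a shortcut's command-line arguments and reports any directories it force-loads via --load-extension. The sample shortcut bytes are constructed inline, and the msedge.exe relative path in them is an assumption.

```python
import re
import struct

# LinkFlags bits from the MS-SHLLINK header (offset 0x14) and the shell-link CLSID.
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))
SHELL_LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

def lnk_string_data(data: bytes) -> dict:
    """Extract the StringData fields (relative path, arguments, ...) of a .lnk file."""
    if struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != SHELL_LINK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the item ID list (size prefix excluded)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields, width = {}, 2 if flags & IS_UNICODE else 1
    for name, bit in STRING_FIELDS:              # fixed order per the spec
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        raw = data[pos + 2:pos + 2 + count * width]
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
        pos += 2 + count * width
    return fields

def sideloaded_extensions(data: bytes) -> list:
    """Return every directory a browser shortcut force-loads via --load-extension ([] if none)."""
    args = lnk_string_data(data).get("arguments", "")
    found = []
    for quoted, bare in re.findall(r'--load-extension=(?:"([^"]*)"|(\S+))', args):
        found.extend(d for d in (quoted or bare).split(",") if d)
    return found

def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Construct a minimal Unicode .lnk carrying only RELATIVE_PATH and COMMAND_LINE_ARGUMENTS."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (relative_path, arguments))
    return struct.pack("<I", 0x4C) + SHELL_LINK_CLSID + struct.pack("<I", flags) + bytes(52) + body

# Constructed sample shortcut mirroring the technique described above (not a real artifact).
SAMPLE_LNK = build_lnk(r"..\..\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
                       r'--load-extension="%LOCALAPPDATA%\s2ch97"')
CLEAN_LNK = build_lnk(r"..\..\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", "")
```

Run `sideloaded_extensions` over the .lnk files on user desktops and taskbar pin folders; any browser shortcut that returns a non-empty list deserves a look, since a normal installer-created shortcut carries no such argument.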
For Firefox, attackers simulate a valid user profile by deploying preconfigured extension files (as1.rar to as6.rar).
These files include metadata, settings, and scripts designed to auto-import malicious configurations upon browser startup.
The RolandSkimmer campaign showcases the increasing sophistication of browser-based threats.
By abusing legitimate Windows mechanisms such as LNK shortcut files and mshta.exe, and leveraging advanced scripting techniques within extensions, attackers achieve stealthy persistence while exfiltrating sensitive financial data over extended periods.
The use of obfuscated scripts and adaptive infection paths further complicates detection efforts.
To mitigate risks, users should avoid opening unknown shortcut files or installing unverified browser extensions.
Organizations must implement security tools capable of identifying unusual script activity and restrict unauthorized browser modifications.