Olivia
Online
EKFiddle
@EKFiddle
An extension/rules for the Fiddler Classic and Fiddler Everywhere web debuggers | Tweets by @malwareinfosec
Fiddler
Joined January 2017
1 Following
1.1K Followers
160 Posts
Added 'Mag_cache' skimmer detection to EKFiddle (ref: https://t.co/HTqKKA2I6h)
Rules for Fiddler Classic and Fiddler Everywhere:
https://t.co/U67qZoKyfm
ℹ️ We found a #Magecart skimmer that was new to us via @urlscanio
➡️ Seen ITW and tagged by @sansecio:
https://t.co/3YpMNNxet0
➡️ Exfiltrates data via:
gs27usa[.]com/translations/tw/mails.php
➡️ Raw: https://t.co/9WdJCXi8xf
➡️ Beautified: https://t.co/DAA7UeM3yn
![Threat_Down's tweet photo. ℹ️ We found a #Magecart skimmer that was new to us via @urlscanio
➡️ Seen ITW and tagged by @sansecio:
https://t.co/3YpMNNxet0
➡️ Exfiltrates data via:
gs27usa[.]com/translations/tw/mails.php
➡️ Raw: https://t.co/9WdJCXi8xf
➡️ Beautified: https://t.co/DAA7UeM3yn https://t.co/Vckzn1JYrR](https://pbs.twimg.com/media/FeflWBJakAA3eiN.png)
ℹ️ Updated FakeUpdates/SocGholish rules for both Fiddler Classic and Fiddler Everywhere
➡️ https://t.co/U67qZoKyfm
#FakeUpdates
.breatheinnew[.]life
.roles.thepowerofgodswhisper[.]com
77.91.127[.]52
![EKFiddle's tweet photo. #FakeUpdates
.breatheinnew[.]life
.roles.thepowerofgodswhisper[.]com
77.91.127[.]52 https://t.co/u84roZLNib](https://pbs.twimg.com/media/Fb_M_guaIAAPEEf.jpg)
💡 The latest update for #FiddlerEverywhere adds a similar feature known as the 'TextWizard' in Fiddler Classic.
➡️ Select a string and right-click 'Decode Selection'
ℹ️ It looks like the SSL certificate for maps .windows .com (Bing maps) expired 2 days ago
💡 New version of Fiddler Everywhere adds horizontal view mode.
New #Magecart domain jsconfigur[.]net
➡️ JavaScript:
jsconfigur[.]net/js/config.js
➡️ Exfiltration:
jsconfigur[.]net/configure/collecting.php
![EKFiddle's tweet photo. New #Magecart domain jsconfigur[.]net
➡️ JavaScript:
jsconfigur[.]net/js/config.js
➡️ Exfiltration:
jsconfigur[.]net/configure/collecting.php https://t.co/2bzgz6MraF](https://pbs.twimg.com/media/FW6gPFaUYAYRHRe.png)
@CTI_Marc Blog:
https://t.co/POaFnR5sJn
mousemove:
https://t.co/V2hHdGbCVF
⚠️ New malicious domain found in use: quickespark[.net
This malware loads only when a user interacts with the infected #ecommerce store, using 'onmousemove' and 'ontouchstart'.
Full URL: hxxps://cdn[.quickespark[.net/static/base[.js
New hostnames related to the 'Anti-sandbox' #Magecart skimmer
js[.]knowledgecdn[.]org
m[.]sale-alerts[.]com
s[.]geotac[.]net
185.253.33[.]176
185.63.190[.]141
89.108.109[.]26
![EKFiddle's tweet photo. New hostnames related to the 'Anti-sandbox' #Magecart skimmer
js[.]knowledgecdn[.]org
m[.]sale-alerts[.]com
s[.]geotac[.]net
185.253.33[.]176
185.63.190[.]141
89.108.109[.]26 https://t.co/MDhKz1m13M](https://pbs.twimg.com/media/FW1f9QIVsAES7tS.png)
#Magecart exfiltration with image (hash: ad7f76306b7deced1aea2cafb9e0cdfd00716ba713b382a079c7d743a396cf87) links to previous Porkbun infrastructure.
dxloc[.]buzz
dylorean[.]cyou
141.98.82[.]244
5.188.62[.]10
![EKFiddle's tweet photo. #Magecart exfiltration with image (hash: ad7f76306b7deced1aea2cafb9e0cdfd00716ba713b382a079c7d743a396cf87) links to previous Porkbun infrastructure.
dxloc[.]buzz
dylorean[.]cyou
141.98.82[.]244
5.188.62[.]10 https://t.co/S6gAmaq0QD](https://pbs.twimg.com/media/FW2lsJjVEAAFf4T.jpg)
💡 #EKFiddle tip
➡️ Flag traffic by IP address with exact match or regular expression.
Works for both Fiddler Classic and Fiddler Everywhere
@PaulWebSec @pancak3lullz Depends what exactly you need it for, but EKFiddle can parse the page content in real time and find patterns that you can define as well
Late to the game, but #EKFiddle detection for CVE-2022-30190 (Follina) added.
https://t.co/U67qZosp1e
Seeing a lot of 'Bom' #Magecart infections right now. Injections in compromised stores are located before the </head> tag.
Article on Bom skimmer: https://t.co/TR3G4nKSoy
IOCs:
apfeltee[.]de
www.usaayurveda[.]com
![EKFiddle's tweet photo. Seeing a lot of 'Bom' #Magecart infections right now. Injections in compromised stores are located before the </head> tag.
Article on Bom skimmer: https://t.co/TR3G4nKSoy
IOCs:
apfeltee[.]de
www.usaayurveda[.]com https://t.co/ZOouNO7lQs](https://pbs.twimg.com/media/FWbgSdrUYAAmUlG.png)
Fake slideshow #Magecart skimmer (ref: https://t.co/Ufvn3qIxrk)
➡️ Skimmer JS:
code2a[.]com/js/lib/translate.js
➡️ Exfiltration:
bsvholdingsa[.]com
![EKFiddle's tweet photo. Fake slideshow #Magecart skimmer (ref: https://t.co/Ufvn3qIxrk)
➡️ Skimmer JS:
code2a[.]com/js/lib/translate.js
➡️ Exfiltration:
bsvholdingsa[.]com https://t.co/npq3D9ETCy](https://pbs.twimg.com/media/FWRSjVrUUAEjL0f.png)
This skimmer is really pretty convincing that it's nothing malicious. Looks like it's a slideshow or something.
New #Magecart domain contactsform[.]com
➡️ Skimmer loaded inside GIF image
➡️ Exfiltration via WebSocket
Related to this https://t.co/Vh5DcEAddq
![EKFiddle's tweet photo. New #Magecart domain contactsform[.]com
➡️ Skimmer loaded inside GIF image
➡️ Exfiltration via WebSocket
Related to this https://t.co/Vh5DcEAddq https://t.co/9ZNfWLokqK](https://pbs.twimg.com/media/FWCFf3qVsAA0KKu.png)
Another skimmer with HTTP and WSS exfils found in DB of a WordPress site (the malware loaded JS from a fake .png file).
hxxps://appcloudflare[.com/app/
wss://livehotjars[.com/api/v2/client/ws
Re: https://t.co/erwgZqp30e
'Mirasvit' Magecart skimmer. Maybe tied to exploitation of the Mirasvit plugin?
➡️ Exfiltration:
hubberstore[.]com
![EKFiddle's tweet photo. 'Mirasvit' Magecart skimmer. Maybe tied to exploitation of the Mirasvit plugin?
➡️ Exfiltration:
hubberstore[.]com https://t.co/QZMxxQhMm3](https://pbs.twimg.com/media/FV-DYeUVUAUBzb8.jpg)
'Recaptcha' Magecart skimmer
➡️ JavaScript:
cafeunido[.]com/pub/media/flag/flag.js
candlemaking[.]com/media/email/logo/default/az1.js
➡️ Exfiltration:
cafeunido[.]com/pub/errors/default/403.php
ariaperfume[.]com/errors/default/403.php
![EKFiddle's tweet photo. 'Recaptcha' Magecart skimmer
➡️ JavaScript:
cafeunido[.]com/pub/media/flag/flag.js
candlemaking[.]com/media/email/logo/default/az1.js
➡️ Exfiltration:
cafeunido[.]com/pub/errors/default/403.php
ariaperfume[.]com/errors/default/403.php https://t.co/wc31ErrsPr](https://pbs.twimg.com/media/FV9t9zsUsAA2gmj.png)
New 'Bom' Magecart skimmer domain (compromised site)
➡️ apfeltee[.]de/js/prototype/form.js
Regexes for Fiddler Classic/Everywhere available at:
https://t.co/U67qZosp1e
![EKFiddle's tweet photo. New 'Bom' Magecart skimmer domain (compromised site)
➡️ apfeltee[.]de/js/prototype/form.js
Regexes for Fiddler Classic/Everywhere available at:
https://t.co/U67qZosp1e https://t.co/6y0jNDEzia](https://pbs.twimg.com/media/FV8_N01VEAAtJTn.png)
Last Seen Users on Sotwe
Dug0ng.
Seen from Singapore
เย็ดเก่ง ด้านมืด ขึ้นเก่ง
Seen from Thailand
Trai Dâm Miền Tây
Seen from Vietnam
Cerenqueen 
Seen from Turkey
٠٠٠٠٠
Seen from United States
HỌC SINH DÂM
Seen from Vietnam
fadilax
Seen from Indonesia
🫦
Seen from Algeria
fantasy ibu mu
Seen from Indonesia
Hi! B here!
Seen from Indonesia
Trends for you
Most Popular Users
Elon Musk
@elonmusk
240.2M followers
Barack Obama
@barackobama
119.3M followers
Donald J. Trump
@realdonaldtrump
111.6M followers
Cristiano Ronaldo
@cristiano
109M followers
Narendra Modi
@narendramodi
107M followers
Rihanna
@rihanna
97.3M followers
NASA
@nasa
92.1M followers
Justin Bieber
@justinbieber
90.6M followers
KATY PERRY
@katyperry
86.9M followers
Taylor Swift
@taylorswift13
80.7M followers
Lady Gaga
@ladygaga
72.2M followers
Kim Kardashian
@kimkardashian
69.4M followers
YouTube
@youtube
68.6M followers
Virat Kohli
@imvkohli
68.6M followers
Bill Gates
@billgates
63.4M followers
The Ellen Show
@theellenshow
62.5M followers
CNN
@cnn
61.9M followers
Neymar Jr
@neymarjr
61.2M followers
X
@x
60.9M followers
Selena Gomez
@selenagomez
59.9M followers