Why We Run Real Browsers, Not Crawlers, to Catch Skimmers
Modern attacks hide from header-only scanners. Here's how our instrumented Chromium fleet executes pages the way a real shopper would — and why that matters.
A header-only crawler sees the HTML the server sends. Modern skimmers do not live there. They are injected by a service worker, decoded from a WASM blob, or lazy-imported only after an anti-bot fingerprint check passes.
To see what a real visitor sees, we run a fleet of fully instrumented Chromium instances. Each one executes JavaScript, accepts cookies, registers service workers, and completes a synthetic interaction such as a checkout flow.
The instrumentation is the point. We record every network initiator, every dynamically inserted script element, and every postMessage between frames. The attacker's payload fires once per realistic session — and because we look like a realistic session, we capture it.
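The gap between what the server sends and what a session records can be shown by diffing the two. The sketch below is an added example, not our production code or any vendor's API: the event schema, the helper names and every hostname are constructed assumptions. It flags scripts that appear only at runtime and the off-origin requests those scripts initiate.

```javascript
// Constructed sample: the HTML a header-only crawler would fetch.
const staticHtml = `
<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example/lib/analytics.js"></script>
</head><body>checkout form</body></html>`;

// Constructed sample: events an instrumented session might record
// (hypothetical schema: type, url, initiator).
const sessionEvents = [
  { type: "script", url: "https://shop.example/js/app.js", initiator: "parser" },
  { type: "script", url: "https://cdn.example/lib/analytics.js", initiator: "parser" },
  { type: "script", url: "https://static-assets.example/c.js",
    initiator: "https://cdn.example/lib/analytics.js" },
  { type: "request", url: "https://shop.example/api/pay",
    initiator: "https://shop.example/js/app.js" },
  { type: "request", url: "https://collect.example/p",
    initiator: "https://static-assets.example/c.js" },
];

// Script URLs visible in the served HTML, resolved against the page origin.
function staticScriptUrls(html, pageOrigin) {
  const urls = new Set();
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) urls.add(new URL(m[1], pageOrigin).href);
  return urls;
}

// Scripts seen only at runtime, plus requests they send to other origins.
function runtimeOnlyFindings(html, events, pageOrigin) {
  const known = staticScriptUrls(html, pageOrigin);
  const runtimeOnly = new Set(
    events.filter(e => e.type === "script" && !known.has(new URL(e.url).href))
          .map(e => e.url)
  );
  const offOriginRequests = events
    .filter(e => e.type === "request" && runtimeOnly.has(e.initiator) &&
                 new URL(e.url).origin !== pageOrigin)
    .map(e => ({ url: e.url, initiator: e.initiator }));
  return { runtimeOnly: [...runtimeOnly], offOriginRequests };
}

const findings = runtimeOnlyFindings(staticHtml, sessionEvents, "https://shop.example");
console.log(JSON.stringify(findings, null, 2));
```

A runtime-only script is not malicious by itself, since tag managers load code the same way; the finding is a lead to review alongside where that script sends data.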
This is also why we build the fleet to resist evasion checks. Skimmers that check for navigator.webdriver, headless flags, or missing plugins get a browser that answers like a real one. The cost is compute; the benefit is detection that a WAF or DNS filter structurally cannot match.