A sophisticated new credit card skimming operation dubbed “RolandSkimmer” has emerged, targeting users primarily in Bulgaria through malicious browser extensions. Named after the unique string “Rol@and4You” embedded in its payload, this attack represents a concerning evolution in web-based financial theft techniques. Unlike traditional skimmers that target e-commerce websites directly, RolandSkimmer focuses on compromising the browsers themselves, creating a persistent threat that follows users across multiple websites. The malware systematically harvests sensitive payment information from victims while maintaining persistent access to their systems through compromised web browsers.

Fortinet researchers identified the campaign in March 2025, documenting how the malware establishes persistence by creating hidden folders and modifying browser shortcuts. “This represents an alarming trend in financial theft malware,” noted FortiGuard Labs in their recent analysis, highlighting the threat’s sophisticated evasion mechanisms and cross-browser capabilities.

The attack begins with a deceptive ZIP file named “faktura_3716804.zip” containing a seemingly innocuous shortcut file. The initial infection begins when users extract and click the malicious LNK file, which initiates a complex chain of heavily obfuscated scripts that establish covert access to the victim’s system. The malware then performs system reconnaissance to gather environment details, including checking for installed browsers and hardware specifications.

What makes RolandSkimmer particularly dangerous is its multi-browser approach, simultaneously targeting Google Chrome, Microsoft Edge, and Mozilla Firefox through tailored malicious extensions. These extensions request extensive permissions, including the ability to read all web content, modify network requests, and access browsing data, enabling comprehensive monitoring of victims’ online activities. The extension’s background scripts monitor form submissions across all websites, specifically targeting credit card numbers. When payment details are detected, the malicious code appends the unique marker “Rol@and4You” to the stolen data and exfiltrates it to remote servers through hidden elements in the page. These servers deliver malicious payloads and serve as collection points for stolen financial data, with each victim assigned a unique tracking identifier to monitor their activity across browsing sessions.

The careful design of this attack chain enables persistent access without requiring elevated privileges, allowing the attackers to maintain long-term access to victims’ browsers and financial information.
This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 04 Apr 2025 09:00:11 +0000