Pablo
Member
Compare CrdPro vs Grelos skimmers. Analyze websocket exfiltration, base64 obfuscation, and Magecart detection techniques in 2026.
Written By:
Anonymous Trusted & Verified Researcher
Verified Security Researcher & Senior Analyst,
I am Anonymous, a dedicated analyst for the community. With over a decade of experience monitoring the underground economy, I focus on the technical evolution of the modern carding forum. My mission is to bridge the gap between theory and practice for professional carders and security researchers.
Technical Characteristics:
Technical Characteristics:
code JavaScript
downloadcontent_copy
expand_less
Code:
code JavaScript
downloadcontent_copy
expand_less
Code:
Grelos (The "Image" Trick):
Grelos constructs a fake image request.
GET /images/social.png?params=c2VjcmV0X2RhdGE=
CrdPro opens a socket: wss://socket-analytics.com
1. Behavioral Monitoring
Instead of looking for bad code, look for bad behavior.
As always, the strongest defense is a strict CSP.
If you set: connect-src 'self' https://api.stripe.com
Then even if CrdPro tries to open a WebSocket to wss://hacker.com, the browser will refuse the connection.
3. Script Integrity (Subresource Integrity - SRI)
Ensure that your legitimate scripts (like jQuery) haven't been modified. SRI checks the hash of the file. If CrdPro appends code to it, the hash changes, and the browser blocks the file.
A: It is very difficult. You usually need to run the code in a "Sandbox" environment and use a Debugger to catch the payload after it decrypts itself in memory.
Q: Does 2FA stop skimming?
A: No. Skimming happens before the checkout is complete. The attacker steals the card number. 3D Secure (2FA) stops the transaction, but the data is already stolen. (See: Zelle Carding Myths).
Q: Are these tools sold publicly?
A: Grelos code has been leaked on many forums. CrdPro is typically sold as "Malware-as-a-Service" (MaaS) where the developer takes a cut of the stolen data.
References & Authorities:
Community Discussion:
Malware Analysts: Have you encountered the favicon.ico payload in your logs? Share the hash of the file below (do not share the live link) so we can update our threat intelligence feeds.
CrdPro vs Grelos: Digital Skimmer Code Analysis
Written By:
Anonymous Trusted & Verified Researcher
Verified Security Researcher & Senior Analyst,
I am Anonymous, a dedicated analyst for the community. With over a decade of experience monitoring the underground economy, I focus on the technical evolution of the modern carding forum. My mission is to bridge the gap between theory and practice for professional carders and security researchers.
[CODE COMPARISON] CrdPro vs. "Grelos" Skimmer.
For a broader understanding of how these threats fit into the defensive landscape, please read our Carding Forum Defense & Ethical Research Guide.
In the world of digital skimming (Magecart), not all scripts are created equal. Two dominant infrastructures have emerged: the notorious "Grelos" loader (associated with Magecart Group 12) and the modern, polymorphic "CrdPro" toolset. This thread performs a side-by-side technical comparison of their code structures, obfuscation techniques, and data exfiltration methods. At Carding forum, we dissect the code to understand the evolution of the threat.
The "Grelos" Infrastructure: The Classic Loader
"Grelos" is one of the most widely documented skimming infrastructures in cybersecurity history. It operates primarily as a Loader—a script designed to pull in other malicious codes.Technical Characteristics:
- Domain Reuse: Grelos is famous for reusing domains (e.g., grelos[.]v or lookalikes). This makes it easier to block via blacklists.
- Favicon Steganography:A signature move of Grelos is hiding the malicious payload inside a fake favicon.ico file.
- The website requests a favicon (icon).
- The browser loads the image.
- The Grelos script extracts JavaScript code hidden in the EXIF data or appended to the end of the image file and executes it.
CrdPro: The Polymorphic Evolution
CrdPro represents the next generation of skimming. Unlike Grelos, which relies on a static infrastructure, CrdPro focuses on Polymorphism.Technical Characteristics:
- Unique Builds:Every time the CrdPro script is served to a victim, the variable names and structure change.
- Visitor A sees: var a = 1;
- Visitor B sees: var x_99 = 4 - 3;
- Result: Signature-based antivirus cannot detect it because the "Signature" changes every second.
- WebSockets (WSS): While Grelos typically uses HTTP GET requests, CrdPro utilizes WebSockets. This opens a persistent, bi-directional tunnel between the browser and the Command & Control (C2) server.
- Unique Builds:Every time the CrdPro script is served to a victim, the variable names and structure change.
Code Comparison: Obfuscation Techniques
The primary goal of both scripts is to hide from security analysts. Here is how they differ in execution.Grelos: Base64 & Hex
Grelos typically uses standard encoding.code JavaScript
downloadcontent_copy
expand_less
Code:
Code:
// Grelos Style (Conceptual)[/FONT][/SIZE][/COLOR][/COLOR][/FONT]
[FONT=Segoe UI][COLOR=rgb(20, 20, 20)][COLOR=rgb(65, 168, 95)][SIZE=13px][FONT=Monaco]var payload = atob("dmFyIGNjID0gZG9jdW1lbnQuZ2V0RWxlbWVudH...");
eval(payload);- Weakness: Security tools easily recognize atob and eval functions. If a firewall sees these keywords in a .js file, it blocks them.
CrdPro: Custom Packing & AES
CrdPro avoids standard encoding. It uses custom "Packers" that require a specific key to decrypt.code JavaScript
downloadcontent_copy
expand_less
Code:
Code:
// CrdPro Style (Conceptual)[/FONT][/SIZE][/COLOR][/COLOR][/FONT]
[FONT=Segoe UI][COLOR=rgb(20, 20, 20)][COLOR=rgb(65, 168, 95)][SIZE=13px][FONT=Monaco]var _0x5f9a = ['\x45\x6e\x63\x72\x79\x70\x74', ...];
(function(_0x2d8f05,_0x4b81bb){...})(_0x5f9a, 0x1b3);- Strength: The script looks like legitimate "minified" code (like jQuery). It only decrypts the malicious payload in memory when the user clicks the checkout field.
Exfiltration Methods: Getting the Data Out
Once the credit card data is captured, it must be sent to the attacker.Grelos (The "Image" Trick):
Grelos constructs a fake image request.
GET /images/social.png?params=c2VjcmV0X2RhdGE=
- Defense: Firewalls can block this by inspecting the URL length.
CrdPro opens a socket: wss://socket-analytics.com
- Defense: WebSockets bypass many standard HTTP filters. The data is streamed in binary blobs, not URL text.
- Risk: This allows CrdPro to bypass protections like Apple Pay Tokenization by capturing the data before the token is created by the payment processor.
Table: Grelos vs. CrdPro Technical Specs
| Feature | Grelos Infrastructure | CrdPro Infrastructure |
| Primary Vector | Compromised CMS / Loaders | Supply Chain / Plugin Injection |
| Obfuscation | Base64 / Hex Encoding | Custom Polymorphic Packing |
| Exfiltration | HTTP GET (Fake Images) | WebSockets (WSS) / API Spoofing |
| Persistence | Reuses Domains (High volume) | Uses DGA (Domain Generation) |
| Trigger | On Page Load | On User Input (Typing) |
| Stealth Score | Low (Well known signatures) | High (Dynamic behavior) |
Why They Target Different Victims
The architectural differences dictate the targets.- Grelos is a "Spray and Pray" tool. It is often used on thousands of small, low-security sites. This is why we see it involved in basic schemes like Venmo Fraud Honey-Pots, where volume matters more than precision.
- CrdPro is a "Sniper" tool. Due to its cost and complexity, it is deployed on high-value targets. Operators verify the site traffic first. They avoid "noisy" attacks to ensure longevity.
Defensive Strategy: Heuristics over Signatures
You cannot stop CrdPro with a simple antivirus signature, because the signature changes daily.1. Behavioral Monitoring
Instead of looking for bad code, look for bad behavior.
- Does a script access the input field #cc_number?
- Does a script send data to a domain that was registered today?
As always, the strongest defense is a strict CSP.
If you set: connect-src 'self' https://api.stripe.com
Then even if CrdPro tries to open a WebSocket to wss://hacker.com, the browser will refuse the connection.
3. Script Integrity (Subresource Integrity - SRI)
Ensure that your legitimate scripts (like jQuery) haven't been modified. SRI checks the hash of the file. If CrdPro appends code to it, the hash changes, and the browser blocks the file.
Key Takeaways
- Evolution: Skimmers are moving from static files (Grelos) to dynamic streams (CrdPro).
- Visuals deceive: Looking at the source code is often useless due to packing. You must analyze the network traffic.
- WebSockets are dangerous: Monitor your WebSocket traffic logs; they are a common blind spot for firewalls.
- Patching is key: Both variants rely on Outdated Plugins to enter the system.
FAQ: Skimmer Analysis
Q: Can I decode CrdPro code manually?A: It is very difficult. You usually need to run the code in a "Sandbox" environment and use a Debugger to catch the payload after it decrypts itself in memory.
Q: Does 2FA stop skimming?
A: No. Skimming happens before the checkout is complete. The attacker steals the card number. 3D Secure (2FA) stops the transaction, but the data is already stolen. (See: Zelle Carding Myths).
Q: Are these tools sold publicly?
A: Grelos code has been leaked on many forums. CrdPro is typically sold as "Malware-as-a-Service" (MaaS) where the developer takes a cut of the stolen data.
References & Authorities:
- Krebs on Security - The Geography of Magecart
- RiskIQ (Now Microsoft) - Magecart Group 12 Analysis
- OWASP - Component with Known Vulnerabilities
- Malwarebytes - Inside a Digital Skimmer
- Europol - E-Commerce Skimming Threat Assessment
Community Discussion:Malware Analysts: Have you encountered the favicon.ico payload in your logs? Share the hash of the file below (do not share the live link) so we can update our threat intelligence feeds.