Online card skimming, which abuses the code that runs checkout features on eCommerce websites, has been a problem for years. Although it has arguably been overshadowed by ransomware's meteoric rise in popularity among the financially motivated cybercriminal underground, card skimming still poses a genuine financial threat to both customers and owners of eCommerce platforms. Now, Microsoft has released new research showing that card skimming has reached a new, stealthier stage in its evolution.
These attacks are sometimes also referred to as Magecart, after a threat actor group of that name that specializes in this form of cyberattack, alongside the more traditional term card skimming.
The latter term is also used for attacks in which a person's physical card has its information skimmed off it with a specialized tool, whereas Magecart refers to attacks targeting web stores.
The injected code copies the credit card data entered by customers and sends it to the attacker's command and control server. These details can then be sold on to other parties or used to commit several other types of fraud.
The Microsoft 365 Defender Research Team has now observed that web skimming campaigns employ various obfuscation techniques to deliver and hide skimming scripts.
Researchers noted that these newer attack techniques have resulted in very few VirusTotal detections. As for the new techniques, researchers said,
Malicious Images and Obfuscated Script
In the first instance, the malicious image was a favicon, the small image that browsers display in the tab next to the page's title. The second image discovered was an ordinary web image of the kind typically used in website development.
Not only did hiding malicious code inside images differ from traditional card skimming tactics, but the main delivery method also differed.
In the past, many of these attacks relied on injecting code into the client-side part of the website, the part the user sees, typically called the front end. In the instances seen by researchers, code was instead injected into the server-side portion of the website, or back end.
This enables the attacker to bypass conventional browser protections such as Content Security Policy (CSP), which restricts the sources from which the browser may load scripts: a skimmer served from the site's own back end arrives from an origin the policy already trusts.
It is believed that the more recently discovered image file was uploaded to the /media/wysiwyg/ directory, most likely by exploiting a vulnerability in the Magento content management system (CMS).
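The technique described in this section, an image file in a media directory that carries an obfuscated script after its image data, can be checked for from the defender's side. The following is an added example written for this article, not Microsoft's research tooling and not Magento code. It assumes nothing about the store beyond a directory of image files: for each file it verifies that the bytes start with a real image signature, measures how much data trails the image's own end marker (PNG IEND, JPEG EOI, or the ICO directory's last entry), and looks for script-like markers anywhere in the file. The 1x1 PNG and the trailing payload are constructed here; the payload is an inert string that only exercises the detector.

```python
"""
Defender-side scan for image files that carry script content.
Added example, not Microsoft's tooling or Magento code.
"""
import re
import struct
import zlib

# Magic bytes of the formats a web store typically serves.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x00\x00\x01\x00": "ico",
}

# Markers that have no business inside an image file.
SCRIPT_MARKERS = [
    ("php-open-tag", re.compile(rb"<\?php", re.I)),
    ("script-tag", re.compile(rb"<script\b", re.I)),
    ("eval", re.compile(rb"\beval\s*\(", re.I)),
    ("atob", re.compile(rb"\batob\s*\(", re.I)),
    ("base64_decode", re.compile(rb"base64_decode\s*\(", re.I)),
    ("fromCharCode", re.compile(rb"String\.fromCharCode", re.I)),
]


def detect_format(data: bytes):
    """Return the image format implied by the leading bytes, or None."""
    for magic, fmt in SIGNATURES.items():
        if data.startswith(magic):
            return fmt
    return None


def image_end_offset(data: bytes, fmt: str):
    """Offset just past the image's own end marker, or None if not computable."""
    if fmt == "png":
        idx = data.rfind(b"IEND")
        return None if idx < 0 else idx + 8          # 4-byte chunk type + 4-byte CRC
    if fmt == "jpeg":
        idx = data.rfind(b"\xff\xd9")                 # EOI marker
        return None if idx < 0 else idx + 2
    if fmt == "ico":
        if len(data) < 6:
            return None
        count = struct.unpack_from("<H", data, 4)[0]  # number of directory entries
        end = 6 + 16 * count
        for n in range(count):
            size, offset = struct.unpack_from("<II", data, 6 + 16 * n + 8)
            end = max(end, offset + size)
        return end
    return None  # GIF needs full block parsing; trailing data is not measured here


def scan_image(data: bytes) -> dict:
    """Classify one file as 'not-an-image', 'suspicious', 'trailing-data' or 'clean'."""
    fmt = detect_format(data)
    markers = [name for name, rx in SCRIPT_MARKERS if rx.search(data)]
    end = image_end_offset(data, fmt) if fmt else None
    trailing = len(data) - end if end is not None and end <= len(data) else 0
    if fmt is None:
        verdict = "not-an-image"
    elif markers:
        verdict = "suspicious"
    elif trailing:
        verdict = "trailing-data"       # benign metadata is possible; worth a manual look
    else:
        verdict = "clean"
    return {"format": fmt, "trailing_bytes": trailing, "markers": markers, "verdict": verdict}


def _png_chunk(tag: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(tag + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)


def build_sample_png() -> bytes:
    """Constructed 1x1 RGB PNG used as the clean baseline."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")         # filter byte + one red pixel
    return (b"\x89PNG\r\n\x1a\n" + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b""))


# Constructed, inert payload shaped like the obfuscated loaders the article describes.
TRAILING_SAMPLE = b"<script>eval(atob('Y29uc3RydWN0ZWQ='))</script>"


if __name__ == "__main__":
    for label, blob in (("clean", build_sample_png()),
                        ("tainted", build_sample_png() + TRAILING_SAMPLE)):
        print(label, scan_image(blob))
```

Run over every file under a directory such as /media/wysiwyg/, a "suspicious" or "not-an-image" verdict is the signal to pull the file and compare it against the deployed release; "trailing-data" alone is only a lead, since some image tools append harmless metadata after the end marker.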
Spoofing Google Analytics and Meta Pixel
Researchers also noted that attackers were spoofing Google Analytics and Meta Pixel, formerly Facebook Pixel, in an attempt to hide malicious code. In the Google Analytics case, the injected code is made to look like Google Tag Manager, the code Google provides to website owners to generate website analytics.
However, when analyzed, the code turned out to be malicious, with card skimming capabilities. Regarding the spoofing of Meta Pixel, researchers noted,
Microsoft rightly pointed out that business owners whose websites are compromised by a web skimming attack, whether through the methods discussed above or the more traditional code injection methods, are likely to suffer reputational as well as financial damage.
It was also noted that, given the increasingly evasive evolution of the problem, organizations should ensure that their e-commerce platforms, CMSs, and installed plugins are up to date with the latest security patches.
It must also be stressed that updates should only be downloaded from trusted sources, generally the vendor. Regular and thorough checks of web assets for compromised or suspicious content are needed to help organizations avoid falling victim to such an attack.
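One concrete form the recommended checkup of web assets can take, aimed at the analytics look-alikes described in the Google Analytics and Meta Pixel section, is an audit of every script on a served page. The following is an added example written for this article, not Microsoft's, Google's or Meta's code. The rule it applies is simple: a script that mentions those products may only reference the vendors' own hosts, and should not contain decoding primitives (atob, fromCharCode, unescape, eval) that genuine analytics loaders never use. The allowlisted hostnames are the ones the real loaders use; the sample HTML, the look-alike snippet and the ".invalid" host are constructed.

```python
"""
Audit a page's <script> elements for spoofed analytics snippets.
Added example, not vendor code.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the genuine Google Tag Manager / Analytics and Meta Pixel loaders use.
ALLOWED_HOSTS = {
    "www.googletagmanager.com",
    "www.google-analytics.com",
    "connect.facebook.net",
}
# Words a look-alike uses to blend in with real analytics code.
BRAND_RE = re.compile(r"googletagmanager|google-analytics|gtm\.js|gtag|fbq\(|fbevents", re.I)
URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.I)
DECODER_RE = re.compile(r"\batob\s*\(|String\.fromCharCode|\bunescape\s*\(|\beval\s*\(", re.I)


class ScriptCollector(HTMLParser):
    """Collects every <script> element's src attribute and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._current = {"src": dict(attrs).get("src"), "body": ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def collect_scripts(html: str) -> list:
    p = ScriptCollector()
    p.feed(html)
    p.close()
    return p.scripts


def assess_script(script: dict) -> list:
    """Findings for one script; empty if it is not an analytics look-alike or is consistent."""
    text = (script.get("src") or "") + "\n" + script.get("body", "")
    if not BRAND_RE.search(text):
        return []                      # does not claim to be analytics code; out of scope here
    findings = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host and host not in ALLOWED_HOSTS:
            findings.append(f"unexpected host: {host}")
    if DECODER_RE.search(script.get("body", "")):
        findings.append("decoding primitive in analytics snippet")
    return findings


def audit_page(html: str) -> list:
    """Return (script index, findings) for every script that fails the check."""
    out = []
    for i, s in enumerate(collect_scripts(html)):
        f = assess_script(s)
        if f:
            out.append((i, f))
    return out


# Constructed page: a real-shaped GTM loader, then a look-alike pointing elsewhere.
SAMPLE_HTML = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});
var f=d.getElementsByTagName(s)[0],j=d.createElement(s);j.async=true;
j.src='https://www.googletagmanager.com/gtm.js?id='+i;f.parentNode.insertBefore(j,f);
})(window,document,'script','dataLayer','GTM-PLACEHOLDER');</script>
<script>/* constructed look-alike */(function(d,s,i){var j=d.createElement(s);j.async=true;
j.src='https://cdn-tagmanager.invalid/gtm.js?id='+i;var k=atob('Y29uc3RydWN0ZWQ=');
d.head.appendChild(j);})(document,'script','GTM-PLACEHOLDER');</script>
<script>document.title = 'Checkout';</script>
</head><body></body></html>"""


if __name__ == "__main__":
    for idx, findings in audit_page(SAMPLE_HTML):
        print(f"script #{idx}:", "; ".join(findings))
```

Because the skimmers described here were injected server-side, the HTML to audit is what the server actually sends to a browser on the checkout page, not the templates in the repository; diffing that served output against the deployed release is the complementary check.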