Card Skimming goes into Stealth Mode

Online card skimming, which abuses the code that runs checkout features on eCommerce websites, has been a problem for years. Arguably, it has been overshadowed by ransomware’s meteoric rise to popularity amongst the financially motivated cybercriminal underground, card skimming has still posed a genuine financial threat to both clients and owners of eCommerce platforms. Now, Microsoft has released new research showing that card skimming has reached a new stealthier level in its evolution cycle.

Sometimes these attacks are also referred to as Magecart, after one threat actor group by the same name specializing in this form of cyberattack, along with the more traditional term of card skimming.

The latter is also used for an attack where the physical card of a person has the information skimmed off it using a specialized tool, whereas Magecart is used for attacks targeting web stores.

credit card skimming enters stealth mode

In summary, these attacks involve the attacker injecting code, sometimes as little as 22 lines, into the cart's code. The code, often written in JavaScript is loaded when a customer attempts to checkout.

The code then copies the credit card data entered by the customers and sent to the hacker’s command and control server. These details can either be sold on to other parties or used to commit several other types of fraud.

Now, the Microsoft 365 Defender Research Team observed that web skimming campaigns now employ various obfuscation techniques to deliver and hide skimming scripts.

Researchers noted that these newer attack techniques have resulted in very few VirusTotal detections. As for the new techniques, researchers said,

“In one of the campaigns we’ve observed, attackers obfuscated the skimming script by encoding it in PHP, which, in turn, was embedded inside an image file—a likely attempt to leverage PHP calls when a website’s index page is loaded. Recently, we’ve also seen compromised web applications injected with malicious JavaScript masquerading as Google Analytics and Meta Pixel (formerly Facebook Pixel) scripts. Some skimming scripts even had anti-debugging mechanisms, in that they first checked if the browser’s developer tools were open.”

Malicious Images and Obfuscated Script

The first of the new techniques discovered by Microsoft’s researchers involves the attacker uploading malicious image files to a Magento-hosted server. In the two instances discovered by researchers, the images contained a PHP script with a Base64-encoded JavaScript. Both scripts contained exactly the same JavaScript code but had slightly different implementations of the PHP.

In the first instance, the malicious image was a favicon, an URL image often used as an icon in the webpage's title that comes up in the tab before the website's name. The second discovered image was just a web image typically used in website development.

Not only was the use of malicious images to hide malicious code different from traditional card skimming tactics, but the main delivery method also differed.

In the past, many of these attacks relied on injecting code into the client-side part of the website, that being the part of the website typically called the front end that the user sees. In the instances seen by researchers, code was injected into the server-side portion of the website, or back-end.

This enables the attacker to bypass conventional browser protections like Content Security Policy (CSP), which prevents the loading of any external scripts.

It is believed that the more recent image file discovered was uploaded to the /media/wysiwyg/ directory, most likely by leveraging a vulnerability in the Magento Content Management System (CMS).

Spoofing Google Analytics and Meta Pixel

Researchers also noted that attackers were looking to spoof Google Analytics and Meta Pixel, formerly Facebook Pixel, to attempt to hide malicious code. Regarding Google Analytics the code injected is made to look like Google’s Tag Manager which is code used by Google to generate website analytics for website owners.

However, the code when analyzed revealed to be malicious code with card skimming capabilities. Regarding the spoofing of Meta Pixel, researchers noted,

“We also observed a similar technique where the skimming script mimicked Meta Pixel’s function parameters and JavaScript file name to avoid detection. Like the example in the previous section, the URL in this technique was encoded in Base64 and split into several strings. The concatenated string decoded to //sotech[.]fun/identity[.]js, and it contained obfuscated code. Interestingly, the decoded URL also had the query string d=GTM-34PX2SO, which is specific to Google Tag Manager and not Meta Pixel…The attackers behind the Meta Pixel spoofing used newly registered domains (NRDs) hosted on HTTPS to carry out their attacks. All the domains we saw associated with this skimming campaign were registered around the same time via a popular budget hosting provider, as seen in the list below. However, the actual hosting sites were hidden behind Cloudflare’s infrastructure.”

Microsoft accurately pointed out that business owners whose websites are compromised by a web skimming attack, be it using the methods discussed above or the more traditional code injection methods, are likely to suffer reputational damage as well as financial damage.

It was also noted that given the more evasive evolution of the problem organizations should ensure that their e-commerce platforms, CMSs, and installed plugins are up to date with the latest security patches.

It must also be stressed that updates should only be downloaded from trusted sources, generally from the vendor. Regular and thorough checkups of web assets need to be done for compromised or suspicious content to help prevent them from falling foul of such an attack.

As for these most recent attacks, researchers noted that similarities were found in malicious code that could further assist in detection and prevention. These similarities included the presence of  Base64-encoded strings such as “checkout” and “onepage” and the presence of the atob() JavaScript function in compromised pages.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal