Cybersecurity researchers have discovered a large-scale web skimming campaign that has been active since January 2022, targeting several major payment networks, including American Express, Diners Club, Discover, JCB Co., Ltd., Mastercard, and UnionPay.
“Enterprise organizations that are customers of these payment providers are likely to be most affected,” Silent Push said in a report released today.
Digital skimming attacks refer to a category of client-side attacks in which a malicious party compromises a legitimate e-commerce site or payment portal and injects malicious JavaScript code that can covertly collect credit card information and other personal information when an unsuspecting user attempts to make a payment on a checkout page.
These attacks fall under an umbrella term called Magecart. This refers to a coalition of cybercrime groups that initially used Magento software to target e-commerce sites, and later diversified into other products and platforms.
Silent Push said it discovered the campaign after analyzing suspicious domains linked to currently licensed bulletproof hosting provider Stark Industries (and its parent company PQ.Hosting). Stark Industries has since rebranded to THE[.]The hosting, which is managed by Dutch company WorkTitans BV, is a sanctions avoidance measure.
The domain in question, cdn-cookie[.]com was found to host highly obfuscated JavaScript payloads (e.g. “recorder.js” or “tab-gtm.js”) that are loaded by web shops to facilitate credit card skimming.
Skimmers have the ability to evade detection by site administrators. Specifically, it checks the Document Object Model (DOM) tree for an element named “wpadminbar.” This is a reference to the toolbar that appears on a WordPress website when a logged in administrator or user with appropriate permissions is viewing the WordPress website.
If the “wpadminbar” element is present, the skimmer initiates a self-destruct sequence and removes its presence from the web page. The skimmer attempts to run every time the web page’s DOM changes. This is standard behavior that occurs when a user interacts with a page.
That’s not all. The skimmer also checks if Stripe is selected as a payment option. If selected, an element called “wc_cart_hash” exists in the browser’s localStorage. Create this element and set it to “true” to indicate that the victim has already been successfully skimmed.
Without this flag, skimmers render a fake Stripe payment form that replaces the legitimate form through user interface manipulation, tricking victims into entering their credit card number, expiration date, and card verification code (CVC) number.
“Because the victim entered their credit card information into the fake form instead of the actual Stripe payment form, the payment page displays an error because it was hidden by the skimmer when it was first entered,” Silent Push said. “This makes it appear as if the victim simply entered their payment information incorrectly.”
The data stolen by skimmers goes beyond payment details, including names, phone numbers, email addresses, and shipping addresses. The information is ultimately extracted via an HTTP POST request to the server “lasorie”.[.]com”
Once the data submission is complete, the skimmer erases its traces from the checkout page, removes the created fake payment form, and restores the legitimate Stripe input form. It then sets “wc_cart_hash” to “true” to prevent the skimmer from running against the same victim again.
“This attacker has advanced knowledge of WordPress internals and has incorporated even lesser-known features into his attack chain,” Silent Push said.
Source link
