Card Not Present Fraud , Cybercrime , Fraud Management & Cybercrime
Fraudsters Use Telegram App to Steal Payment Card Data
Malwarebytes: New Method Eases Theft of Information From Ecommerce SitesSome fraudsters are now using the encrypted instant messaging app Telegram as a fast and easy way to steal payment card data from ecommerce sites, according to an analysis from Malwarebytes.
See Also: Mobile Apps are the New Endpoint
Researchers found hackers are using simple Base64 encoding strings in conjunction with a bot that is sweeping up the payment card information. The bot includes code that accesses Telegram to remove the payment card data. Base64 enables the payment card data to be taken without security tools picking up the theft, according to Malwarebytes.
While other cybercriminals have previously used Telegram to distribute malware and steal data - Juniper Threats Labs chronicled one group's ability to deliver a Trojan this way in September 2019 - hackers only recently have attempted to skim payment card data from ecommerce sites using Telegram, Jerome Segura, director of threat intelligence at Malwarebytes, notes in the report.
"For threat actors, this data exfiltration mechanism is efficient and doesn’t require them to keep up infrastructure that could be taken down or blocked by defenders," Segura says. "They can even receive a notification in real time for each new victim, helping them quickly monetize the stolen cards in underground markets."
Segura notes in the report that security researcher "AffableKraut" first took notice of the use of Telegram to skim payment card data in August and posted about it on Twitter.
Malicious JavaScript
The Malwarebytes report notes that the theft of the payment card information typically starts with hackers planting malicious JavaScript code on ecommerce sites to collect customers’ payment information.
From there, the code uses a debugging feature to avoid detection and begins to copy victims' payment card data, such as billing and payment information, card number, expiration date and CVV code from the various checkout fields, according to the report.
In the majority of skimming attacks, which do not leverage Telegram, the payment card data is stored within a domain or file controlled by the attackers and then exfiltrated using a command-and-control infrastructure that communicates with the JavaScript code. But the attacks leveraging Telegram use encryption in conjunction with a Telegram channel to create a faster and more efficient exfiltration process.
"The exfiltration is triggered only if the browser’s current URL contains a keyword indicative of a shopping site and when the user validates the purchase," Segura notes in the report.
When a shopper enters payment information on an ecommerce site, that information is transferred to a payment processor, as usual, but a copy is sent to the fraudsters, according to the report.
By using Telegram, hackers don't have to take the time to set up a command-and-control infrastructure and can quickly collect the payment card data and use it to purchase goods or sell it on underground forums, the report states. This method also helps fraudsters avoid detection.
Blocking this type of attack is difficult, Segura notes. While ecommerce companies can cut access to Telegram channels on the network level, the cybercriminals can then switch to another type of secure platform to help with the skimming.
Magecart Activity
Javascript skimming attacks are usually associated with Magecart, an umbrella description for separate groups of cybercriminals that use JavaScript skimmers to steal payment and credit card data from customers of ecommerce sites (see: Magecart Group Hits Small Businesses With Updated Skimmer).
In another report released this week, security firm Group-IB described the activities of a criminal hacking group called "UltraRank," which has been skimming credit card data for nearly five years and then selling that data on its own carding market. The analysts found that many attacks attributed to various Magecart groups over the years were actually the work of these hackers (see: 'UltraRank' Gang Sells Card Data It Steals).