Researcher Spots New Tricks in Web Payment Card Skimmers
Cybercriminals Turn to Steganography, WebSocket Connections
E-commerce sites have been under siege from cybercriminals who seek to sneak malicious code into checkout processes. A researcher has found two new methods that payment card number thieves are using to try to stay under the radar.
The attackers are sometimes referred to as Magecart, a name for a slew of groups that steal payment card numbers. These attackers often capitalize on vulnerabilities in e-commerce software or other security mistakes that allow for the injection of malicious JavaScript, dubbed sniffers or skimmers (see: Magecart Cybercrime Groups Harvest Payment Card Data).
One of those newly employed methods is steganography, which involves hiding code in something that appears to be benign, such as an image file.
A Twitter user, @affablekraut, recently disclosed the discovery of a credit card skimmer disguised as an image, writes Jerome Segura, director of threat intelligence at Malwarebytes.
"To the naked eye, the image looks like a typical free shipping ribbon that you commonly see on shopping sites," Segura writes in a blog post.
WebSocket: Covert Data Stealing
The second new method - also found by @affablekraut - involves using the WebSocket protocol for communication rather than HTTP, Segura writes.
"While WebSockets are advantageous for real-time data transfer, this is not the reason threat actors may be interested in them," he writes. "For their particular use case, WebSockets provide a more covert way to exchange data than typical HTTP requests-responses."
"The techniques described in this blog will no doubt cause headaches for defenders and give some threat actors additional time to carry on their activities without being disturbed," Segura writes. "But as mentioned before, this kind of cat-and-mouse game was to be expected in the light of regular new publications on Magecart and web skimmers."
@Affablekraut tweets that the best way to defeat a WebSocket skimmer is to adjust the connect-src setting within the Content Security Policy, or CSP, for a web page. That directive restricts which URLs can be loaded using script interfaces.
Also, not trying to hide anything but I did obscure the affected store. If you have a need to see this live, DM me.— Affable Kraut (@AffableKraut) December 17, 2019
The method to stop this attack: CSP. The connect-src setting in CSPs governs what websockets can connect to. So review your CSPs!
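One way to act on the "review your CSPs" advice above is to check how a given policy treats WebSocket connections. This is an added example, not code from the article, Malwarebytes or @AffableKraut; the function names, verdict labels and sample policies are constructed for illustration.

```javascript
'use strict';

// Parse a CSP header value into Map<directive, sources[]>.
// Directive names are case-insensitive; if one is repeated, the first wins.
function parseCsp(headerValue) {
  const policy = new Map();
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Report how a policy treats WebSocket connections. connect-src governs them;
// when it is absent the browser falls back to default-src.
// Conservative scope: only sources that unambiguously allow any WebSocket
// host count as open (*, ws:, wss:); explicit ws/wss hosts are listed for review.
function auditWebSocketEgress(headerValue) {
  const policy = parseCsp(headerValue);
  const governedBy = ['connect-src', 'default-src'].find((d) => policy.has(d)) || null;
  if (governedBy === null) {
    return { governedBy, verdict: 'unrestricted', open: [], wsHosts: [] };
  }
  const sources = policy.get(governedBy).map((s) => s.toLowerCase());
  const open = sources.filter((s) => s === '*' || s === 'ws:' || s === 'wss:');
  // Explicit WebSocket endpoints the site has chosen to allow.
  const wsHosts = sources.filter((s) => /^wss?:\/\/./.test(s));
  let verdict = 'restricted';
  if (open.length > 0) verdict = 'any-host';
  else if (sources.length === 0 || sources.every((s) => s === "'none'")) verdict = 'blocked';
  return { governedBy, verdict, open, wsHosts };
}

// Constructed sample policies (not taken from any real site).
const samples = [
  "script-src 'self' https://cdn.example.com",
  "default-src 'self'; connect-src 'self' wss:",
  "default-src *; connect-src 'self' wss://chat.example.com",
  "default-src 'none'",
];
for (const csp of samples) {
  const r = auditWebSocketEgress(csp);
  console.log(`${r.verdict.padEnd(12)} via ${r.governedBy}  <- ${csp}`);
}
```

A verdict of `unrestricted` or `any-host` means an injected script could open a WebSocket to a host of the attacker's choosing; `restricted` policies still need their listed hosts reviewed.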
Magecart: Never Gives Up
Magecart is believed to encompass as many as 12 criminal groups. The attackers steal payment card data and then sell it on dark web marketplaces for other criminals to exploit. Experts believe hundreds of thousands of websites have been infected (see: Magecart Nightmare Besets E-Commerce Websites).
Over the last few years, Magecart has struck big-name companies, including British Airways, Newegg and Ticketmaster. The infection of British Airways led to one of the most significant enforcement actions against a company under Europe's General Data Protection Regulation.
Britain's Information Commissioner's Office said in July it intended to fine British Airways £184 million ($240 million) under GDPR. In the attack, the personal data of 500,000 customers was exposed as a result of what the ICO said were poor security practices (see: British Airways Faces Record-Setting $230 Million GDPR Fine).