Cybercrime , Fraud Management & Cybercrime , Fraud Risk Management

Researcher Spots New Tricks in Web Payment Card Skimmers

Cybercriminals Turn to Steganography, WebSocket Connections
Researcher Spots New Tricks in Web Payment Card Skimmers

E-commerce sites have been under siege from cybercriminals who seek to sneak malicious code into checkout processes. A researcher has found two new methods that payment card number thieves are using to try to stay under the radar.

See Also: Check Kiting In The Digital Age

The attackers are sometimes referred to as Magecart, a name for a slew of groups that steal payment card numbers. These attackers often capitalize on vulnerabilities in e-commerce software or other security mistakes that allow for the injection of malicious Javacript, dubbed sniffers or skimmers (see: Magecart Cybercrime Groups Harvest Payment Card Data).

One of those newly employed methods is steganography, which involves hiding code in something that appears to be benign, such as an image file.

A Twitter user, @affablekraut, recently disclosed the discovery of a credit card skimmer disguised as an image, writes Jerome Segura, director of threat intelligence at Malwarebytes.

“To the naked eye, the image looks like a typical free shipping ribbon that you commonly see on shopping sites,” Segura writes in a blog post.

An image that contained skimming code (Source: Malwarebytes)

@Affablekraut tweets that the malicious image was discovered using Strelka, a container-based file scanning tool that grew out of Lockheed Martin’s Laika Boss scanner.

The malicious JavaScript is appended at the end of the image file, Segura writes. The image gets loaded, then the JavaScript is parsed using the slice() method. The malicious code is visible in a hex editor.

There’s a big advantage to using steganography, Segura writes. “As it happens, the majority of web crawlers and scanners will concentrate on HTML and JavaScript files, and often ignore media files, which tend to be large and slow down processing. What better place to sneak in some code?”

WebSocket: Covert Data Stealing

The second new method – also found by @affablekraut - involves using the WebSocket protocol for communication rather than HTTP, Segura writes.

“While WebSockets are advantageous for real-time data transfer, this is not the reason threat actors may be interested in them,” he writes. “For their particular use case, WebSockets provide a more covert way to exchange data than typical HTTP requests-responses.”

The aim is to keep a channel open with a remote server that’s difficult to detect. Segura writes that once a WebSocket connection has been made, a Base64 encoded blurb is pushed to the client, which is then processed as JavaScript and represents the skimming code. Then, the data is exfiltrated.

“The techniques described in this blog will no doubt cause headaches for defenders and give some threat actors additional time to carry on their activities without being disturbed,” Segura writes. “But as mentioned before, this kind of cat-and-mouse game was to be expected in the light of regular new publications on Magecart and web skimmers.”

@Affablekraut tweets that the best way to defeat a websocket skimmer is to adjust the connect-src setting within the Content Security Policy, or CSP, for a web page. That feature can be used to restrict which URLs can be loaded using script interfaces.

Magecart: Never Gives Up

Magecart is believed to encompass as many as 12 criminal groups. The attackers steal payment card data and then sell it on dark web marketplaces for other criminals to exploit. Experts believe hundreds of thousands of websites have been infected (see: Magecart Nightmare Besets E-Commerce Websites).

Over the last few years, Magecart has struck big-name companies, including British Airways, Newegg and Ticketmaster. The infection of British Airways led to one of the most significant enforcement actions against a company under Europe’s General Data Protection Regulation.

Britain's Information Commissioner's Office said in July it intended to fine British Airways £184 million ($240 million) under GDPR. In the attack, the personal data of 500,000 customers was exposed as a result of what the ICO said were poor security practices (see: British Airways Faces Record-Setting $230 Million GDPR Fine).

About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.