Since January 2022, cybersecurity researchers have discovered an ongoing web skimming operation targeting businesses associated with some of the largest global payment networks, such as American Express, Visa, MasterCard, Discover, Diners Club, JCB, UnionPay, and many others.
Research by SilentPush indicates that enterprise-level businesses using these payment processors are most often the targets of such attacks; instead of attacking the payment processors directly, cybercriminals are breaking into the e-commerce and payment sites that are using these services.
What is Web Skimming?
Web skimming is a term used to describe a type of cyberattack (similar to Magecart-style attacks) that takes advantage of e-commerce websites by injecting malicious JavaScript code into the checkout pages of e-commerce websites, allowing the attacker to collect credit card numbers and personally identifiable information as they are being placed into the checkout process.
Attackers in this large-scale operation used hosting infrastructure where Stark Industries had been located prior to its sanctions and, later, the company changed its name to THE[.]Hosting, which has been the target of law enforcement actions. Attackers also were using the domain cdn-cookie[.]com to host malicious JavaScript skimmer files that were heavily obscured (obfuscated). Examples of these files include recorder.js and tab-gtm.js; these files are dynamically loaded into compromised e-commerce websites.
Smart Evasion and Self-Destruct
The skimmer uses advanced evasion techniques to evade site administrator discovery:
1. It will check the DOM for an indication of the WordPress Admin Toolbar (For logged in users) via the presence of the class ‘wpadminbar’.
2. If the ‘wpadminbar’ has been detected, the skimmer will destroy itself and remove all traces of it from the page.
3. The skimmer will continually try to execute if the DOM changes during the user’s activities.
Fake Stripe Checkout Scams
Scammers using Stripe as a payment processing service have to work a bit harder than usual to collect sensitive information from prospective clients due to the fact that there are often several safeguards in place.
Therefore, if an individual has not yet been targeted by a scammer, the skimmer performs the following actions:
1. Shows no indication of the original Stripe Payment Form
2. Injects a fake Stripe checkout interface
3. Collects the card number, expiration date, and CVC code from the victim.
After completing the transaction, the victim receives an error message indicating that the payment was unsuccessful, therefore leading them to believe that the payment failed due to incorrect payment information. Once the data is stolen from the victim, the malware sets the browser's localStorage attribute (wc_cart_hash) to prevent the victim from being skimmed again.
Data Exfiltration and Data Cleanup
The skimmer not only captures payment card information; it also captures and exfiltrates the following personal data:
1. FULL NAMES
2. EMAIL ADDRESSES
3. PHONE NUMBERS
4. SHIPPING ADDRESSES
To exfiltrate this data, the skimmer sends an HTTP POST request to lasorie[.]com. Once successfully transmitted, the skimmer returns the original checkout form and wipes its traces of the skimming activity, making it difficult to identify the source of the breach through forensic analysis.
Why This Attack is Important
Silent Push notes that the attacker involved in this operation has a strong understanding of how WordPress operates internally; they are using various obscure features within the platform in order to hide their activity from site owners. "This attacker is highly knowledgeable regarding the inner workings of WordPress; they are using these lesser-known features throughout their attack chain," said Silent Push.
The extended duration of this attack, which has gone undetected for several years, suggests a growing vulnerability of all online payment systems to client-side supply chain attacks.
Source: The Hacker News