Credit card skimming is becoming more advanced, according to Microsoft security researchers, with threat actors using increasingly sophisticated tactics to hide their information-stealing malware.
To avoid discovery, skimming gangs hide their code snippets, inject them into image files, and disguise them as popular web scripts.
This reduces the efficiency of threat detection software and increases the risk of criminal actors stealing credit card information from internet users.
What exactly is skimming?
Payment card skimming is a web-based attack in which hackers use a weakness in the underlying platform (Magento, PrestaShop, WordPress, etc.) or poor security procedures to inject malicious JavaScript code onto e-commerce websites. When a site visitor arrives at the checkout page and proceeds to enter their credit or debit card information to pay for their order, the code is activated.
The skimmer steals anything typed into the forms on that page and sends it to rogue operators, who subsequently use the information to make online transactions or sell it to others.
According to Microsoft’s experts, three concealment strategies are being used more frequently: injecting scripts into images, string concatenation, and script spoofing.
The malicious image files are uploaded to the target server disguised as favicons in the first scenario. However, they contain a PHP script with base64-encoded JavaScript.
According to new research from Microsoft, “the insertion of the PHP script in an image file is fascinating because, by default, the web server would not run the aforementioned code.”
“…we believe the attacker utilized a PHP include expression to include the picture (containing the PHP code) in the website’s index page, causing it to load automatically on every page visit.”
The script identifies the checkout page, performs a check to rule out the admin user, and then displays a bogus form to valid site visitors.
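A defender-side check for the first technique, added here as an example that is not part of the Microsoft report: it walks a web root, flags image files (favicons and the like) that contain a PHP open tag, and flags PHP sources that include() or require() a file with an image extension. The directory layout, file names and the tiny sample files are constructed for the demo; the PHP stub inside the tampered favicon is a placeholder, not the actual skimmer.

```python
"""Added example (not from the Microsoft report): detect image files that
carry PHP code and PHP sources that include() image files.

Assumptions (not from the article): the web-root layout, file names and
scan heuristics below are constructed for this demo.
"""
import os
import re
import tempfile

# Image extensions an attacker might abuse as a "favicon" carrier.
IMAGE_EXTS = {".ico", ".png", ".jpg", ".jpeg", ".gif", ".svg", ".webp"}
PHP_EXTS = {".php", ".phtml", ".inc"}

# A PHP open tag anywhere in the file body ("<?php" or "<?=").
PHP_TAG_RE = re.compile(rb"<\?(php|=)")

# include/require statements whose target ends in an image extension, e.g.
#   include 'favicon.ico';   require_once("/img/logo.png");
INCLUDE_IMG_RE = re.compile(
    r"""(?:include|require)(?:_once)?\s*\(?\s*['"]([^'"]+\.(?:ico|png|jpe?g|gif|svg|webp))['"]""",
    re.IGNORECASE,
)


def scan_webroot(root):
    """Return a list of (kind, path, detail) findings for the tree under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            with open(path, "rb") as fh:
                data = fh.read()
            # Image bytes never legitimately contain a PHP open tag.
            if ext in IMAGE_EXTS and PHP_TAG_RE.search(data):
                findings.append(("php_in_image", path, "PHP open tag inside image file"))
            # A PHP file pulling in an "image" is the loader half of the trick.
            if ext in PHP_EXTS:
                for m in INCLUDE_IMG_RE.finditer(data.decode("utf-8", "replace")):
                    findings.append(("include_of_image", path, m.group(1)))
    return findings


def build_demo_site(root):
    """Write a constructed sample site: a clean favicon, a tampered favicon
    carrying a PHP stub, and an index.php that includes the tampered one."""
    os.makedirs(os.path.join(root, "img"), exist_ok=True)
    # Constructed ICO-like header bytes (not a complete icon), clean.
    with open(os.path.join(root, "img", "clean.ico"), "wb") as fh:
        fh.write(b"\x00\x00\x01\x00" + b"\x00" * 32)
    # Constructed: image bytes followed by a PHP stub (real payload omitted).
    with open(os.path.join(root, "img", "favicon.ico"), "wb") as fh:
        fh.write(b"\x00\x00\x01\x00" + b"\x00" * 32 + b"<?php /* placeholder */ ?>")
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php\ninclude 'img/favicon.ico';\n?>\n<html>...</html>\n")


def demo():
    """Build the constructed site in a temp dir and return relative findings."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_site(root)
        return [(k, os.path.relpath(p, root), d) for k, p, d in scan_webroot(root)]


if __name__ == "__main__":
    for finding in demo():
        print(*finding)
```

Run it against a real document root by calling `scan_webroot("/path/to/webroot")`; the `include_of_image` hit is the more reliable signal, since an ICO or PNG containing `<?php` can in principle be a false positive on odd binary data, but a PHP file that includes an image has no legitimate purpose.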
The attackers load the skimmer from a domain under their control via an implant on the target site, utilizing string concatenation obfuscation.
Because the skimmer isn’t hosted on the targeted platform, the domain is base64 encoded and concatenated from various strings.
The third trend, script spoofing, disguises the skimmers as Google Analytics or Meta Pixel (Facebook Pixel), two popular visitor tracking tools found on practically every website.
Threat actors inject base64-encoded strings into a counterfeit Google Tag Manager snippet, fooling administrators into thinking it’s part of the website’s usual code and skipping review. In the Meta Pixel variant, the threat actors imitated some of the plugin’s common parameters while still keeping the skimmer URL encoded in base64 and split into several strings.
How to defend yourself
The presence of base64-encoded strings and the “atob()” JavaScript function on compromised web pages is a common trait of all these credit card skimmers.
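The two indicators named above, an atob() call and long base64 literals, can be hunted for in page source with a short scanner. The one below is an added example, not code from Microsoft or from any skimmer: it finds atob() calls, reassembles a string-concatenated argument (the obfuscation described under the second trend), decodes it, and separately decodes any long base64 literal. The sample page is constructed to look like a Google Tag Manager snippet; the loader URL `https://example.invalid/gtm.js` is a placeholder, not an indicator from the article.

```python
"""Added example (not from the Microsoft report): scan page source for
atob() calls and base64 literals, and decode string-concatenated base64
to reveal the hidden loader URL.

The sample page and the placeholder domain below are constructed for
this demo, not indicators from the article.
"""
import base64
import re

# atob( ... ) up to the closing parenthesis of the call.
ATOB_RE = re.compile(r"\batob\s*\(([^;]*?)\)")
# One JavaScript string literal, single- or double-quoted, with escapes.
STRING_LIT_RE = re.compile(r"""(['"])((?:\\.|(?!\1).)*)\1""")
# A quoted run of 16+ base64-alphabet characters with optional padding.
B64_LIT_RE = re.compile(r"""['"]([A-Za-z0-9+/]{16,}={0,2})['"]""")


def join_concatenated(expr):
    """Evaluate an expression made only of string literals joined by '+',
    e.g. 'aHR0' + "cHM6". Return None if anything else appears."""
    pieces = []
    rest = expr.strip()
    while rest:
        m = STRING_LIT_RE.match(rest)
        if not m:
            return None
        pieces.append(m.group(2))
        rest = rest[m.end():].lstrip()
        if rest.startswith("+"):
            rest = rest[1:].lstrip()
        elif rest:
            return None
    return "".join(pieces)


def safe_b64decode(s):
    """Decode base64 to printable text, or return None if it is not."""
    try:
        padded = s + "=" * (-len(s) % 4)
        text = base64.b64decode(padded, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def scan_page(source):
    """Return a list of findings: each atob() call (with its decoded
    argument when it can be recovered) and each decodable base64 literal."""
    findings = []
    for m in ATOB_RE.finditer(source):
        joined = join_concatenated(m.group(1))
        decoded = safe_b64decode(joined) if joined else None
        findings.append({"indicator": "atob", "raw": m.group(0), "decoded": decoded})
    for m in B64_LIT_RE.finditer(source):
        decoded = safe_b64decode(m.group(1))
        if decoded:
            findings.append({"indicator": "base64_literal", "raw": m.group(1), "decoded": decoded})
    return findings


# Constructed sample: a GTM-lookalike snippet whose src is built from
# concatenated base64 chunks, plus a second script holding the whole literal.
LOADER_URL = "https://example.invalid/gtm.js"  # placeholder, constructed
_enc = base64.b64encode(LOADER_URL.encode()).decode()
_chunks = [_enc[i:i + 8] for i in range(0, len(_enc), 8)]
SAMPLE_PAGE = """
<!-- Google Tag Manager -->
<script>
(function(w,d,s,l,i){w[l]=w[l]||[];var f=d.getElementsByTagName(s)[0],
j=d.createElement(s);j.async=true;
j.src=atob(%s);
f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-XXXX');
</script>
<!-- End Google Tag Manager -->
<script>var _u = "%s";</script>
""" % (" + ".join('"%s"' % c for c in _chunks), _enc)


if __name__ == "__main__":
    for f in scan_page(SAMPLE_PAGE):
        print(f["indicator"], "->", f["decoded"], "   raw:", f["raw"][:60])
```

Feed `scan_page()` the HTML or JavaScript fetched from your own checkout page; a decoded value that is a URL on a domain you do not recognize is the thing to investigate, and an atob() call whose argument cannot be reassembled (a variable, a function call) still deserves a manual look.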
In addition to active scanning and detection, website managers should make sure their content management system (CMS) and plugins are up to date. From the standpoint of the customer, the only way to minimize the harm caused by skimmers is to use one-time private cards, set strict payment limitations, or use electronic payment methods instead.