
New Web Skimmer Campaign Exploits Legitimate Sites for Data Theft
Cybersecurity experts have recently discovered an ongoing Magecart-style web skimmer campaign intended to steal credit card information and personally identifiable information (PII) from e-commerce websites. The distinctive feature of this campaign is the use of “makeshift” command-and-control (C2) servers, which allow malicious code to be distributed without the awareness of the victim sites.
The web security company Akamai has discovered victims of varied sizes across North America, Latin America, and Europe, potentially exposing the personal information of thousands of site visitors to criminals looking to make money illegally.
Attackers employ a number of evasion techniques during the campaign, including obfuscating [using] Base64 and masking the attack to resemble popular third-party services, such as Google Analytics or Google Tag Manager.
Roman Lvovsky, Akamai Security Researcher
Instead of using vulnerable legitimate websites to host web skimmer code like typical Magecart efforts, this campaign uses the trustworthy reputation of legitimate domains. Attackers covertly implant their code into small- to medium-sized retail websites via vulnerabilities or other methods, thereby converting the compromised sites into malware distribution hubs.
The campaign employs more covert measures to avoid detection. One such technique is to disguise the skimmer code as well-known third-party services, such as Google Tag Manager or Facebook Pixel, in order to hide its true purpose. Additionally, JavaScript code fragments serve as loaders, obtaining the entire attack code from the victim website serving as the host. With this strategy, the likelihood of discovery is decreased and the footprint is minimized.
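A defender can audit pages for the pattern described above: an inline snippet that presents itself as a known tag but loads from somewhere else, possibly behind Base64. The following is an added example, not code from Akamai or from the campaign; the host allow-list, the marker regex, the function names and the sample page are assumptions constructed for illustration.

```javascript
// Added example: heuristic audit of inline <script> blocks (hypothetical names, constructed data).
const VENDOR_HOSTS = new Set(["www.googletagmanager.com", "www.google-analytics.com", "connect.facebook.net"]);
// Words that make a snippet look like a well-known third-party tag (illustrative, not exhaustive).
const VENDOR_MARKERS = /google\s*tag\s*manager|google-analytics|fbq\(/i;

// Decode a candidate Base64 literal; return "" unless the result is printable ASCII text.
function tryBase64(s) {
  const text = Buffer.from(s, "base64").toString("utf8");
  return /^[\x20-\x7e]+$/.test(text) ? text : "";
}

// Collect hosts referenced by a script, both in clear text and inside Base64 string literals.
function referencedHosts(code) {
  const texts = [code];
  for (const m of code.matchAll(/["'`]([A-Za-z0-9+\/]{16,}={0,2})["'`]/g)) {
    texts.push(tryBase64(m[1]));
  }
  const hosts = new Set();
  for (const t of texts) {
    for (const u of t.matchAll(/(?:https?:)?\/\/([a-z0-9.-]+\.[a-z]{2,})/gi)) {
      hosts.add(u[1].toLowerCase());
    }
  }
  return [...hosts];
}

// One finding per inline script that looks like a vendor tag but reaches a non-vendor host.
function auditInlineScripts(html) {
  const findings = [];
  for (const m of html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)) {
    const code = m[1];
    if (!VENDOR_MARKERS.test(code)) continue;
    const offHosts = referencedHosts(code).filter((h) => !VENDOR_HOSTS.has(h));
    if (offHosts.length) findings.push({ offHosts, snippet: code.trim().slice(0, 60) });
  }
  return findings;
}

// Constructed sample page: a genuine-style GTM loader and a look-alike with an encoded URL.
const ENCODED = Buffer.from("https://shop.example.test/js/tag.js").toString("base64");
const SAMPLE_HTML = `
<script>/* Google Tag Manager */ (function(w,d,s){var j=d.createElement(s);
j.src='https://www.googletagmanager.com/gtm.js?id=GTM-XXXX';d.head.appendChild(j);})(window,document,'script');</script>
<script>/* Google Tag Manager */ (function(d){var j=d.createElement('script');
j.src=atob("${ENCODED}");d.head.appendChild(j);})(document);</script>`;
console.log(auditInlineScripts(SAMPLE_HTML));
```

A hit is a lead for review rather than a verdict: the off-list host may itself be a legitimate but compromised site, which is exactly why reputation-based blocking alone misses this campaign.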
The two separate versions of the obfuscated skimmer code are designed to intercept and exfiltrate credit card numbers and personally identifiable information (PII) as encoded strings across HTTP requests to actor-controlled servers. Importantly, the code is made to only leak data once per user during checkout in order to reduce suspicious network traffic, which gives this Magecart-style attack an added degree of evasiveness.
Therefore, two different types of victims result from these attacks: the susceptible e-commerce websites that the skimmers target and the legitimate websites that have been compromised and turned into malware distribution hubs. In some circumstances, websites not only experience data theft but also unintentionally act as carriers of malware to other vulnerable websites.
The exploitation of platforms like Magento, WooCommerce, WordPress, and Shopify shows how adaptable the attackers’ techniques are. This underlines the requirement for tighter security measures and illustrates the widening breadth of risks across digital commerce platforms. By using the established trust and reputation of compromised websites, this strategy generates a smokescreen that makes such attacks difficult to detect and respond to.
Web skimmer attacks are always evolving and becoming more sophisticated, so e-commerce companies must prioritize cybersecurity and implement strong security measures to protect their customers’ sensitive data. A successful attack can have serious consequences, including monetary loss, reputational harm, and loss of client trust.