16 November 2020

New skimmer attack uses WebSockets and a fake credit card form to steal data

Security researchers have shared details of a new skimmer attack that exhibits a level of sophistication rarely seen in such campaigns. The attack, detected by Akamai, targets online e-commerce sites built on a variety of frameworks and relies on an unusual technique, WebSockets, to exfiltrate payment card information.

“Online stores are increasingly outsourcing their payment processes to third-party vendors, which means that they don't handle credit card data inside their store. To overcome this, the attacker creates a fake credit card form and injects it into the application's checkout page. The exfiltration itself is done by WebSockets, which provide the attacker a more silent exfiltration path,” Akamai said.

The attackers inject a loader into the page source as an inline script; the loader fetches a malicious JavaScript file from the attackers' command-and-control server. Once the external script is loaded, the skimmer stores its generated session ID and the client IP address in the browser's LocalStorage. Those parameters are sent as part of the data exfiltration later in the session.

To obtain the end user's IP address, the skimmer uses a Cloudflare API, Akamai said.

The use of WebSockets is notable because skimmer attacks typically exfiltrate data using XHR requests or HTML tags. Once the skimmer is loaded in the target page, it opens a WebSocket connection to its command-and-control server and keeps it alive by sending ping messages at intervals. The skimmer tracks the sensitive input fields on the targeted page and sends their values on every change to their content.

“The usage of WebSockets provides the attacker a better hiding mechanism as the requests that are being sent will be more "silent." Also, a lot of CSP policies don't limit WebSockets usage,” the researchers explained.
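The CSP point above is easy to check on a defender's side: WebSocket connections are governed by connect-src (falling back to default-src), so a policy that only restricts scripts leaves them unrestricted. The following check is an added example, not code from the article or from Akamai; it implements a simplified subset of CSP Level 3 source matching (no nonces, hashes or paths, and the scheme-upgrade table is an assumption of this example), and the policy strings and hosts are constructed.

```javascript
// Added example (not Akamai's code): can a page at pageOrigin, served with the given
// Content-Security-Policy, open a WebSocket to wsUrl?  WebSockets fall under
// connect-src, then default-src; with neither directive present they are unrestricted.
// Assumed upgrade rules: an expression scheme also covers its secure/WebSocket counterparts.
const SCHEME_COVERS = { http: ['http', 'https', 'ws', 'wss'], https: ['https', 'wss'], ws: ['ws', 'wss'] };
const DEFAULT_PORT = { 'http:': '80', 'ws:': '80', 'https:': '443', 'wss:': '443' };

function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && !(tokens[0].toLowerCase() in directives)) {
      directives[tokens[0].toLowerCase()] = tokens.slice(1); // duplicate directive: first one wins
    }
  }
  return directives;
}

function schemeMatches(exprScheme, url) {
  return (SCHEME_COVERS[exprScheme] || [exprScheme]).includes(url.protocol.slice(0, -1));
}

function sourceMatches(src, url, pageOrigin) {
  const s = src.toLowerCase();
  const page = new URL(pageOrigin);
  if (s === "'none'") return false;
  if (s === '*') return true;                                       // any network scheme
  if (s === "'self'") return page.host === url.host && schemeMatches(page.protocol.slice(0, -1), url);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return schemeMatches(s.slice(0, -1), url); // scheme-source, e.g. wss:
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:\/]+)(?::(\d+|\*))?(\/.*)?$/.exec(s);
  if (!m) return false;                                             // nonces, hashes, unknown keywords
  const [, scheme, host, port] = m;
  if (!schemeMatches(scheme || page.protocol.slice(0, -1), url)) return false;
  const hostOk = host.startsWith('*.') ? url.hostname.endsWith(host.slice(1)) : host === url.hostname;
  if (!hostOk) return false;
  const urlPort = url.port || DEFAULT_PORT[url.protocol];
  return port ? port === '*' || port === urlPort : url.port === ''; // no port given: default port only
}

function webSocketAllowed(cspHeader, pageOrigin, wsUrl) {
  const d = parseCsp(cspHeader);
  const sources = d['connect-src'] || d['default-src'];
  if (!sources) return true;                                        // neither directive: unrestricted
  const url = new URL(wsUrl);
  return sources.some((src) => sourceMatches(src, url, pageOrigin));
}

// Constructed policies: the first locks down scripts but says nothing about connections,
// so a skimmer that got a script running could still open a WebSocket anywhere.
const WEAK_CSP = "script-src 'self' https://cdn.example.com; img-src 'self'";
const STRONG_CSP = "default-src 'self'; script-src 'self' https://cdn.example.com; connect-src 'self' wss://pay.example.com";
```

`webSocketAllowed(WEAK_CSP, 'https://shop.example.com', 'wss://attacker.example.net/ws')` returns true, while the same call with `STRONG_CSP` returns false.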

Since many e-commerce sites outsource payment processing to third-party vendors, the skimmer injects a fake credit card form into the page before the user is redirected to the vendor, which allows it to capture users' card details.

“The form even validates the user input and the credit card information and shows the user relevant error messages. Once the user clicks on the fake "Pay" button, the skimmer shows a message that the payment cannot be processed and lets the user continue with the real flow of the application,” the researchers noted.
