Security researchers have published details of a new skimmer attack that shows a level of sophistication rarely seen in such campaigns. The attack, detected by Akamai, targets online e-commerce sites built on a range of frameworks and uses an alternative technique, WebSockets, to exfiltrate payment card data.
“Online stores are increasingly outsourcing their payment processes to third-party vendors, which means that they don't handle credit card data inside their store. To overcome this, the attacker creates a fake credit card form and injects it into the application's checkout page. The exfiltration itself is done by WebSockets, which provide the attacker a more silent exfiltration path,” Akamai said.
The attackers inject a loader into the page source as an inline script; the loader fetches the skimmer, a malicious JavaScript file, from the attackers’ command and control server. Once the external script is loaded, the skimmer stores its generated session ID and the client IP address in the browser's LocalStorage. Both parameters are sent as part of the data exfiltration later in the session.
To obtain the end user's IP address, the skimmer uses a Cloudflare API, Akamai said.
The use of WebSockets is notable because skimmer attacks typically exfiltrate data using XHR requests or HTML tags. Once the skimmer is loaded in the target page, it opens a WebSocket connection to its command and control server and keeps it alive by sending ping messages at intervals. The skimmer tracks the sensitive input fields in the targeted page and sends their values on every change to their content.
“The usage of WebSockets provides the attacker a better hiding mechanism as the requests that are being sent will be more "silent." Also, a lot of CSP policies don't limit WebSockets usage,” the researchers explained.
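The CSP point in that quote is the one site owners can act on directly: WebSocket connections are governed by `connect-src`, falling back to `default-src`, so a policy that only sets `script-src` leaves the exfiltration channel wide open. As an added example (not Akamai's code and not taken from the report), the JavaScript below evaluates whether a given Content-Security-Policy would let a checkout page open a WebSocket to a given endpoint, and audits a policy for exactly that gap. The hostnames `shop.example`, `api.shop.example` and `skimmer-c2.invalid` are constructed placeholders, and the source matching is a simplification of the real CSP algorithm (keywords `'self'`/`'none'`, `*`, scheme-only sources, host sources with optional scheme, `*.` wildcard and port; paths, nonces and hashes are ignored).

```javascript
// Added example, not code from Akamai's report: answers "would this CSP allow
// a WebSocket to this URL?" and flags policies that leave WebSockets unrestricted.
// Hostnames used in the demo are constructed placeholders.

function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1); // first occurrence wins, as in CSP
  }
  return directives;
}

// connect-src governs WebSocket/fetch/XHR; it falls back to default-src.
// With neither present, the policy does not limit socket endpoints at all.
function effectiveConnectSources(directives) {
  return directives['connect-src'] || directives['default-src'] || null;
}

function defaultPort(protocol) {
  return protocol === 'wss:' || protocol === 'https:' ? '443' : '80';
}

// Explicit source scheme: exact match or the secure upgrade (http:->https:, ws:->wss:).
function schemeMatches(sourceScheme, targetProtocol) {
  return sourceScheme === targetProtocol ||
    (sourceScheme === 'http:' && targetProtocol === 'https:') ||
    (sourceScheme === 'ws:' && targetProtocol === 'wss:');
}

// For 'self' and scheme-less host sources the page's scheme decides: an https page
// may open https/wss, an http page may open any of http/https/ws/wss (simplified).
function pageSchemeAllows(pageProtocol, targetProtocol) {
  const secure = targetProtocol === 'https:' || targetProtocol === 'wss:';
  if (pageProtocol === 'https:') return secure;
  return secure || targetProtocol === 'http:' || targetProtocol === 'ws:';
}

function hostMatches(pattern, host) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1); // "*.shop.example" -> ".shop.example"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

function sourceMatches(source, target, page) {
  const src = source.toLowerCase();
  if (src === "'none'") return false;
  if (src === "'self'") {
    const samePort = (target.port || defaultPort(target.protocol)) === (page.port || defaultPort(page.protocol));
    return target.hostname === page.hostname && samePort && pageSchemeAllows(page.protocol, target.protocol);
  }
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return schemeMatches(src, target.protocol); // e.g. "wss:"
  let scheme = null;
  let rest = src;
  const sep = src.indexOf('://');
  if (sep !== -1) { scheme = src.slice(0, sep + 1); rest = src.slice(sep + 3); }
  const [hostPattern, port] = rest.split('/')[0].split(':');
  const schemeOk = scheme ? schemeMatches(scheme, target.protocol) : pageSchemeAllows(page.protocol, target.protocol);
  if (!schemeOk || !hostMatches(hostPattern, target.hostname)) return false;
  if (port && port !== '*' && port !== (target.port || defaultPort(target.protocol))) return false;
  return true;
}

function webSocketAllowed(cspHeader, wsUrl, pageUrl) {
  const sources = effectiveConnectSources(parseCsp(cspHeader));
  if (sources === null) return true; // nothing in the policy restricts socket endpoints
  const target = new URL(wsUrl);
  const page = new URL(pageUrl);
  return sources.some((s) => sourceMatches(s, target, page));
}

// Audit: why would this policy fail to stop a WebSocket to an unknown host?
function auditWebSocketPolicy(cspHeader) {
  const directives = parseCsp(cspHeader);
  const findings = [];
  if (!directives['connect-src'] && !directives['default-src']) {
    findings.push('no connect-src or default-src: WebSocket endpoints are unrestricted');
  }
  for (const s of (effectiveConnectSources(directives) || []).map((x) => x.toLowerCase())) {
    if (s === '*' || s === 'ws:' || s === 'wss:') findings.push(`source "${s}" permits a WebSocket to any host`);
  }
  return findings;
}

// Demo: a script-src-only policy versus one that pins connect-src to the payment API.
const PAGE_URL = 'https://shop.example/checkout';
const C2_URL = 'wss://skimmer-c2.invalid/ws'; // constructed stand-in for an attacker endpoint
const POLICIES = {
  weak: "script-src 'self' https://cdn.example; object-src 'none'",
  hardened: "default-src 'self'; connect-src 'self' https://api.shop.example wss://api.shop.example",
};
for (const [name, csp] of Object.entries(POLICIES)) {
  console.log(`${name}: C2 socket allowed=${webSocketAllowed(csp, C2_URL, PAGE_URL)}`, auditWebSocketPolicy(csp));
}
```

Running it shows the weak policy allowing the socket with the finding "no connect-src or default-src", and the hardened one blocking it with no findings; the hardened policy also rejects a plaintext `ws://` connection to the same API host, which is worth checking separately in a real audit.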
Since many e-commerce sites outsource their payment processes to third-party vendors, the skimmer injects a fake credit card form into the page before the user is redirected to the third-party vendor, which allows it to steal users’ credit card information.
“The form even validates the user input and the credit card information and shows the user relevant error messages. Once the user clicks on the fake "Pay" button, the skimmer shows a message that the payment cannot be processed and lets the user continue with the real flow of the application,” the researchers noted.