3 September 2020

Magecart groups use Telegram to steal credit card data


Security researchers have noticed a new twist in the tactics used by cybercriminals affiliated with Magecart operations, the web-skimming attacks that steal credit card data from online shoppers. The attackers are now using the encrypted messaging service Telegram as the channel for sending stolen credit card information back to their command-and-control (C2) servers.

The new method was highlighted by a security researcher going by the name Affable Kraut, who discovered a credit card skimmer that used Telegram to exfiltrate data. According to the researcher, the malicious JavaScript collects data from any type of input field (billing, payment, credit card number, expiration date and CVV), encrypts it with a public key, and sends it to a private Telegram channel.

As the researcher noted, the method works well for data exfiltration, but it is not very reliable from the attacker's point of view, since anyone who obtains the Telegram bot token can hijack the process.

“Telegram isn't set up to do this type of thing properly, you have to grant publicly accessible code too much power. And, like many other digital skimming/#magecart techniques, this can be preemptively defeated via a Content Security Policy,” the researcher said in a tweet.
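The researcher's point is that a skimmer injected into a checkout page still has to make an outbound request, and the CSP `connect-src` directive decides where `fetch()`, `XMLHttpRequest` and `sendBeacon()` may send data. The following is an added illustration, not code from the article or from the researchers it quotes: a simplified evaluator of `connect-src` (with the real fallback to `default-src`) that shows a checkout policy allowing only the shop itself and its payment processor, and therefore rejecting a request to Telegram's Bot API host. The hostnames `shop.example` and `api.payments.example` are placeholders, and the matcher supports only `'self'`, `'none'` and host sources, not the browser's full CSP algorithm.

```javascript
// Added example, not code from the article or from the researchers it quotes:
// a minimal evaluator for the CSP connect-src directive, which governs where
// fetch(), XMLHttpRequest and sendBeacon() may send data from a page.
// It supports only 'self', 'none' and host sources (optional scheme, optional
// leading "*." wildcard); it is a teaching model, not the browser's full
// CSP matching algorithm.

function directiveSources(policy, name) {
  // Return the source list of directive `name`, or null if the policy lacks it.
  const d = policy
    .split(";")
    .map((s) => s.trim())
    .find((s) => s.split(/\s+/)[0] === name);
  return d ? d.split(/\s+/).slice(1) : null;
}

function hostMatches(pattern, host) {
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1); // "*.payments.example" -> ".payments.example"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

function sourceAllows(expr, target, page) {
  if (expr === "'none'") return false;
  if (expr === "'self'") return target.origin === page.origin;
  // Host source: [scheme://]host[:port][/path]. Compare scheme (if given) and host.
  let scheme = null;
  let hostPart = expr;
  if (expr.includes("://")) [scheme, hostPart] = expr.split("://");
  const host = hostPart.split("/")[0].split(":")[0];
  if (scheme !== null && `${scheme}:` !== target.protocol) return false;
  return hostMatches(host, target.hostname);
}

function connectAllowed(policy, targetUrl, pageUrl) {
  // connect-src falls back to default-src when absent; with neither present,
  // CSP does not restrict connections at all.
  const sources =
    directiveSources(policy, "connect-src") || directiveSources(policy, "default-src");
  if (sources === null) return true;
  const target = new URL(targetUrl);
  const page = new URL(pageUrl);
  return sources.some((expr) => sourceAllows(expr, target, page));
}

// Constructed policy for a hypothetical shop (placeholder hostnames): scripts and
// connections are limited to the shop itself plus its payment processor, so a
// skimmer injected into the page cannot reach Telegram's Bot API.
const CHECKOUT_CSP =
  "default-src 'self'; script-src 'self'; connect-src 'self' https://api.payments.example";
const PAGE_URL = "https://shop.example/checkout";
const LEGIT_PROCESSOR = "https://api.payments.example/v1/charge";
const TELEGRAM_BOT_API = "https://api.telegram.org/botPLACEHOLDER/sendMessage";

console.log(connectAllowed(CHECKOUT_CSP, LEGIT_PROCESSOR, PAGE_URL)); // true
console.log(connectAllowed(CHECKOUT_CSP, TELEGRAM_BOT_API, PAGE_URL)); // false
```

The policy only helps if it is actually restrictive: a `connect-src` (or `default-src`) that lists `*` or omits the directive entirely leaves the exfiltration path open, which is why the evaluator returns `true` when neither directive is present.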

According to Jérôme Segura of Malwarebytes, who has also analyzed the skimmer code, the skimmer's author encoded the bot ID and channel, as well as the Telegram API request, with simple Base64 encoding to obscure them.
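Because the bot ID, channel and API request are stored only as Base64, a plain-text search of a page's scripts for "telegram" finds nothing; decoding the literals first does. The following is an added example, not code from the article or from the researchers it quotes: a static scanner that extracts Base64-looking string literals from JavaScript source, decodes them, and flags Telegram Bot API indicators. The sample script is constructed to have the same shape the article describes, with placeholder token and chat id values rather than real ones.

```javascript
// Added example, not code from the article or the researchers it quotes: a static
// scanner for the obfuscation the article describes. It pulls Base64-looking string
// literals out of JavaScript source, decodes them, and flags Telegram Bot API
// indicators, so a script that never mentions "telegram" in clear text still lights up.

const B64_LITERAL = /["'`]([A-Za-z0-9+/]{16,}={0,2})["'`]/g;

// Indicators checked against each decoded literal. api.telegram.org is the Bot
// API host and sendMessage the method used to post text; "/bot<digits>:" is
// the shape of a bot token in the URL path.
const INDICATORS = [
  ["telegram-api-host", /api\.telegram\.org/i],
  ["bot-token-path", /\/bot\d+:/],
  ["send-message", /sendMessage/],
  ["chat-id", /chat_id=/],
];

function decodeBase64(literal) {
  const bytes = Buffer.from(literal, "base64");
  // Node tolerates malformed input; insist on an exact round trip so that long
  // plain identifiers (which also match the alphabet) are not treated as Base64.
  const strip = (s) => s.replace(/=+$/, "");
  if (strip(bytes.toString("base64")) !== strip(literal)) return null;
  const text = bytes.toString("utf8");
  return /^[\x20-\x7e]+$/.test(text) ? text : null; // printable ASCII only
}

function scanScript(source) {
  const findings = [];
  for (const match of source.matchAll(B64_LITERAL)) {
    const decoded = decodeBase64(match[1]);
    if (decoded === null) continue;
    const hits = INDICATORS.filter(([, re]) => re.test(decoded)).map(([name]) => name);
    if (hits.length > 0) findings.push({ literal: match[1], decoded, indicators: hits });
  }
  return findings;
}

// Constructed sample with the shape the article describes (endpoint and chat id
// present only in Base64 form). Token and chat id are placeholders, not real
// values; the third literal is benign and must not be reported.
const ENC_ENDPOINT = Buffer.from(
  "https://api.telegram.org/bot123456:PLACEHOLDER_TOKEN/sendMessage"
).toString("base64");
const ENC_CHAT = Buffer.from("chat_id=-100PLACEHOLDER").toString("base64");
const ENC_BENIGN = Buffer.from("Thanks for your order!").toString("base64");
const SAMPLE_SCRIPT = `
  var u = atob("${ENC_ENDPOINT}");
  var c = atob("${ENC_CHAT}");
  var msg = atob("${ENC_BENIGN}");
`;

console.log(scanScript(SAMPLE_SCRIPT));
```

Running this over the scripts served on a checkout page (or over a crawler's captured copies of them) gives a cheap first pass; skimmers that assemble the endpoint from several fragments or use a different encoding need dynamic analysis, and as Segura's description of the trigger shows, that analysis has to be done on a URL that looks like a checkout page.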

“The exfiltration is triggered only if the browser’s current URL contains a keyword indicative of a shopping site and when the user validates the purchase. At this point, the browser will send the payment details to both the legitimate payment processor and the cybercriminals,” Segura explained.

This data exfiltration mechanism, the researcher noted, is efficient and doesn't require cybercriminals to maintain infrastructure that could be taken down or blocked by defenders.

“They can even receive a notification in real time for each new victim, helping them quickly monetize the stolen cards in underground markets,” he added.
