16 November 2020

New skimmer attack uses WebSockets and a fake credit card form to steal data

Security researchers have shared details of a new skimmer attack that exhibits a level of sophistication rarely seen in such campaigns. The attack, detected by Akamai, targets online e-commerce sites built on a range of frameworks and uses an unusual technique, WebSocket connections, to exfiltrate payment card information.

“Online stores are increasingly outsourcing their payment processes to third-party vendors, which means that they don't handle credit card data inside their store. To overcome this, the attacker creates a fake credit card form and injects it into the application's checkout page. The exfiltration itself is done by WebSockets, which provide the attacker a more silent exfiltration path,” Akamai said.

The attackers inject a loader into the page source as an inline script; the loader fetches a malicious JavaScript file from the attackers' command and control server. Once the external script is loaded, the skimmer stores its generated session ID and the client IP address in the browser's LocalStorage. Those parameters are sent as part of the data exfiltration later in the session.

To obtain the end user's IP address, the skimmer queries a Cloudflare API, Akamai said.

The use of WebSockets is notable because skimmer attacks typically exfiltrate data using XHR requests or HTML tags. Once the skimmer is loaded in the target page, it opens a WebSocket connection to its command and control server and keeps it alive by sending ping messages at intervals. The skimmer tracks the sensitive input fields in the targeted page and sends their values every time their content changes.

“The usage of WebSockets provides the attacker a better hiding mechanism as the requests that are being sent will be more "silent." Also, a lot of CSP policies don't limit WebSockets usage,” the researchers explained.
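The CSP gap the researchers mention can be checked mechanically. The following is an added example (not code from the article or from Akamai) that parses a Content-Security-Policy header and reports whether it would let a checkout page open a WebSocket to a given origin; the shop, CDN and C2 hostnames are constructed placeholders, and the source matching is a simplified form of the CSP3 rules (no path matching).

```javascript
// Added example for illustration; simplified CSP3 source matching, not a browser's implementation.
const DEFAULT_PORT = { http: '80', https: '443', ws: '80', wss: '443' };
const SCHEME_UPGRADES = { http: ['https'], ws: ['wss', 'http', 'https'], wss: ['https'] }; // CSP3 scheme-part rules

function parseCsp(header) {                      // directive name -> source list; first occurrence wins
  const d = Object.create(null);
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !(name.toLowerCase() in d)) d[name.toLowerCase()] = sources;
  }
  return d;
}
const schemeMatches = (src, t) => src === t || (SCHEME_UPGRADES[src] || []).includes(t);
// Scheme-less host sources and 'self' follow the page scheme or its secure/WebSocket counterpart
const pageSchemeOk = (p, t) => (p === 'http' ? ['http', 'https', 'ws', 'wss'] : [p, 'wss']).includes(t);
const effectivePort = (u) => u.port || DEFAULT_PORT[u.protocol.slice(0, -1)];
function hostMatches(pattern, host) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) return host.endsWith(pattern.slice(1)) && host.length > pattern.length - 1;
  return pattern === host;
}

function sourceMatches(src, target, page) {
  const s = src.toLowerCase(), t = target.protocol.slice(0, -1), p = page.protocol.slice(0, -1);
  if (s === "'self'") return pageSchemeOk(p, t) && target.hostname === page.hostname && effectivePort(target) === effectivePort(page);
  if (s.startsWith("'")) return false;                                   // 'none', nonces and hashes never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return schemeMatches(s.slice(0, -1), t); // scheme source, e.g. wss:
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\*|\d+))?(?:\/.*)?$/.exec(s); // [scheme://]host[:port][/path]
  if (!m) return false;
  const [, scheme, host, port] = m;
  const schemeOk = scheme ? schemeMatches(scheme, t) : pageSchemeOk(p, t);
  const portOk = port === '*' || (port ? port === effectivePort(target) : target.port === '');
  return schemeOk && hostMatches(host, target.hostname) && portOk;
}

// WebSocket connections are governed by connect-src, falling back to default-src; with neither present
// the policy does not restrict them at all, which is the gap the researchers describe.
function cspAllowsWebSocket(header, wsUrl, pageUrl) {
  const d = parseCsp(header);
  const sources = d['connect-src'] || d['default-src'];
  if (!sources) return { allowed: true, reason: 'no connect-src or default-src: WebSockets unrestricted' };
  const target = new URL(wsUrl), page = new URL(pageUrl);
  const hit = sources.find((src) => sourceMatches(src, target, page));
  return hit ? { allowed: true, reason: `allowed by source ${hit}` } : { allowed: false, reason: 'no matching source' };
}

// Constructed sample: a checkout page whose policy locks down scripts and images but has no connect-src
const PAGE = 'https://shop.example/checkout';   // hypothetical store
const C2 = 'wss://c2.example.net/socket';       // hypothetical exfiltration endpoint
console.log(cspAllowsWebSocket("script-src 'self' https://cdn.example; img-src *", C2, PAGE));
console.log(cspAllowsWebSocket("default-src 'self'; script-src 'self' https://cdn.example", C2, PAGE));
```

A policy that reports `allowed: true` for a host the store never talks to is one to tighten with an explicit `connect-src` listing only the expected origins.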

Since many e-commerce sites outsource their payment processes to third-party vendors, the skimmer injects a fake credit card form into the page before the user is redirected to the third-party vendor, which allows it to capture the user's credit card details.

“The form even validates the user input and the credit card information and shows the user relevant error messages. Once the user clicks on the fake "Pay" button, the skimmer shows a message that the payment cannot be processed and lets the user continue with the real flow of the application,” the researchers noted.
