Symantec cybersecurity experts: The malware deployment is preceded by a reconnaissance with the AdFind tool. The victims are large organizations.
Akamai: New skimmer exploits websocket and fake credit card form to steal sensitive data
The skimmer behaviour
According to cybersecurity experts, the actual malicious behavior of the skimmer occurs on the application's sensitive pages, such as the checkout, login, or new account registration pages. It checks the page URL in order to decide whether it is running on a sensitive page. Once loaded in a sensitive page, the skimmer initiates a WebSocket connection with its C2 server. After that, the skimmer registers new event listeners on all the input, form, and button elements in the page. Once an event fires, the skimmer collects the input field values and exfiltrates them over its open WebSocket connection to the C2 server.
The new sophisticated mechanisms adopted by the cybercrime actors
Akamai explained that the cybercrime actors implemented some sophisticated mechanisms:
- Data exfiltration using WebSockets. Unlike other skimmer attacks, which mostly exfiltrate the data using XHR requests or HTML tags, this one exfiltrates the users’ sensitive information via WebSockets. Once the skimmer is loaded in the target page, it initializes a WebSocket communication with its C2 server and keeps it open by sending ping messages at intervals. It tracks the sensitive input fields in the targeted page and sends their values for every change occurring in their content. The usage of WebSockets provides the attacker a better hiding mechanism, as the requests being sent will be more “silent.” Also, many CSP policies don’t restrict WebSocket usage.
- Fake credit card form. Some of the targeted stores don’t handle the payment process by themselves, but use a third-party provider to handle the payment process. In that case, once the user completes filling in their personal information, they are redirected to the third-party vendor in order to provide credit card information and complete the transaction. The skimmer will not be able to inject itself into the third-party vendor's page to get the end user's credit card information. For this case, it creates a fake credit card form in the page before the user is redirected to the third-party vendor. The form even validates the user input and the credit card information and shows the user relevant error messages. Once the user clicks on the fake “Pay” button, the skimmer shows a message that the payment cannot be processed and lets the user continue with the real flow of the application.
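The point that many CSP policies leave WebSockets unrestricted is worth checking against a concrete policy. The following is an added example, not code from Akamai's report or from the skimmer: a simplified model of how a browser's Content-Security-Policy gates a WebSocket connection (connect-src, falling back to default-src), run over three constructed policies for a hypothetical checkout page and a placeholder C2 socket endpoint. The page origin, the C2 URL and the policies are assumptions constructed for the demonstration.

```javascript
// Added example: simplified model of CSP WebSocket gating (not Akamai's code).
// "directive v1 v2; directive ..." -> { directive: [v1, v2] }
function parsePolicy(policy) {
  const out = {};
  for (const part of policy.split(";")) {
    const t = part.trim().split(/\s+/).filter(Boolean);
    if (t.length) out[t[0].toLowerCase()] = t.slice(1);
  }
  return out;
}

// Simplified CSP3 source-expression matching: keywords, scheme-source, host-source.
function sourceMatches(expr, target, page) {
  const e = expr.replace(/^'|'$/g, "").toLowerCase();
  if (e === "none") return false;
  if (e === "*") return true;
  if (e === "self") {                       // same host; https/wss upgrades count
    const schemeOk = target.protocol === page.protocol ||
      ["https:", "wss:"].includes(target.protocol) ||
      (page.protocol === "http:" && target.protocol === "ws:");
    return schemeOk && target.host === page.host;
  }
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return target.protocol === e; // e.g. "wss:"
  const m = e.match(/^(?:([a-z]+):\/\/)?(\*\.)?([^/:]+)(?::(\d+))?/);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && target.protocol !== scheme + ":") return false;
  if (port && target.port !== port) return false;
  return wildcard ? target.hostname.endsWith("." + host) : target.hostname === host;
}

// WebSockets fall under connect-src, then default-src; with neither, no limit.
function websocketAllowed(policy, wsUrl, pageUrl) {
  const d = parsePolicy(policy);
  const sources = d["connect-src"] || d["default-src"];
  if (!sources) return true;
  const target = new URL(wsUrl), page = new URL(pageUrl);
  return sources.some((s) => sourceMatches(s, target, page));
}

// Constructed sample: a checkout page and a placeholder skimmer C2 socket.
const PAGE = "https://shop.example/checkout", C2 = "wss://c2.invalid/ws";
const SAMPLE_POLICIES = {
  scriptOnly: "script-src 'self' https://cdn.example; img-src 'self'",
  openConnect: "default-src 'self'; connect-src *",
  tight: "default-src 'self'; connect-src 'self' wss://api.shop.example",
};

function evaluateSamples() {
  const out = {};
  for (const [name, csp] of Object.entries(SAMPLE_POLICIES)) out[name] = websocketAllowed(csp, C2, PAGE);
  return out; // { scriptOnly: true, openConnect: true, tight: false }
}
```

Only the policy that pins connect-src to known endpoints stops the socket; a policy that covers scripts and images alone, or allows any connect-src, leaves the exfiltration channel open.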