
Cybercrime, new skimmer exploits websocket and fake credit card form

Akamai: New skimmer exploits websocket and fake credit card form to steal sensitive data

A new skimmer attack targeting online e-commerce sites built with different frameworks exploits WebSockets and a fake credit card form. It was discovered by Akamai cybersecurity experts. The cybercrime actors created a fake credit card form and inject it into the application’s checkout page. The exfiltration itself is done over WebSockets, which give the attacker a quieter exfiltration path. The skimmer injects a loader into the page source. Once executed, a malicious JavaScript file is requested from the skimmer’s command and control (C2) server. When the external script is loaded, the skimmer stores its generated session ID and the client IP address in the browser’s LocalStorage. To obtain the end-user IP address, the skimmer uses a Cloudflare API.

The skimmer behaviour

According to cybersecurity experts, the skimmer’s actual malicious behavior occurs on the application’s sensitive pages, such as the checkout, login, or new account registration pages. It checks the page URL to decide whether it is running on a sensitive page. Once loaded on a sensitive page, the skimmer initiates a WebSocket connection with its C2 server. It then registers new event listeners on all the input, form, and button elements in the page. When those fire, the skimmer maps the input field values and exfiltrates them over its open WebSocket connection to the C2 server.

The new sophisticated mechanisms adopted by the cybercrime actors

Akamai explained that the cybercrime actors implemented several sophisticated mechanisms:

  • Data exfiltration using WebSockets. Unlike other skimmer attacks, which mostly exfiltrate data using XHR requests or HTML tags, this one exfiltrates the users’ sensitive information via WebSockets. Once the skimmer is loaded in the target page, it initializes a WebSocket connection with its C2 server and keeps it open by sending ping messages at intervals. It tracks the sensitive input fields in the targeted page and sends their values on every change to their content. The use of WebSockets gives the attacker a better hiding mechanism, as the requests being sent are more “silent.” Also, many CSP policies don’t limit WebSocket usage.
  • Fake credit card form. Some of the targeted stores don’t handle the payment process themselves, but use a third-party provider for it. In that case, once the user has filled in their personal information, they are redirected to the third-party vendor to provide credit card information and complete the transaction. The skimmer cannot inject itself into the third-party vendor’s page to get the end user’s credit card information. For this case, it creates a fake credit card form in the page before the redirect to the third-party vendor. The form even validates the user input and the credit card information and shows the user relevant error messages. Once the user clicks the fake “Pay” button, the skimmer shows a message that the payment cannot be processed and lets the user continue with the real flow of the application.
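The first point above is that many CSP policies never restrict where a page script may open a WebSocket. The following is an added example (not Akamai's tooling and not a complete CSP engine) that checks whether a given Content-Security-Policy governs WebSocket connections at all: it resolves the effective directive (connect-src, falling back to default-src) and matches a wss:// URL against it. The header strings, hostnames and the C2 URL are constructed for illustration.

```python
from urllib.parse import urlparse

# Constructed CSP checker for this article (not Akamai's tooling, not a full CSP engine):
# does a policy let page scripts open WebSockets to arbitrary hosts?

# CSP3 scheme matching: a source scheme also covers these URL schemes.
SCHEME_COVERS = {"http": {"http", "https", "ws", "wss"}, "https": {"https", "wss"},
                 "ws": {"ws", "wss"}, "wss": {"wss"}}

# Constructed sample headers: WEAK never mentions connections, HARDENED pins connect-src.
WEAK = "script-src 'self' https://cdn.example.test; img-src *; style-src 'self'"
HARDENED = ("default-src 'self'; script-src 'self' https://cdn.example.test; "
            "connect-src 'self' https://api.payments.example.test")

def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [source expressions]}; first directive wins."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().lower().split()
        if tokens:
            policy.setdefault(tokens[0], tokens[1:])
    return policy

def _matches(expr: str, url, page_host: str) -> bool:
    """Does one source expression cover the WebSocket URL?"""
    if expr == "*":
        return url.scheme in SCHEME_COVERS["http"]      # '*' covers network schemes
    if expr == "'self'":
        return url.hostname == page_host                # simplified: host only
    if expr.startswith("'"):
        return False                                    # 'none', nonces, hashes
    if expr.endswith(":"):                              # scheme-source such as "wss:"
        return url.scheme in SCHEME_COVERS.get(expr[:-1], {expr[:-1]})
    src = urlparse(expr if "://" in expr else "//" + expr)
    if src.scheme and url.scheme not in SCHEME_COVERS.get(src.scheme, {src.scheme}):
        return False
    if src.hostname.startswith("*."):
        return url.hostname.endswith(src.hostname[1:])  # subdomains only
    return url.hostname == src.hostname

def websocket_allowed(header: str, ws_url: str, page_host: str) -> bool:
    """True if a script on page_host may open a WebSocket to ws_url under header.
    Connections fall under connect-src, then default-src; with neither, CSP is silent."""
    policy = parse_csp(header)
    sources = policy.get("connect-src", policy.get("default-src"))
    if sources is None:
        return True
    url = urlparse(ws_url)
    if url.hostname is None:
        return False
    return any(_matches(s, url, page_host) for s in sources)
```

Run against a site's real CSP, a policy that returns True for an arbitrary wss:// host is one where this exfiltration channel is not constrained by CSP and must be caught elsewhere (script integrity, network monitoring).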
