New skimmer attack uses WebSockets to evade detection

Experts spotted a new skimmer attack that used an alternative technique to exfiltrate payment information from payment cards.

Researchers from Akamai discovered a new skimmer attack that is targeting several e-stores with a new technique to exfiltrate data.

Threat actors are using fake credit card forum and WebSockets to steal the financial and personal information of the users.

“Online stores are increasingly outsourcing their payment processes to third-party vendors, which means that they don’t handle credit card data inside their store. To overcome this, the attacker creates a fake credit card form and injects it into the application’s checkout page. The exfiltration itself is done by WebSockets, which provide the attacker a more silent exfiltration path.” reads the post published by Akamai.

Hackers use a software skimmer to inject a loader into the page source as an inline script. Once executed, a malicious JavaScript file is requested from the a C2 server (at https[:]//tags-manager[.]com/gtags/script2).

Upon loading the script from the external server, the skimmer stores in the browser’s LocalStorage its generated session-id and the client IP address.

Attackers leverage Cloudflare’s API to obtain the user’s IP address, then use a WebSocket connection to exfiltrate sensitive information from pages involving the checkout, login, and new account registration pages.

The distinctive aspect of this attack is the use of WebSockets, instead of HTML tags or XHR requests, to extract the information from the compromised site that makes this technique more stealth. The use of WebSockets allows bypassing a lot of CSP policies.

Experts noticed that for those e-stores that handle the payment process through a third-party provider, the skimmer creates a fake credit card form in the page before it is redirected to the third-party vendor.

“Akamai sees new and subtly modified web application client-side attacks, such as this example, on nearly a weekly basis. Given the obfuscated nature and supply chain origination of in-browser attacks, traditional CSP-reliant approaches miss most of these types of attacks.” concludes the company.

“Our security portfolio has embraced and invested in bringing to market a web skimming protection product called Page Integrity Manager, which focuses on the script execution behavior with unprecedented visibility into the runtime environment. It collects information about the different scripts that run in the web page, each action they take, and their relation to other scripts in the page. Pairing this data with our multilayered detection approach — leveraging heuristics, risk scoring, AI, and other factors — allows Page Integrity Manager to detect different types of client-side attacks, with a high focus on data exfiltration and web skimming attacks.”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, web skimmer)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.