Search This Blog

Showing posts with label Card Skimming. Show all posts

Microsoft: Credit Card Stealers are Switching Tactics to Conceal the Attack


Attackers are manipulating e-commerce checkout websites and capturing payment card information by utilising picture files with a concealed malicious PHP script. According to Microsoft, card-skimming malware is increasingly employing malicious PHP scripts on web servers to modify payment sites and circumvent browser safeguards activated by JavaScript code. 

Card-skimming malware has changed its approach, according to Microsoft threat analysts. Card skimming has been dominated over the past decade by the so-called Magecart malware, which uses JavaScript code to inject scripts into checkout pages and transmit malware that grabs and steals payment card information. Injecting JavaScript into front-end processes was very conspicuous, according to Microsoft, because it might have triggered browser defences such as Content Security Policy (CSP), which prevents external scripts from loading. 

By attacking web servers with malicious PHP scripts, attackers discovered a less noisy method. In November 2021, Microsoft discovered two malicious image files on a Magento-hosted server, one of which was a fake browser favicon. Magento is a well-known e-commerce system. The images included an embedded PHP script, which did not run on the compromised web server by default. Instead, in order to only target shoppers, the PHP script only starts after validating via cookies that the web admin is not currently signed-in. 

The PHP script obtained the current page's URL and looked for the keywords "checkout" and "one page," which are linked to Magneto's checkout page. "The insertion of the PHP script in an image file is interesting because, by default, the webserver wouldn't run the said code. Based on previous similar attacks, we believe that the attacker used a PHP 'include' expression to include the image (that contains the PHP code) in the website's index page, so that it automatically loads at every webpage visit," Microsoft explained. 

Malicious PHP is increasingly being used in card-skimming malware. Last week, the FBI issued a warning about new examples of card-skimming attackers infecting US business checkout sites with web shells for backdoor remote access to the webserver using malicious PHP. Sucuri discovered that PHP skimmers targeting backend web servers were responsible for 41% of new credit card-skimming malware discovered in 2021. Magecart Group 12 is distributing new web shell malware, according to Malwarebytes, that dynamically loads JavaScript skimming code via server-side requests to online merchants. 

Malwarebytes' Jérôme Segura noted, "This technique is interesting as most client-side security tools will not be able to detect or block the skimmer. Unlike previous incidents where a fake favicon image was used to hide malicious JavaScript code, this turned out to be a PHP web shell."    

However, dangerous JavaScript is still used to skim cards. Card-skimming malware based on JavaScript spoofing Google Analytics and Meta Pixel (previously Facebook Pixel) scripts, for example, was discovered by Microsoft.

WooCommerce Credit Card Stealer Found Implanted in Fake Images


Card skimming and card details theft is one such sophisticated technique attack that seldom fails. Earlier this week, cybersecurity researchers at Sucuri blog unmasked a malicious campaign where a credit card swiper was injected into WordPress’ wp-settings.php file. The WooCommerce customers reported that images were disappearing from the cart almost as soon as they were uploaded. 

According to researchers, the credit card skimmer was buried deep down into the file titled '../../Maildir/sub.main', and it was easy to miss on a casual review. Scammers usually prefer to deploy malicious content out of the way so it is more difficult to detect. The common tactic employed is to create directories that look like system directories, or to place malware in existing core CPanel or other server directories. 

Upon analyzing the malicious file, researchers uncovered over 150 lines of code that had been obfuscated with str_rot13 and base64. Attackers also used multiple functions to store credit card data concealed in the wp-content/uploads/highend/dyncamic.jpg image file. When decoded, that data revealed not only credit card details submitted to the site, but also admin credentials to the site’s backend. 

Injecting card skimmers into WordPress plugin files is the newest trend, avoiding the heavily watched ‘wp-admin’ and ‘wp-includes’ core folders, where most injections are short-lived. It is one of the most lucrative and stealth attack tactics employed by scammers to make money. 

There are a couple reasons why this is a useful tactic. The primary reason is that it makes it very easy for scammers to download the stolen details in their browser or a console. Secondly, most website/server malware detection scans focus on website file extensions such as PHP, JS, and HTML. Image files, particularly those in a wp-content/uploads sub-directories, can sometimes be overlooked.

“Scammers are aware that most security plugins for WordPress contain some way to monitor the file integrity of core files (that is, the files in wp-admin and wp-includes directories). This makes any malware injected into these files very easy to spot even by less experienced website administrators. The next logical step for them would be to target plugin and theme files,” researchers explained.

Payment Card Skimming Resurfaces with an Internet Twist


Card skimming has existed prior to the mainstream internet and is experiencing a revival as financial fraudsters recognise new potential to combine physical world data theft with online intrusion to steal even more money and information than ever. Only a week ago, it was announced that over 500 online retail sites were victims of a large "card skimming" incident, in which threat actors placed a device that allowed them to duplicate and steal the data from valid debit and credit cards as they were used for purchases. 

Card skimming fraudsters used to implant a physical device into ATMs or payment terminals to steal information from genuine consumers' payment cards. Nowadays, since online shopping is more popular than ever, cyber thieves are utilising malware placed into the checkout pages of online commerce sites to acquire credit card information, which they can then resell or use in their own nefarious schemes. 

Sansec, a malware and vulnerability detection firm that works with over 7,000 online retailers, was among the first to notice this fraudulent card skimming activity earlier this month. The vendor proposes "cleaning" the affected retail sites in order to remove the harmful code, but experts fear that these cyber-skimmers may just shift their strategy and look for "backdoors" through which they can implement their viruses. 

Many of these new card-skimming attacks, as well as other card information theft tactics where the card is not physically present at the moment of transaction, have been linked to the Magecart cybercriminal gang. Furthermore, if mobile phones begin to have card readers, this situation may worsen. 

The cybersecurity firm was able to speak with the administrators of the hijacked websites, according to another report by Ars Technica. They noticed that the hackers used a SQL injection flaw as well as a PHP object injection attack. Both were apparently using Quickview, a Magento 2 extension that allows buyers to quickly view product information without having to load the listings. 

The hackers were able to add an additional validation rule to the customer_eav_attribute table by misusing the Magento plugin. Furthermore, the credit card skimming group injected a payload onto the site. In order for the code to run successfully, the hackers must first "unserialize" the data on Magento. They would then log in as a new guest on the website.

Credit Cards Were Forged from a Prominent e-Cigarette Store


Since being breached, Element Vape, a famous online retailer of e-cigarettes including vaping kits, is harboring a credit card skimmer on its website. In both retail and online storefronts in the United States and Canada, this retailer provides e-cigarettes, vaping equipment, e-liquids, and Synthetic drugs.
Its website Element Vape is uploading a potentially Malicious file from either a third-party website that appears to be a credit card stealer. Magecart refers to threat actors who use credit card cybercriminals on eCommerce sites by infiltrating scripts. 

On numerous shop webpages, beginning with the homepage, a mystery base64-encoded script may be seen on pages 45-50 of the HTML source code. For an unknown period of time, the computer worm has so far been present on 

This code was gone as of February 5th, 2022, and before, according to a Wayback Machine review of As a result, the infection appears to have occurred more recently, probably after the date and before today's detection. When decoded, it simply fetches the appropriate JavaScript file from a third-party site :


When this script was decoded and examined, it was apparent – the collection of credit card and invoicing information from clients during the checkout. The script looks for email addresses, payment card details, phone numbers, and billing addresses (including street and ZIP codes). 

The attacker acquires these credentials via a predefined Telegram address in the script which is disguised. The code also has anti-reverse-engineering features which check if it's being run in a sandbox or with "devtools" to prevent it from being examined.

It's unclear how the backend code of was altered in the first place to allow the malicious script to enter. Reportedly, this isn't the first instance Element Vape's security has been breached. Users reported getting letters from Element Vape in 2018 indicating the company had a data breach so the "window of penetration between December 6, 2017, and June 27, 2018, might have revealed users" personal details to threat actors. 

Target Reveals Its Personal Skimming Detection Tool

Web skimming is a major problem for e-commerce shops and websites over the past few years. The attacks include simple script injections into payment platforms and breaches of genuine third-party services and scripts. Often referred to as Magecart attacks, these have become one of the leading reasons for card-not-present (CNP) fraud and affect small and big brands in the same manner, and also impact e-commerce platforms. Top e-commerce retailers, Target went in solutions a few years back to deal with this problem and keep their customers safe when shopping on the Target website.
As there were not many ready-to-detect tools for these attacks back then, two computer security experts thought about making one. After going live and in use for more than three years, company's client-side scanner has now been issued as an open-source project named Merry Maker. Merry Maker constantly affects online surfing and executes test transactions to scan for any harmful code. 

Merry Maker works as a guest on by executing various general tasks that include online purchases. In this process, the tool stores and analyzes various types of information which includes network requests, browser activity, and JavaScript files to check for any suspicious activity. 

About Card Skimming 

Card skimming is an attack where a harmful device is deployed at the point of authorized transaction to steal financial credentials. In the real world, skimming devices are attached to the card slots of ATMs or gas pump payment platforms to store data encrypted on the card's magnetic stripe. These generally come with a PIN pad or small cameras that plans to steal PINs types by users. 

These chip-based cards use encryption along with other transaction authentication and verification features are meant to challenge such types of card attacks. "Web skimming groups use sophisticated techniques to make their keylogging code hard to detect. The code can be heavily obfuscated and added to existing JavaScript files or even stored in other types of resources such as CSS or even embedded into images or it can be hosted on third-party domains," writes CSO.

To Stay Under the Radar, Magecart Credit Card Skimmer Avoids VMs


A new Magecart threat actor is utilizing a digital skimmer to steal people's payment card information from their browsers. It uses a unique kind of evasion to circumvent virtual machines (VM) so it only targets actual victims and not security researchers. Researchers from Malwarebytes found the new campaign, which adds an extra browser process that checks a user's PC for VMs using the WebGL JavaScript API, according to a blog post published Wednesday. 

It accomplishes this by determining whether the operating system's graphics card driver is a software renderer fallback from the hardware (GPU) renderer. The skimmer is searching for the words swiftshader, llvmpipe, and VirtualBox in the script. SwiftShader is used by Google Chrome, while llvmpipe is used by Firefox as a backup renderer. 

 “By performing this in-browser check, the threat actor can exclude researchers and sandboxes and only allow real victims to be targeted by the skimmer,” Malwarebytes Head of Threat Intelligence Jérôme Segura wrote in the post. 

Magecart is an umbrella term for various threat organizations that infect e-commerce websites with card-skimming scripts on checkout pages in order to steal money and personal information from customers. Because security researchers are so familiar with their activities, they are always seeking new and inventive ways to avoid being detected. 

The most frequent way for evading detection, according to Segura, is detecting VMs used by security researchers and sandboxing solutions that are intended to pick up Magecart activity. "It is more rare to see the detection of virtual machines via the browser for web-based attacks," he said. Threat actors typically filter targets based on geolocation and user-agent strings, according to Segura. 

Researchers discovered that if the machine passes the check, the process of personal data exfiltration can proceed regularly. The customer's name, address, email, phone number, and credit card information are all scraped by the skimmer. “It also collects any password (many online stores allow customers to register an account), the browser’s user-agent, and a unique user ID. The data is then encoded and exfiltrated to the same host via a single POST request,” said Segura. 

To help consumers avoid being targeted and compromised by the campaign, Malwarebytes has released the skimmer code as well as a thorough list of indicators of compromise in its post.

Stolen Card Validation Service Illuminated A New Corner of the Skimming Ecosystem


In the recent analysis, experts discovered that the digital credit card skimming ecosystem evolves as experts identify new players, tooling, services, and economies that make it up in much of the recent threat infrastructure studies. Experts also noticed that significant patterns emerge in the infrastructure that these groups utilize and share. 

Many domains used for digital skimming and other criminal activities have been hosted on Alibaba IP space in recent years. Because bulletproof hosting companies host a large percentage of skimming campaigns, Alibaba IP space's popularity could be due to one of these bulletproof services exploiting Alibaba hosting services. Some of these domains have recently been accused of abusing Google's user content hosting service. 

While looking into the MobileInter skimmer's infrastructure, the analysts discovered that one of its skimmer domains was temporarily hosted by a Google IP address. This IP then hosted a domain that offered card skimmers a useful service that allowed them to validate stolen payment data for a fee. The experts were able to discover multiple associated websites, services, and social media accounts connected to this authentication activity known as bit2check using RiskIQ's Internet Intelligence Graph. Some bit2check names have been spotted abusing Alibaba and Google hosting services in the same way as that of Magecart domains.

Following additional investigation, the analysts discovered that the person behind bit2check is a Kurdish actor who goes by the name Hama. There was no apparent relationship between an individual and the bulletproof hosting operation seen on Alibaba. On the other hand, this connection could lead to more information about who is providing these malicious hosting services. 

The bit2check website advertises a bit2check Telegram group and promotes itself as the "greatest CVV/cc checker in town." Many Kurdish language telegram channels also link to the bit2check site and others, including bin-checker[.]net, which is a free version of bit2check. These card-skimming services promote each other through links on their websites and Telegram channels. 

The domains and accounts linked to Hama are also associated with the activities of other players in the carding sector. Code produced by another actor known as namso can be seen on some of Hama's websites. A directory called namso_files can be found in Hama's Github source. 

Since RiskIQ first reported on Magecart in 2016 and its historic attack against British Airways in 2018, they have been investigating browser-based card skimming. 

Bit2check is another part of this vast ecosystem that caters to skimmers looking to validate their loot or buy more stolen information. Many of the companies in this ecosystem network, both the skimmers and the services that cater to them, are using the same strategies and infrastructure, according to RiskIQ.

Outdated Magneto 1 Witnessed Credit Card Skimming Threats


Magento is an open-source code e-commerce site that supplies online traders with a scalable shopping cart system, and managing their online store's layout, content, and features. Lately, threat actors began leveraging a flaw in the ‘Magento 1’ branch that has not been managed any longer in the fall of 2020. 

Thousands of retailers worldwide on the platform are encouraged to upgrade the mobile version to ‘Magento 2’, as thousands of e-commerce shops were hacked with the credit card skimming code infecting all of them. During the tracking of events related to the ‘Magento 1’ initiative, observably, an e-commerce shop was attacked twice by skimmers. 

In this particular incident, the threat actors devised a copy of their writings that is well-known to places that were already injected by the Magento 1 skimmer. The second skimmer will now actually collect the credit card data from the pre-existing fake form which were previously injected by the actors.

"A large number of Magento 1 sites have been hacked but yet are not necessarily being monetized,” as stated by the researcher at Malwarebytes. He further added that “Other threat actors that want access will undoubtedly attempt to inject their own malicious code. When that happens, we see criminals trying to access the same resources and sometimes fighting with one another.” 

The end-of-life of Magento 1, paired with a famous feat, was an immense blessing for the actors at risk. Many pages were indiscriminately compromised merely because they were weak. RiskIQ has allocated these cases to Magecart Group 12, which uses diverse tactics including chain threats with a long history of web skimming.

On the payment websites of Costway, one of the leading retailers in North America and Europe, two web skimmers have been found selling appliances, furniture, etc. The skimmers seek to provide payment information with consumers' credit card. “Our crawlers identified that the websites for Costway France, U.K., Germany, and Spain, which run the Magento 1 software, had been compromised around the same time frame,” said researchers. 

On the Costway check-out page, the researchers noticed the credit card skimmer injection, which stands out in English while the majority of the platform is in French. This is no surprise considering the automated and very indiscriminate Magento 1 hacking campaign. 

The threat to victims is huge, as scientists claim that just in December 2020, Costway's French portal (Costway[.]fr) received approximately 180K tourists. There is also a second skimmer (loaded from the securityxx[.]top externally) on the web which targets the skimmer of Magento 1. 

Many Magento 1 websites have been compromised, but they are not monetized yet. Additional attacks would certainly continue to inject their own malicious code.

More than 17,000 Domains Affected with Code which Steals Card Data

Cybercriminals running Magecart operations have added payment card skimming code to more than 17,000 domains with JavaScript files in misconfigured Amazon S3 buckets.

Cybercriminals exploited the lack of access control in Amazon's cloud storage services and affected over 17,000 domains via automated attacks which reconstructed JavaScript code randomly, without monitoring if the code could load a payment page.

The exploit came as a part of Megacart operations, originated in the month of April; attackers injected payment card skimming code to a high number of domains with JavaScript files in poorly configured Amazon S3 buckets which granted writing permissions to the person finding them.

According to the security researchers at RiskIQ, the discovery of these S3 buckets had been automated by the authors of the campaign.

Referencing from the findings made by Yonathan Klijnsma, RiskIQ's head of threat research, "Once the attackers find a misconfigured bucket, they scan it for any JavaScript file (ending in .js). They then download these JavaScript files, append their skimming code to the bottom, and overwrite the script on the bucket."

"Even if your bucket has information that anyone can access, it does not mean everyone should be able to modify the content," he added.

The fact that a large number of websites employing Amazon's cloud storage services fell short in fortifying access to the corresponding assets played a major role for Magecart campaign in realizing its malicious objectives.

Cybercriminals Preferring Audio Skimmers Over Flash Skimmers

There has been a rapid increase in the number of web skimming attacks since the advancements in the technological sector; it also resulted in excessive activity in the black market of physical card skimming tools.
Web skimming attacks are designed to capture critical financial data and card details like the name of the holder and sensitive numbers. It is when attackers connect their spying tool to a point-of-sale system (PoS) or an ATM in order to get access to the data that is processed from credit/debit cards via these machines.
The ever evolving ways of web skimming are one of the reasons why it is thriving and remains undetected,  professionals skimmers have formed closed communities which are organized to coordinate during skimming processes and assist the cashers, decoders, engineers, extractors, and vendors with whatever they need.
Advanced Intelligence, a New York based fraud prevention company reported that the usual targets are gas stations, ATMs or PoS terminals. Skimming includes unauthorized access to sensitive financial information for which the cybercriminals mainly rely on upgrades and advancements in technology to produce and circulate products which are unassailable and undetectable.
Another variant includes Audio Skimmers, which have been known to exist since 2010 and the technique employed in Audio Skimming is said to be existing since 1992. The devices involved store the data and encrypt it to capture it in MP3 format. The threat rate of Audio Skimmers multiplies with the camera attached to capture the PIN number and acting as a video skimmer.
Commenting on the matter, Yelisey Boguslaskiy, director of security research at AdvIntel, said, "They use timing-calculating algorithms to “reed” the audio when the card is been scanned by the ATM, which allows them to decode a track in 1-2 seconds and immediately convert it into text format,"
"Russian-speaking real carding communities have traditionally been exclusive and tight-lipped regarding their skimming operations. Skimming developers form exclusive trusted underground criminal networks thereby connecting talented engineers, their trusted sellers, and wealthy carder buyers of such tools,” further added.