Intelligence Reporting

US federal authorities have received an increase in complaints over the past three months of credit card information theft by cyber criminals using web injection to introduce skimming code on e-commerce payment card processing web pages.  Cyber criminals introduced skimming code to the payment card processing websites by gaining access to either the victim’s network or a third-party entity.  The code captured credit card data as the end user entered it in real time.  That information was exfiltrated to an Internet-connected server using a domain name controlled by the actor.  Subsequently, the collected credit card information was either sold or used to make fraudulent purchases.  Any business supporting online payments on their website is at risk of a web injection attack.  This threat has impacted retail, entertainment, and travel industries as well as third-party vendors supporting them.[1]

Cyber Threat: An increase was observed in reporting of online skimming in which cyber criminals compromised e-commerce websites by injecting malicious code to steal credit card information.  The compromises occurred directly through a company’s website, via its third-party payment vendor, or third-party web analytics software. Cyber criminals used phishing emails, default or stolen employee credentials, and other means to gain initial access to a victim’s network.  There have also been instances of criminals exploiting outdated software or third-party platforms to infiltrate a victim company.  Cyber criminals used a tactic similar to cross-site injection to place JavaScript skimmers on compromised victim networks or third-party public facing websites to capture credit card data.  Using the access gained though phishing emails, they laterally moved through the network to access the checkout page of the victim’s e-commerce website.  Once access was gained, cyber criminals injected malicious skimmer code designed to only activate when a payment or checkout page is detected.  Skimmer codes have been found on various pages within a website collecting and exfiltrating the payment data or personally identifiable information to a remote server using a domain name controlled by the cybercriminal. The criminals sold the stolen credit card data on dark-web forums.  The skimming code captured real time data the end user entered on a payment site from either a mobile device or computer.  The FBI assesses cyber criminals likely are unable to collect pre-filled customer information.  Victims have included small to large companies using a variety of third-party payment vendors.  This scheme has resulted in approximately 1.5 million compromised credit cards.

Recommended Mitigations:

The malicious skimmer code has varied in complexity, which limits the ability to identify a specific set of indicators of compromise.  Vulnerable companies should secure e-commerce websites to prevent malicious code injection.  In addition, e-commerce companies should implement proper network segmentation and segregation to limit network exposure and minimize lateral movement of cyber criminals.

Precautionary measures to mitigate these techniques include:

  • Prepare an incident response plan to be implemented in the event of a cyber intrusion.
  • Secure all websites transferring sensitive information by using secure socket layer (SSL) protocol.
  • Conduct regular backups to reduce recovery time in the event of a compromise or cyber intrusion.
  • Install third-party software/hardware from trusted sources.  Coordinate with the manufacturer to ensure their security protocols prevent unauthorized access to data they store and/or process.
  • Patch all systems for critical vulnerabilities, prioritizing timely patching of Internet-connected servers for known vulnerabilities and software processing Internet data, such as web browsers, browser plugins, and document readers.
  • Actively scan and monitor web applications for unauthorized access, modification, and anomalous activities.
  • Regularly conduct network penetration tests, periodic code review, and dynamic application security tests on websites to identify vulnerabilities or misconfigurations.
  • Strengthen credential requirements and implement multi-factor authentication to protect individual accounts.
  • Consider a privileged identity and access management (PAM) solution to manage risk from trusted insiders and third-party vendors with privileged access.
  • Assign unique, complex local administrator passwords to all workstations and other network endpoints to limit potential exposure using the same compromised password.
  • Assign permission codes to website directories and files to help prevent unauthorized access to files containing website scripts.
  • Educate employees on tactics used by cyber criminals to obtain personal information and account access.

For questions, comments or assistance regarding this report, please contact Wapack Labs at 844-492-7225, or feedback@wapacklabs.com

[1] FBI Private Business notification, 11 21 2018 

You need to be a member of Red Sky Alliance to add comments!

Join Red Sky Alliance