Credit card skimming is when someone uses an illegal device to collect the information from the magnetic stripe on your ATM, debit, or credit card. Once the individual has this information, they can copy it over to another card and use it to withdraw cash or make purchases in your name. Considering the potential financial turmoil, it's vital to do everything possible to keep your credit card data safe.
With card skimming, the thief uses a camouflaged counterfeit card reader to record all of the information stored. In addition to ATM machines, there are many other places where credit card skimmers can be used, such as taxis and restaurants. Essentially, these devices can be used anytime someone takes your card to run the charge. In some instances, the scammer can use a hand-held skimmer or a device small enough to fit in their pocket.
Card-skimming malware is increasingly using malicious PHP script on web servers to manipulate payment pages in order to bypass browser defenses triggered by JavaScript code, according to Microsoft.
Microsoft threat researchers have observed a change in tactics used by card-skimming malware. Over the past decade, card skimming has been dominated by so-called Magecart malware that relies on JavaScript code to inject scripts into checkout pages and deliver malware that captures and steals payment card details.
Injecting JavaScript into front-end processes was "very conspicuous", Microsoft notes, because it might have triggered browser protections like Content Security Policy (CSP) that stop external scripts from loading. Attackers found less noisy techniques by targeting web servers with malicious PHP scripts. Microsoft in November 2021 found two malicious image files, including one fake browser favicon, being uploaded to a Magento-hosted server. Magento is a popular e-commerce platform.
The images contained embedded PHP script, which by default did not run on the affected web server. Instead, the PHP script only runs after confirming, via cookies, that the web admin is not currently signed in, in order to target only shoppers.
Once the PHP script was run, it retrieved the current page's URL and looked for "checkout" and "one page", two keywords that are mapped to Magento's checkout page. "The insertion of the PHP script in an image file is interesting because, by default, the web server wouldn't run the said code. Based on previous similar attacks, we believe that the attacker used a PHP 'include' expression to include the image (that contains the PHP code) in the website's index page, so that it automatically loads at every webpage visit," Microsoft explained.
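As an added illustration, not code from Microsoft's report or from this article, here is a small Python scanner a site operator could run over a web server's document root to look for the two artefacts described above: image files that carry a PHP open tag, and PHP files that include an image. The directory layout, file names and sample bytes in demo() are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Two indicators of the technique: a PHP open tag inside an image file,
# and an include/require that pulls an image file into a PHP page.
IMAGE_EXTS = {".ico", ".png", ".jpg", ".jpeg", ".gif", ".svg"}
PHP_EXTS = {".php", ".phtml"}
PHP_TAG = re.compile(rb"<\?(?:php\b|=)")
IMAGE_INCLUDE = re.compile(
    r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]"
    r"([^'\"]+?\.(?:ico|png|jpe?g|gif|svg))['\"]",
    re.IGNORECASE,
)

def scan_webroot(root):
    """Walk a document root; return sorted (indicator, detail) findings."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        data = path.read_bytes()
        ext = path.suffix.lower()
        if ext in IMAGE_EXTS and PHP_TAG.search(data):
            findings.append(("php_in_image", rel))
        elif ext in PHP_EXTS:
            text = data.decode("utf-8", errors="replace")
            for m in IMAGE_INCLUDE.finditer(text):
                findings.append(("image_included", f"{rel} -> {m.group(1)}"))
    return sorted(findings)

def demo():
    """Build a constructed sample webroot in a temp dir and scan it."""
    root = Path(tempfile.mkdtemp())
    (root / "media").mkdir()
    # Clean favicon: header bytes only, no PHP tag (constructed).
    (root / "media" / "favicon.ico").write_bytes(b"\x00\x00\x01\x00" + b"\x00" * 16)
    # Constructed tainted image: PNG magic followed by a PHP open tag.
    (root / "media" / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n<?php /* sample */ ?>")
    # Index page pulling the image in via include, as the report describes.
    (root / "index.php").write_text("<?php\ninclude('media/logo.png');\n")
    # Ordinary PHP include of a .php file: must not be flagged.
    (root / "app.php").write_text("<?php require_once 'lib/helpers.php';\n")
    return scan_webroot(root)

if __name__ == "__main__":
    for indicator, detail in demo():
        print(f"{indicator}: {detail}")
```

Pointing scan_webroot() at a real document root gives the same two indicator types; a hit on either deserves a manual look at the file in question.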
There has been a rise in the use of malicious PHP in card-skimming malware. The FBI last week warned of new cases of card-skimming attackers using malicious PHP to infect US businesses' checkout pages with webshells for backdoor remote access to the web server. Researchers found that 41% of new credit card-skimming malware observed in 2021 was related to PHP skimmers targeting backend web servers.
Malwarebytes earlier this month said Magecart Group 12 was distributing new webshell malware that dynamically loads JavaScript skimming code via server-side requests to online stores. "This technique is interesting as most client-side security tools will not be able to detect or block the skimmer," Malwarebytes' Jérôme Segura noted. "Unlike previous incidents where a fake favicon image was used to hide malicious JavaScript code, this turned out to be a PHP web shell."
But malicious JavaScript remains part of the card-skimming game. For example, Microsoft found examples of card-skimming malware based on JavaScript spoofing Google Analytics and Meta Pixel (formerly Facebook Pixel) scripts. This can trick admins into thinking the scripts are benign.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
• Reporting: https://www.redskyalliance.org/
• Website: https://www.wapacklabs.com/
• LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/3702558539639477516
Article here: TR-22-145-001.pdf