New skimmer attack uses WebSockets to evade detection (Security Affairs)

Experts have discovered a new skimming attack that uses an alternative technique for exfiltrating payment card data.

Akamai researchers have discovered a new skimming attack that uses new data exfiltration techniques to target multiple e-commerce stores.

The threat actors use fake credit card forms and WebSockets to steal users' financial and personal information.

Online stores increasingly outsource their payment processing to third parties, which means that credit card details are never handled on the store's own site. To get around this, the attacker creates a fake credit card form and injects it into the application page. The exfiltration itself is performed over WebSockets, which give the attacker a quieter exfiltration channel.

The attackers insert the skimmer loader into the page's source code as an inline script. When executed, the loader requests the malicious JavaScript file from the C2 server (at https[:]//tags-manager[.]com/gtags/script2).

After downloading the script from the remote server, the skimmer stores the session ID and the client's IP address in the browser's local storage.

The attackers use the Cloudflare API to obtain the user's IP address, then open a WebSocket connection to exfiltrate sensitive information from the checkout, login and new-account registration pages.
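One defensive measure a site owner can put in place against this exfiltration channel, added here as an example and not code from the article or from Akamai: a page-side monitor that wraps the browser's WebSocket constructor so that any connection to an origin outside an allowlist is refused and reported. The function names, the allowlisted origin wss://api.shop.example and the attacker endpoint wss://attacker.example are assumptions; the FakeWebSocket class stands in for the browser's WebSocket so the demo runs under Node.

```javascript
// Added example (not from the article or Akamai): wrap the WebSocket
// constructor so that a skimmer's exfiltration socket to an unknown origin
// is refused and reported. Load it before any third-party script on the
// checkout and login pages; it complements a CSP connect-src, it does not
// replace it.

// Return the origin ("wss://host[:port]") of a ws/wss URL, or null if the
// value is not a parseable WebSocket URL. URL.origin handles ws/wss.
function webSocketOrigin(url) {
  let parsed;
  try {
    parsed = new URL(String(url));
  } catch (err) {
    return null;
  }
  if (parsed.protocol !== 'ws:' && parsed.protocol !== 'wss:') return null;
  return parsed.origin;
}

// An allowlist of exact origins is deliberately strict: a wildcard would let
// a look-alike subdomain through.
function isAllowedWebSocketTarget(url, allowedOrigins) {
  const origin = webSocketOrigin(url);
  return origin !== null && allowedOrigins.includes(origin);
}

// Replace host.WebSocket (window.WebSocket in a browser) with a guarded
// constructor. `report` receives one record per refused connection, which a
// real deployment would send to its own telemetry endpoint. Returns the
// original constructor so the caller can restore it if needed.
function installWebSocketGuard(host, allowedOrigins, report) {
  const Original = host.WebSocket;
  if (typeof Original !== 'function') throw new Error('host has no WebSocket');
  function GuardedWebSocket(url, protocols) {
    if (!isAllowedWebSocketTarget(url, allowedOrigins)) {
      report({
        url: String(url),
        page: host.location ? String(host.location.href) : '',
        // The stack identifies which script tried to open the socket.
        stack: new Error().stack,
      });
      throw new Error('WebSocket to ' + String(url) + ' refused by allowlist');
    }
    return protocols === undefined ? new Original(url) : new Original(url, protocols);
  }
  GuardedWebSocket.prototype = Original.prototype; // keeps instanceof working
  for (const name of ['CONNECTING', 'OPEN', 'CLOSING', 'CLOSED']) {
    GuardedWebSocket[name] = Original[name];
  }
  host.WebSocket = GuardedWebSocket;
  return Original;
}

// Constructed demo: a stand-in WebSocket and a fake window object, so the
// guard can be exercised outside a browser.
class FakeWebSocket {
  constructor(url) {
    this.url = String(url);
    this.readyState = FakeWebSocket.CONNECTING;
  }
}
FakeWebSocket.CONNECTING = 0;
FakeWebSocket.OPEN = 1;
FakeWebSocket.CLOSING = 2;
FakeWebSocket.CLOSED = 3;

function demo() {
  const reports = [];
  const host = {
    WebSocket: FakeWebSocket,
    location: { href: 'https://shop.example/checkout' }, // constructed page
  };
  installWebSocketGuard(host, ['wss://api.shop.example'], (r) => reports.push(r));

  const legit = new host.WebSocket('wss://api.shop.example/live-stock');
  let refused = false;
  try {
    new host.WebSocket('wss://attacker.example/collect'); // constructed exfil target
  } catch (err) {
    refused = true;
  }
  return {
    legitUrl: legit.url,
    legitIsInstance: legit instanceof FakeWebSocket,
    refused,
    reportCount: reports.length,
    reportedUrl: reports.length ? reports[0].url : null,
  };
}
```

The report record carries the stack trace of the caller, which is what tells an analyst which injected script attempted the connection; the guard must be the first script on the page, since a skimmer loaded earlier could capture the original constructor before it is wrapped.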

A unique feature of this attack is the use of WebSockets instead of HTML tags or XHR requests to exfiltrate data from the compromised site, which makes the technique stealthier. WebSocket connections slip past many CSP policies.
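The CSP directive that actually governs WebSocket connections is connect-src (with default-src as its fallback), so the policies this technique slips past are the ones that restrict only script-src or img-src. The following simplified connect-src evaluator, added here as an example and not code from the article or from Akamai, makes that concrete by checking three constructed policies against a constructed checkout page (https://shop.example), a legitimate socket endpoint (wss://live.shop.example) and a skimmer's collector (wss://attacker.example); the function names are assumptions and the matching rules are a simplification of the CSP Level 3 algorithm.

```javascript
// Added example (not from the article or Akamai): a simplified evaluator for
// the CSP directive that governs WebSocket connections, connect-src (with
// default-src as fallback). A policy that only restricts script-src or
// img-src leaves wss:// exfiltration open; a connect-src allowlist closes it.

// Parse "directive value; directive value" into {name: [expressions]}.
// Browsers honour the first occurrence of a duplicated directive.
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

const DEFAULT_PORT = { 'https:': '443', 'wss:': '443', 'http:': '80', 'ws:': '80' };

// Does one source expression match the target URL for a page at `page`?
// Handles 'none', '*', 'self', scheme-source (wss:) and host-source with
// optional scheme, wildcard subdomain and port. Simplified from the CSP
// Level 3 matching algorithm; wss is treated as the secure counterpart of
// https throughout.
function sourceMatches(expr, target, page) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === '*') return true;
  const secureSchemes = ['https:', 'wss:'];
  if (e === "'self'") {
    const schemeOk = target.protocol === page.protocol ||
      (page.protocol === 'https:' && target.protocol === 'wss:') ||
      (page.protocol === 'http:' && ['ws:', 'wss:', 'https:'].includes(target.protocol));
    return schemeOk && target.hostname === page.hostname && target.port === page.port;
  }
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return target.protocol === e; // scheme-source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?((?:\*\.)?[^:\/]+)(?::(\d+|\*))?(?:\/.*)?$/.exec(e);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme) {
    if (target.protocol !== scheme + ':') return false;
  } else if (page.protocol === 'https:' && !secureSchemes.includes(target.protocol)) {
    return false; // no scheme given: an https page only matches secure targets
  }
  const hostOk = host.startsWith('*.')
    ? target.hostname.endsWith(host.slice(1)) && target.hostname.length > host.length - 1
    : target.hostname === host;
  if (!hostOk) return false;
  const targetPort = target.port || DEFAULT_PORT[target.protocol] || '';
  if (port === undefined) return target.port === ''; // only the scheme's default port
  return port === '*' || port === targetPort;
}

// Would a WebSocket from a page at `pageUrl` to `wsUrl` be allowed under
// `policy`? Returns true when no directive governs connections at all.
function cspAllowsWebSocket(policy, wsUrl, pageUrl) {
  const target = new URL(wsUrl);
  const page = new URL(pageUrl);
  const directives = parsePolicy(policy);
  const sources = directives['connect-src'] || directives['default-src'];
  if (sources === undefined) return true;
  return sources.some((expr) => sourceMatches(expr, target, page));
}

// Constructed scenario: a checkout page, its legitimate live-stock socket,
// and a skimmer's wss:// collector.
const PAGE_URL = 'https://shop.example/checkout';
const LIVE_URL = 'wss://live.shop.example/stock';
const EXFIL_URL = 'wss://attacker.example/collect';
const POLICIES = {
  // Restricts scripts and images only: the skimmer's socket is unaffected.
  scriptsOnly: "script-src 'self' https://cdn.shop.example; img-src 'self'",
  // default-src stands in for connect-src: only same-origin sockets survive.
  defaultSelf: "default-src 'self'; script-src 'self' https://cdn.shop.example",
  // Explicit connect-src allowlist naming the one legitimate socket endpoint.
  connectAllowlist: "default-src 'self'; connect-src 'self' wss://live.shop.example",
};

// For each policy: can the exfiltration socket open, and can the legitimate one?
function evaluatePolicies() {
  const result = {};
  for (const [name, policy] of Object.entries(POLICIES)) {
    result[name] = {
      exfilAllowed: cspAllowsWebSocket(policy, EXFIL_URL, PAGE_URL),
      liveAllowed: cspAllowsWebSocket(policy, LIVE_URL, PAGE_URL),
    };
  }
  return result;
}
```

Two points the evaluation brings out: a bare scheme-source such as `connect-src wss:` allows a socket to any host and is no better than no directive for this purpose, and `default-src 'self'` alone would also break a legitimate socket hosted on a separate subdomain, which is why the explicit connect-src allowlist is the policy to aim for.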

Experts have noted that in online stores that process payments through a third party, the skimmer creates a fake credit card form on the page before the customer is handed off to that third party.

Akamai sees new, slightly modified attacks against web application customers almost every week, and this example is one of them. Given the complex nature and origin of browser-based attacks, traditional CSP-based approaches miss most such attacks.

Our security portfolio has introduced a web script security product and invested in Page Integrity Manager, which focuses on script execution behavior with unparalleled visibility into the execution environment. It collects information about the different scripts running on the site, each action they perform, and their relationship with other scripts on the site. By combining this data with our tiered approach to detection – using heuristics, risk assessment, AI and other factors – Page Integrity Manager is able to detect different types of client-side attacks, with a focus on data exfiltration and web skimming attacks.

Pierluigi Paganini

(SecurityAffairs – hacking, web skimming)
