To avoid detection, threat actors running online skimming operations are using malicious JavaScript code that mimics Google Analytics and Meta Pixel scripts.
“It’s a departure from earlier tactics in which attackers conspicuously injected malicious scripts into e-commerce platforms and content management systems (CMSs) via vulnerability exploitation, making this threat highly evasive to traditional security solutions,” the Microsoft 365 Defender Research Team said in a new report.
Skimming attacks, such as those carried out by Magecart, aim to harvest and exfiltrate customers' financial information, such as credit card numbers, that is entered into online payment forms on e-commerce platforms, generally during the checkout process.
This is accomplished by exploiting security flaws in third-party plugins and other tools to inject rogue JavaScript code into internet portals without the owners’ knowledge.
As the number of skimming attacks has risen over time, so has the range of tactics used to conceal the skimming scripts. Malwarebytes uncovered a campaign last year in which malicious actors were detected delivering PHP-based web shells embedded in website favicons to load the skimmer malware.
In July 2021, Sucuri discovered another method that involves putting JavaScript code into comment blocks and disguising stolen credit card data in images and other files hosted on the compromised domains.
The most recent obfuscation tactics detected by Microsoft are variations on the aforementioned strategy of employing malicious image files, including regular images, to covertly combine a PHP script with Base64-encoded JavaScript.
A second method employs four lines of JavaScript code injected into a compromised webpage to fetch the skimmer script from a remote server that is “encoded in Base64 and concatenated from various strings.”
In an attempt to escape detection, encoded skimmer script URLs were also found within spoofed Google Analytics and Meta Pixel code.
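For site owners reviewing their own pages, the check below is an added example, not code from the Microsoft report: it rejoins string literals that were split with "+", Base64-decodes the result, and reports any that turn out to be a URL. The host allowlist, the function names and the sample markup are assumptions made for the illustration.

```javascript
// Added example, not code from the Microsoft report.
// Assumption: hosts that the published Google Analytics / Meta Pixel snippets load from.
const KNOWN_ANALYTICS_HOSTS = new Set([
  'www.googletagmanager.com', 'www.google-analytics.com', 'connect.facebook.net',
]);

// Rejoin string literals glued together with "+", e.g. 'aHR0' + 'cHM6'.
function joinedLiterals(source) {
  const literal = String.raw`(?:'[^'\\\n]*'|"[^"\\\n]*")`;
  const run = new RegExp(`${literal}(?:\\s*\\+\\s*${literal})*`, 'g');
  return (source.match(run) || []).map((m) =>
    m.match(new RegExp(literal, 'g')).map((s) => s.slice(1, -1)).join(''));
}

// Return a URL object if the candidate is Base64 that decodes to a URL, else null.
function decodeBase64Url(candidate) {
  if (candidate.length < 16 || !/^[A-Za-z0-9+/]+={0,2}$/.test(candidate)) return null;
  const text = Buffer.from(candidate, 'base64').toString('utf8');
  if (!/^(?:https?:)?\/\/[^\s"'<>]+$/.test(text)) return null;
  try {
    return new URL(text.startsWith('//') ? `https:${text}` : text);
  } catch {
    return null;
  }
}

// The published analytics snippets load their script from a plain URL, so every
// encoded URL is reported; knownHost says whether the destination is an expected one.
function findHiddenScriptUrls(source) {
  const findings = [];
  for (const candidate of joinedLiterals(source)) {
    const url = decodeBase64Url(candidate);
    if (url) {
      findings.push({ decoded: url.href, knownHost: KNOWN_ANALYTICS_HOSTS.has(url.hostname) });
    }
  }
  return findings;
}

// Constructed sample: analytics look-alike markup; cdn.example.com is a placeholder host.
const encoded = Buffer.from('https://cdn.example.com/analytics.js').toString('base64');
const SAMPLE = `
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}
var s = document.createElement('script');
s.src = atob('${encoded.slice(0, 10)}' + "${encoded.slice(10, 25)}" + '${encoded.slice(25)}');
`;
console.log(findHiddenScriptUrls(SAMPLE));
```

A regex pass like this only catches literals joined directly with "+"; strings assembled through variables or arrays need a parser-based scan.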
Unfortunately, there isn’t much that online consumers can do to protect themselves from web skimming other than ensure that their browser sessions are secure during checkout. Users can also set up virtual credit cards to protect their payment information.
“Given the increasingly evasive tactics used in skimming campaigns, organizations should ensure that their e-commerce platforms, CMSs, and installed plugins are up to date with the latest security patches and that they only download and use third-party plugins and services from trusted sources,” Microsoft said.