U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

New skimmer attack uses WebSockets to evade detection

Experts spotted a new skimmer attack that used an alternative technique to exfiltrate payment information from payment cards. Researchers from Akamai discovered a new skimmer attack that is targeting several e-stores with a new technique to exfiltrate data. Threat actors are using fake credit card forum and WebSockets to steal the financial and personal information of the […]

web skimmer

Experts spotted a new skimmer attack that used an alternative technique to exfiltrate payment information from payment cards.

Researchers from Akamai discovered a new skimmer attack that is targeting several e-stores with a new technique to exfiltrate data.

Threat actors are using fake credit card forum and WebSockets to steal the financial and personal information of the users.

“Online stores are increasingly outsourcing their payment processes to third-party vendors,  which means that they don’t handle credit card data inside their store. To overcome this, the attacker creates a fake credit card form and injects it into the application’s checkout page. The exfiltration itself is done by WebSockets, which provide the attacker a more silent exfiltration path.” reads the post published by Akamai.

Hackers use a software skimmer to inject a loader into the page source as an inline script. Once executed, a malicious JavaScript file is requested from the a C2 server (at https[:]//tags-manager[.]com/gtags/script2).

Upon loading the script from the external server, the skimmer stores in the browser’s LocalStorage its generated session-id and the client IP address.

Attackers leverage Cloudflare’s API to obtain the user’s IP address, then use a WebSocket connection to exfiltrate sensitive information from pages involving the checkout, login, and new account registration pages.

The distinctive aspect of this attack is the use of WebSockets, instead of HTML tags or XHR requests, to extract the information from the compromised site that makes this technique more stealth. The use of WebSockets allows bypassing a lot of CSP policies.

web skimmer

Experts noticed that for those e-stores that handle the payment process through a third-party provider, the skimmer creates a fake credit card form in the page before it is redirected to the third-party vendor.

“Akamai sees new and subtly modified web application client-side attacks, such as this example, on nearly a weekly basis. Given the obfuscated nature and supply chain origination of in-browser attacks, traditional CSP-reliant approaches miss most of these types of attacks.” concludes the company.

“Our security portfolio has embraced and invested in bringing to market a web skimming protection product called Page Integrity Manager, which focuses on the script execution behavior with unprecedented visibility into the runtime environment. It collects information about the different scripts that run in the web page, each action they take, and their relation to other scripts in the page. Pairing this data with our multilayered detection approach — leveraging heuristics, risk scoring, AI, and other factors — allows Page Integrity Manager to detect different types of client-side attacks, with a high focus on data exfiltration and web skimming attacks.”

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, web skimmer)

[adrotate banner=”5″]

[adrotate banner=”13″]