
Credit card skimming service makes it easy for low-level cybercriminals to join the game


Credit card skimming has become much easier for cybercriminals, who can now purchase ready-to-use skimming services online. Read more about this threat and how to detect it on sales sites.

Image: 279photo / Adobe Stock

What is credit card skimming?

Credit card skimming is a technique that uses malicious code, installed on compromised merchant websites, to steal the credit card information that customers submit when they complete an online payment.

To implement it successfully, several technical steps need to be taken. First, the attacker needs to find a commercial website that is vulnerable to one of various attack techniques and then compromise that website. Once the attacker has gained access to the website's content, they add malicious code to steal the credit card information provided by unsuspecting customers.

Most skimmers are written in JavaScript, with the added code sitting quietly in the middle of the site's legitimate code, patiently waiting for credit card information. The stolen information is then stored locally in a location known only to the attacker so it can be collected later.

Skimmer as a service: Meet CaramelCorp

Cybercriminals today sell almost every type of service one can think of. This is where Russia-based credit card skimming service CaramelCorp comes in, as reported by DomainTools.

The threat actors have a significant presence on cybercrime forums, carefully screen potential customers, and don't do business with people who don't speak Russian. They also refuse to sell their services to inexperienced carders.

For those who manage to do business with CaramelCorp, a lifetime subscription to the service costs $2,000.


How the skimming service works

Implementation

According to DomainTools, CaramelCorp guarantees, although this guarantee has not been verified, that it can bypass certain security services from Akamai, CloudFlare, and Incapsula, among others.

The service provides easily deployable gateways for receiving skimmed data and the ability to monitor them for downtime. A quick start guide on JavaScript methods for targeting several e-commerce content management systems is also provided.

Collection

The Caramel skimmer uses JavaScript's setInterval() method, as do most other credit card skimmers, to read the form fields repeatedly rather than only on submission. This ensures data exfiltration even from partially completed form fields on a compromised website.

This is useful for cybercriminals, as even targets that decide not to purchase an item during checkout will still leak part of their payment data to attackers.

CaramelCorp also mentions that their skimmers can be deployed using a variety of file types to avoid detection.

Management

A dashboard allows monitoring and management of compromised online stores, including performance monitoring.

The management panel focuses on reducing the attack surface by removing unnecessary code. The login console provides access to the cybercriminals who purchased the service (Figure A).

Figure A. Image: Cedric Pernet / TechRepublic. CaramelCorp login panel.

Measures against detection

The JavaScript used by the skimmer is obfuscated and is not detected by most scanners. To achieve this, CaramelCorp recommends a piece of software called the JavaScript Obfuscator Tool, which is already popular in the cybercriminal community.
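Obfuscation defeats signature scanners, but it leaves traits of its own that a defender can look for in files served from the web root: hex-style identifiers, hex-escaped string literals, and dense high-entropy lines. The following added example (not code from the article, from CaramelCorp, or from any scanner it mentions) scores a script on those traits. The thresholds are assumptions to tune per site, and both sample scripts are constructed and harmless; the obfuscated one merely logs a greeting.

```python
"""Added example: heuristics for spotting obfuscated JavaScript in web content.

Not code from the article. It flags traits that obfuscated scripts tend to
share (hex-style identifiers, hex-escaped string literals, long high-entropy
lines). Thresholds below are assumptions to tune per site; both sample
scripts are constructed and harmless.
"""
import math
import re
from collections import Counter

# Identifiers such as _0x3a2f, typical of obfuscator output (assumed pattern).
HEX_IDENTIFIER = re.compile(r"\b_0x[0-9a-fA-F]{2,}\b")
# String literals spelled out as \x68\x65... instead of readable text.
HEX_ESCAPE = re.compile(r"\\x[0-9a-fA-F]{2}")


def shannon_entropy(text: str) -> float:
    """Bits per character; obfuscated or packed code scores higher than prose-like code."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def obfuscation_indicators(script: str) -> dict:
    """Return the raw indicators plus a verdict so the thresholds stay visible."""
    identifiers = set(HEX_IDENTIFIER.findall(script))
    escapes = len(HEX_ESCAPE.findall(script))
    longest = max((len(line) for line in script.splitlines()), default=0)
    entropy = shannon_entropy(script)
    suspicious = (
        len(identifiers) >= 3          # several renamed hex identifiers
        or escapes >= 5                # strings hidden behind hex escapes
        or (longest > 1000 and entropy > 5.0)  # one dense, packed line
    )
    return {
        "hex_identifiers": len(identifiers),
        "hex_escapes": escapes,
        "longest_line": longest,
        "entropy": round(entropy, 2),
        "suspicious": suspicious,
    }


# Constructed, benign checkout script as a shop might legitimately serve it.
LEGIT_SCRIPT = """\
// checkout.js (constructed sample)
function validateForm(form) {
  const card = form.querySelector('#card-number');
  return card.value.length > 0;
}
"""

# Constructed sample in the style of obfuscator output; it only logs 'hello'.
OBFUSCATED_SCRIPT = r"""var _0x3a2f=['\x68\x65\x6c\x6c\x6f','\x6c\x6f\x67'];(function(_0x1c9d,_0x4e21){var _0x5b7a=function(_0x2d3e){return _0x1c9d[_0x2d3e];};console[_0x5b7a(0x1)](_0x5b7a(0x0));}(_0x3a2f));"""


if __name__ == "__main__":
    for name, script in (("legit", LEGIT_SCRIPT), ("obfuscated", OBFUSCATED_SCRIPT)):
        print(name, obfuscation_indicators(script))
```

Minified vendor libraries also produce long, high-entropy lines, so treat the verdict as a triage signal to pair with the integrity checks described later in the article, not as a standalone alarm.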

Data leak from CaramelCorp

DomainTools managed to gain access to data stored on the CaramelCorp server by finding open directories containing a number of items, such as portions of JavaScript code, source map and related files, and the CaramelCorp quick start guide.

The researchers found that CaramelCorp recommends a very simple deployment method: access the CMS admin panel of a compromised website and add a short script manually (Figure B).

Figure B. Image: DomainTools. Screenshot from Magento's admin panel showing where the malicious script is located.

DomainTools noted a significant amount of Russian-language text in the source map and JavaScript files. Translating those texts revealed a tutorial on how to deploy the Caramel skimmer.

The operators include warnings about practices to avoid during deployment, as well as recommendations on where to obtain domains, SSL certificates, and VPS servers to run the skimming infrastructure.

How to detect the threat

Although the threat is difficult to detect, it is not impossible.

Continuous web content integrity checks should be performed. File integrity monitoring and content-filtering security solutions should be deployed to detect any change to static files, especially files containing code such as .JS, .PHP, and .ASPX files. Websites should monitor all static files for unauthorized modifications.

Newly created and modified files should be checked immediately if they are not the result of a legitimate process within the company.

The web server software itself should always be patched and updated to avoid any possible initial intrusion from attackers.
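The integrity checks above come down to one procedure: snapshot the hashes of every code file under the web root, keep that snapshot somewhere the web server cannot write, and diff a fresh snapshot against it after every deployment or on a schedule. The following added example (not code from the article or from any product it mentions) implements that procedure; the file extensions follow the article's list, and the web root and files in demo() are constructed in a temporary directory.

```python
"""Added example: baseline-and-diff integrity check for web content files.

Not code from the article. It hashes the file types the article names (.js,
.php, .aspx) plus HTML under a web root and compares two snapshots so that
added, modified or removed code files surface for review. The web root and
files in demo() are constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# File types the article singles out: code that a skimmer modifies or adds.
CODE_EXTENSIONS = {".js", ".php", ".aspx", ".html", ".htm"}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large assets are not loaded into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root, extensions=CODE_EXTENSIONS) -> dict:
    """Map every code file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in extensions:
            baseline[path.relative_to(root).as_posix()] = sha256_file(path)
    return baseline


def diff_baseline(old: dict, new: dict) -> dict:
    """Return the paths that appeared, changed or vanished between snapshots."""
    return {
        "added": sorted(set(new) - set(old)),
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
        "removed": sorted(set(old) - set(new)),
    }


def save_baseline(baseline: dict, path) -> None:
    """Persist a snapshot; in production keep it off the web root, read-only to the web server."""
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path) -> dict:
    return json.loads(Path(path).read_text())


def demo() -> dict:
    """Constructed web root: snapshot it, then simulate a changed file and an unknown new file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "webroot"
        (root / "js").mkdir(parents=True)
        (root / "js" / "checkout.js").write_text("// legitimate checkout code\n")
        (root / "index.php").write_text("<?php echo 'shop'; ?>\n")
        (root / "logo.png").write_bytes(b"\x89PNG")  # not a code file: ignored

        baseline_path = Path(tmp) / "baseline.json"  # outside the web root
        save_baseline(build_baseline(root), baseline_path)

        # What a compromise looks like from the file system's point of view:
        # an existing script grows a line no deployment added, and an unknown script appears.
        with (root / "js" / "checkout.js").open("a") as handle:
            handle.write("// line that no deployment added\n")
        (root / "js" / "vendor-extra.js").write_text("// unknown file\n")

        return diff_baseline(load_baseline(baseline_path), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the diff from a cron job or a deployment hook and page on any non-empty "added" or "modified" list that does not match a change ticket; the baseline must be refreshed only by the legitimate deployment process, otherwise an intruder who can write to the web root can also rewrite the reference.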

It may also be a good idea to search for any files on the web server that contain credit card information, as some skimmers store stolen data locally before sending it to the attacker's server. Such credit card data can be detected with YARA rules, for example.
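A plain regular expression for 13 to 19 digit runs, which is what a YARA rule would use, also matches order numbers and timestamps; validating each candidate with the Luhn check digit removes most of those. The following added example (not code from the article or from YARA) performs that search over text files. The sample drop file is constructed and contains only publicly documented test card numbers; the file path is created in a temporary directory.

```python
"""Added example: find stored card numbers (PANs) in files on a web server.

Not code from the article. It pairs a digit-run regex with the Luhn check so
that order numbers and timestamps do not show up as card data. The sample
text is constructed and uses publicly documented test card numbers only.
"""
import re
import tempfile
from pathlib import Path

# 13 to 19 digits, optionally separated by single spaces or hyphens, and not
# part of a longer digit run (the look-arounds reject 20+ digit sequences).
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check: double every second digit from the right, sum must be a multiple of 10."""
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the BIN and last four so a finding can be reported without re-exposing the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_card_numbers(text: str) -> list:
    """Return Luhn-valid candidate PANs (digits only), in order of appearance."""
    found = []
    for match in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def scan_file(path) -> list:
    """Scan one text file line by line; returns (line number, masked PAN) tuples."""
    hits = []
    with Path(path).open("r", encoding="utf-8", errors="replace") as handle:
        for lineno, line in enumerate(handle, 1):
            for pan in find_card_numbers(line):
                hits.append((lineno, mask_pan(pan)))
    return hits


# Constructed drop-file content: three documented test numbers that pass Luhn,
# one order id that does not, and one number with a wrong check digit.
SAMPLE_DROP_FILE = """\
2024-01-01 cc=4111 1111 1111 1111 exp=12/26
2024-01-01 cc=5555-5555-5555-4444 name=TEST USER
2024-01-01 cc=378282246310005
order_id=1234567890123 (numeric but fails Luhn)
cc=4111111111111112 (invalid check digit)
"""


def demo() -> list:
    """Write the constructed sample to a temporary file and scan it with scan_file()."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as tmp:
        tmp.write(SAMPLE_DROP_FILE)
        name = tmp.name
    try:
        return scan_file(name)
    finally:
        Path(name).unlink()


if __name__ == "__main__":
    for lineno, masked in demo():
        print(f"line {lineno}: {masked}")
```

Point scan_file at everything writable by the web server process (upload directories, cache and session folders, log files), since those are the places a skimmer can stage data; report only the masked form so the scan itself does not become another copy of the card numbers.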

Finally, all the usual security measures to protect the web infrastructure should be in place to avoid the website being compromised in the first place. Any dashboard or admin section of the site should be accessible only with multi-factor authentication, and all default logins, if any, must be removed. Security solutions that detect malware and file-based threats should also be deployed.

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.
