Visa shares warnings and best practices from its Payment Fraud Disruption (PFD) team every six months, and the most recent of its Biannual Threats Reports covered the period from June to December 2022. It found that cybercriminals still favor web skimming attacks, and PFD reported some of the most notable developments in how they are carrying them out.
In case you weren’t aware, web skimming attacks occur when hackers inject malicious code into checkout pages to steal payment information. They gain access by exploiting security weaknesses or misconfigurations in the merchant’s systems, which then leaves them free to harvest primary account numbers, card verification numbers, card expiration dates, and personally identifiable customer information.
Here are the five approaches to web skimming that caught the Visa PFD team’s interest during those six months:
Obsolete Payment Plugins
On three occasions, different cybercriminals targeted the same unpatched or obsolete payment plugin. In one instance, the attackers built a bogus checkout page on a North American merchant’s website that tricked shoppers into handing over their cardholder data. The page was taken down, but that didn’t deter them: they tried again, this time compromising an administrator’s account so they could add their web-skimming code to the genuine checkout page.
In another incident, cybercriminals targeted an online merchant through a SQL injection flaw in an outdated e-commerce payment plugin. This gave them administrator credentials, which they used to add malicious skimming code to the obsolete plugin itself; the plugin then served that code on the checkout page.
In the third instance, attackers used a web shell to gain entry to an online merchant’s checkout page. This approach allowed them to add web-skimming code to an obsolete payment plugin to steal customers’ payment details.
Reverse Shell Exploit
In September 2022, Visa PFD discovered a skimming attack where cybercriminals installed a reverse shell dropper on the file system of an online merchant. Once the shell session was initiated, the reverse shell redirected the input and output connections of the victim’s system, giving the attackers remote control of it. With that done, they added skimming code to the legitimate JavaScript on the victim’s checkout page, which collected payment account data as customers typed in their details. The malware collected the victims’ full personal identifying information and cardholder information.
Coupons and Promotions
In another campaign, cybercriminals took advantage of a coupon code embedded in the webpage of a third-party payment provider to steal payment details from e-commerce customers. They added their code to five files on the victims’ sites and used web shells to access them remotely. They injected two kinds of web-skimming software, which collected payment account data from 45 online merchants using the victim’s payment services. The first skimmer stole payment account data during checkout and forwarded it to an external domain under the hackers’ control. The second stored the data lifted during checkout, base64-encoded, in a local .png file.
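Staging stolen data inside an image file works because image viewers ignore any bytes that follow the PNG IEND chunk. The check below, an added example and not part of the Visa report, walks a PNG’s chunk structure, returns whatever trails the IEND chunk, and reports whether that trailer decodes as base64; the sample PNG and the skimmer-style record it carries are constructed here for illustration.

```python
"""Flag PNG files that carry data after the IEND chunk (added defender example)."""
import base64
import binascii
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Constructed stand-in for a base64-encoded skimmer record; not real card data.
SAMPLE_TRAILER = base64.b64encode(b"constructed skimmer record")


def png_trailing_data(data: bytes) -> bytes:
    """Return the bytes that follow the IEND chunk (empty for a clean PNG)."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4            # chunk header + payload + CRC
        if ctype == b"IEND":
            return data[pos:]
    raise ValueError("truncated PNG: no IEND chunk")


def looks_like_base64(blob: bytes) -> bool:
    """True when the trailer is strictly valid base64, the encoding the skimmer used."""
    stripped = blob.strip()
    if not stripped:
        return False
    try:
        base64.b64decode(stripped, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def build_png(trailer: bytes = b"") -> bytes:
    """Construct a minimal 1x1 grayscale PNG, optionally with data appended after IEND."""
    def chunk(ctype: bytes, payload: bytes) -> bytes:
        crc = binascii.crc32(ctype + payload) & 0xFFFFFFFF
        return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 1x1, 8-bit grayscale
    idat = zlib.compress(b"\x00\x00")                       # filter byte + one pixel
    return PNG_SIGNATURE + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"") + trailer


def scan_png(data: bytes) -> dict:
    """Summarise a PNG: how many bytes trail IEND and whether they look base64-encoded."""
    trailer = png_trailing_data(data)
    return {"trailing_bytes": len(trailer), "base64_trailer": looks_like_base64(trailer)}
```

Run it over the web root’s image directories on a schedule; a .png whose modification time is recent and whose trailer decodes as base64 is worth pulling for review.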
Online Cigar Shops
In a month-long attack on nine online cigar shops, cybercriminals added web-skimming malware to their victims’ checkout pages. The common denominators were that all of them used the same e-commerce platform to build their websites, all were hosted on one or more shared servers with the same UK-registered IP address, and all were owned by or related to the same European consumer brand management company. Visa PFD suspects that the cybercriminals may have exploited a security hole in either the parent company’s network or the e-commerce platform that the compromised sellers used. Notably, PFD had already published the malicious domain identified in each of these compromises in a previous report.
This campaign demonstrates how cybercriminals can compromise multiple victims using the same platform once they discover a common vulnerability in the initial victim’s environment.
Online Platform’s Code Repository Exposed
In this case, the target was a health products store, and attackers gained access to it by breaching its code repository, which was not properly secured. This meant they could easily gain administrative access and add web-skimming malware to the checkout page, from which they harvested payment account data. The checkout page also seems to have been unprotected, as it had no brute-force prevention measures, and the admin portal did not have multi-factor authentication.
Third-Party Service Providers
In the last six months, Visa PFD also identified a compromise where an online tech merchant was attacked because its third-party hosting provider did not patch or update the libraries for the Java-based logging utility Log4j 2 on the merchant’s website. This outdated utility had a remote code execution vulnerability (CVE-2021-44228) that permitted the attackers to remotely access the shopping site. From there, they added their web skimming code to the legitimate code on the checkout page which let them steal customer payment information. This is why it’s crucial to always patch and update e-commerce software wherever it sits in the supply chain.
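Whatever the entry point (obsolete plugin, reverse shell, exposed repository or unpatched Log4j), every incident above ends with unauthorized JavaScript on the checkout page. The script below, an added example that is not from the Visa report or from Reflectiz, is the minimal version of the check a merchant can run itself: fingerprint every script on the checkout page, compare against a baseline taken when the page was known good, and flag external scripts loaded from hosts outside an allowlist. The allowlisted hostnames and the sample pages are assumptions constructed for the example.

```python
"""Baseline check for the scripts served on a checkout page (added defender example)."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: the merchant's own hosts. Relative script URLs count as local.
ALLOWED_SCRIPT_HOSTS = {"example.com", "checkout.example.com"}


class _ScriptCollector(HTMLParser):
    """Collect external <script src> URLs and inline script bodies from page HTML."""

    def __init__(self) -> None:
        super().__init__()
        self.external, self.inline = [], []
        self._buf = None

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._buf = []                  # start capturing an inline script body

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf).strip())
            self._buf = None


def fingerprint(html: str) -> set:
    """Fingerprint set: external scripts by URL, inline scripts by SHA-256 of their body."""
    p = _ScriptCollector()
    p.feed(html)
    fps = {"src:" + u for u in p.external}
    fps |= {"inline:" + hashlib.sha256(s.encode()).hexdigest() for s in p.inline}
    return fps


def check_checkout_page(baseline: set, html: str) -> dict:
    """Report scripts not in the baseline and external scripts from non-allowlisted hosts."""
    current = fingerprint(html)
    added = sorted(current - baseline)
    unexpected = sorted(u[4:] for u in current if u.startswith("src:")
                        and urlparse(u[4:]).hostname not in (None, *ALLOWED_SCRIPT_HOSTS))
    return {"added": added, "unexpected_hosts": unexpected}
```

External scripts are keyed by URL only, so a modified file behind an unchanged URL needs a second step that fetches and hashes each allowlisted script; the inline check catches the case the report describes most often, code appended directly to the checkout page.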
Reflectiz Protects
All these web-skimming attacks could have been prevented if the merchants had used Reflectiz. The platform gives you unparalleled oversight of your checkout pages, alerting you to code changes and unauthorized activity before they can do the kind of damage that lands you in hot water with data regulators, payment processors, and unhappy customers.
Client-side attacks bypass traditional security tools, but that doesn’t happen with Reflectiz. Its unique sandbox simulator detects any malicious changes to your websites to catch even the most sophisticated attacks.
Discover how Reflectiz can protect you from web-skimming attacks, today.