Hackers are developing new pieces of malware every day in a bid to outsmart defenders. In the latest such case, Malwarebytes has reported on a new credit card skimming technique that is now in active use.
The technique uses the popular messenger app Telegram to transmit payment details stolen from compromised websites to the attackers. These details include the user's name, email address and card details, including the card number, CVV and expiry date.
All of this happens on the payment page, where the skimmer is activated, as shown in the graphic below.
To prevent web debuggers from catching it, the code contains certain "anti-debugging checks". Furthermore, the bot ID, the channel and the Telegram API request are encoded using Base64.
Describing the effectiveness of the attack, the researchers stated in their blog post that,
For threat actors, this data exfiltration mechanism is efficient and doesn’t require them to keep up infrastructure that could be taken down or blocked by defenders. They can even receive a notification in real time for each new victim, helping them quickly monetize the stolen cards in underground markets.
Why use Telegram?
Using Telegram places the attackers at a big advantage in terms of time. Instead of working to create their own C2 server along with a dedicated communication process that would require their own domains, they can simply use an already established network.
Moreover, even if Telegram cracks down on them in some way, nothing would prevent the attackers from switching to an alternative.
However, as the researchers demonstrated with their own browser extension (shown below), such attacks can be prevented without blocking Telegram as a whole.
To conclude, at the moment, only 2 websites have been found to be infected by this malware. Nonetheless, cybersecurity professionals should keep this new tactic in mind as we may see it spreading across more sites in the near future.