Payment card giant Visa recently issued a warning about a sophisticatedly designed web skimming malware that uses security tools to avoid detection.
PFD used the eCommerce Threat Disruption capability and learned that the skimmer contained all essential features that most e-commerce skimming kits are equipped with, such as admin panel, skimming script generator, exfiltration gateway, etc.
See: Bluetana app detects gas pumps card skimmers in 3 seconds
The skimmer’s most ‘compelling components’ include its unique loader and obfuscation techniques. It dynamically loads to avoid static malware scanners while using individual encryption parameters’ for every victim to hide the malicious code.
Baka skimmer’s variant avoids detection/analysis by detaching itself from memory as soon as it identifies the probability of dynamic analysis or after it has finished exfiltrating data.
The researchers identified Baka while evaluating a C&C server linked with the ImageID variant. Later, PFD identified seven servers actively hosting the malware’s skimming kit.
This means the e-commerce skimmer has already affected various merchant websites worldwide. The PFD believes that a skilled developer must have created such an advanced skimming kit.
The skimming code is fetched and execute after a user visits the checkout page on a merchant’s website. Its decrypted payload is similar to the code used for dynamically loading of pages. The code skims the targeted files after every 100 milliseconds, and the attacker efficiently specifies the fields that are to be targeted for every victim. The code also checks whether the skimmer has identified any data at 100 milliseconds intervals.
If it identifies data, the exfiltration process is quickly initiated. It keeps checking every 3 seconds whether the script has to send data to the exfiltration gateway. After exfiltration, a clean-up function is executed to remove the skimming code from memory.
See: Hundreds of counterfeit branded shoe stores hacked with web skimmer
“The developer of this malware kit uses the same cipher function in the loader and the skimmer,” Visa added.
Here’s how the encrypted skimming code looks like:
Visa urged e-commerce providers to regularly scan for C&C communications, perform website scanning, and test malware and vulnerabilities. Retailers must restrict access to admin portals and mandatorily enable 2FA authentication.
The main e-commerce website must be separated from the checkout section. Additionally, they should closely inspect Content Delivery Networks and third-party codes, and patch shopping carts and web application firewalls to mitigate the newly discovered threat.
Did you enjoy reading this article? Do like our page on Facebook and follow us on Twitter.
I saw this technique used with an .HTM file attachment on an email.
Comments are closed.