On May 23rd the Microsoft 365 Defender Research Team released a blog post giving a high-level overview of new evasion techniques used by the threat actors behind skimmers. In short, skimming is a method threat actors use to obtain payment card information from unsuspecting victims, whether at a gas pump or while shopping online. In this research, Microsoft describes techniques used to inject skimming code into e-commerce websites.

The Microsoft team reports that new skimming files uploaded to VirusTotal have lower than usual detection rates. A portion of the blog reads: “It’s a shift from earlier tactics where attackers conspicuously injected malicious scripts into e-commerce platforms and content management systems (CMSs) via vulnerability exploitation, making this threat highly evasive to traditional security solutions.” The three methods that have increasingly been used are injecting scripts into image files, string concatenation, and script spoofing. A list of the SHA-256 file hashes being used can be found below:
More information on the techniques can be found in the blog by Microsoft here: https://www.microsoft.com/security/blog/2022/05/23/beneath-the-surface-uncovering-the-shift-in-web-skimming/
Companies that operate e-commerce websites should use file integrity monitoring tools to spot unexpected new files or unexpected changes to existing files. Actively scanning for threats and keeping content management systems updated to the latest versions are important for site admins defending against skimming tactics. Online shoppers can reduce their chances of becoming victims by using one-time private cards, setting strict payment limits, or using electronic payment methods instead of physical cards.
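The following is an added example, not code from the Microsoft post or from this page, showing what the file integrity monitoring recommended above can look like in practice, combined with a check for the first technique the post names (script text hidden inside image files). It snapshots SHA-256 hashes of a web root, reports added, removed and modified files on a later pass, and flags files that start with an image magic number but contain script markers. The image magic numbers, the marker list and the constructed web root (`img/logo.png`, `js/checkout.js`, `img/banner.png`) are assumptions for this example; the marker list is illustrative, not an indicator set from the post.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Magic bytes for common image formats served by web shops (assumed set for this example).
IMAGE_MAGIC = (
    b"\x89PNG\r\n\x1a\n",  # PNG
    b"\xff\xd8\xff",       # JPEG
    b"GIF87a",             # GIF
    b"GIF89a",             # GIF
)

# Text that has no business inside an image payload. Illustrative list, an
# assumption of this example rather than indicators taken from the Microsoft post.
SCRIPT_MARKERS = re.compile(
    rb"<script\b|<\?php|\beval\(|\batob\(|document\.createElement", re.IGNORECASE
)


def sha256_of(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large media files are not loaded into RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map of POSIX-style relative path -> SHA-256 for every regular file under root."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_baseline(old: dict, new: dict) -> dict:
    """Classify changes between two snapshots: added, removed and modified files."""
    common = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in common if old[p] != new[p]),
    }


def image_with_script(path: Path) -> bool:
    """True if the file starts with an image magic number but also contains script markers.

    A legitimate image has no reason to carry <script> or PHP tags; a hit is
    worth a manual look, not automatic proof of a skimmer.
    """
    data = path.read_bytes()
    if not any(data.startswith(magic) for magic in IMAGE_MAGIC):
        return False
    return SCRIPT_MARKERS.search(data) is not None


def run_demo() -> dict:
    """Constructed scenario: snapshot a fake web root, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "img").mkdir()
        (root / "js").mkdir()
        (root / "img" / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
        (root / "js" / "checkout.js").write_text("document.querySelector('#pay');\n")

        baseline = build_baseline(root)

        # Simulated tampering (constructed for the example): the checkout script is
        # modified and a new "image" that carries script text appears.
        (root / "js" / "checkout.js").write_text(
            "document.querySelector('#pay');\n// changed\n"
        )
        (root / "img" / "banner.png").write_bytes(
            b"\x89PNG\r\n\x1a\n" + b"\x00" * 16 + b"<script>/* placeholder */</script>"
        )

        current = build_baseline(root)
        changes = diff_baseline(baseline, current)
        suspicious_images = sorted(
            p.relative_to(root).as_posix()
            for p in root.rglob("*")
            if p.is_file() and image_with_script(p)
        )
        return {"changes": changes, "suspicious_images": suspicious_images}


if __name__ == "__main__":
    print(run_demo())
```

In a real deployment the baseline would be written to storage the web server account cannot modify and rebuilt only after a known-good deployment, so that a tampered site cannot quietly re-baseline itself; the image check is a cheap triage filter to run over the `added` and `modified` lists, not a replacement for reviewing those files.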