Threat Watch

New Skimming Methods Being Used According to Microsoft 365 Defender Research Team

On May 23rd the Microsoft 365 Defender Research Team published a blog post giving a high-level overview of new evasion techniques used by the threat actors behind skimmers. In short, skimming is a method threat actors use to obtain payment card information from unsuspecting victims, whether at a gas pump or while shopping online. In this research, Microsoft describes techniques used to inject skimming code into e-commerce websites. The research shows that new skimming files being uploaded to VirusTotal have lower than usual detection rates. A portion of the blog reads “It’s a shift from earlier tactics where attackers conspicuously injected malicious scripts into e-commerce platforms and content management systems (CMSs) via vulnerability exploitation, making this threat highly evasive to traditional security solutions.” The three techniques seen with increasing frequency are injecting scripts into image files, string concatenation, and script spoofing. The SHA-256 hashes of the files involved are listed below:

  • a6fc14a7bb5e05c1d271add5b38744523fed01a18ce5578b965ee02e19589e77
  • b397e7ad2d00dcef4cf4ba5df363684b1fefcc64c23ab110032a7b2ebb77ab4a
  • 88e9d5eddd24546ab78ce8db1eb474a20b9694f52d4c7ad976fbfa683b7ce635

More information on the techniques can be found in the blog by Microsoft here: https://www.microsoft.com/security/blog/2022/05/23/beneath-the-surface-uncovering-the-shift-in-web-skimming/

ANALYST NOTES

Binary Defense analysts reviewed the files referenced in Microsoft’s blog. The files consist of PHP and JavaScript content, sometimes disguised with a misleading file extension such as .png or .jpg. Some of the files are still not well detected by anti-virus software, with fewer than one third of the engines on VirusTotal reporting a threat, but all of them contain obfuscated code encoded in text blocks that a security analyst could recognize on review. Any file purporting to be an image that contains script code is immediately suspect.

Companies that run e-commerce websites should use file integrity monitoring tools to spot unexpected new files or changes to existing files. Actively scanning for threats, along with keeping content management systems updated to the latest versions, is important for site admins defending against skimming tactics. Online shoppers can limit their chances of becoming victims by using one-time private cards, setting strict payment limits, or using electronic payment methods instead of physical cards.
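As an added example (not part of the original Threat Watch item or Microsoft’s research), the following Python check implements the two analyst observations above: it flags files that carry an image extension but do not start with that format’s magic bytes, and it flags script markers inside anything claiming to be an image, including a genuine image header with script appended. The magic-byte table, marker list, and sample files are constructed for illustration and are not taken from the referenced hashes.

```python
import os
import re
import tempfile

IMAGE_MAGIC = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff", ".gif": b"GIF8"}  # expected leading bytes

# Markers typical of PHP/JavaScript skimmer code that never belong in a genuine
# image (constructed list for illustration, not taken from the page).
SCRIPT_MARKERS = [
    ("php-tag", rb"<\?php"),
    ("script-tag", rb"<script"),
    ("eval", rb"\beval\s*\("),
    ("base64_decode", rb"base64_decode\s*\("),
    ("atob", rb"\batob\s*\("),
]

def inspect_image_file(path):
    """Return findings for a file whose extension claims it is an image."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in IMAGE_MAGIC:
        return []  # not claiming to be an image; out of scope for this check
    with open(path, "rb") as fh:
        data = fh.read()
    findings = []
    if not data.startswith(IMAGE_MAGIC[ext]):
        findings.append("magic-mismatch")  # extension does not match the bytes
    for label, pattern in SCRIPT_MARKERS:
        if re.search(pattern, data, re.IGNORECASE):
            findings.append("script-marker:" + label)
    return findings

def scan_directory(root):
    """Map each suspicious path (relative to root) to its findings."""
    paths = [os.path.join(d, n) for d, _, names in os.walk(root) for n in names]
    return {os.path.relpath(p, root): f for p in paths if (f := inspect_image_file(p))}

def demo():
    """Write a constructed sample web root to a temp dir and scan it."""
    root = tempfile.mkdtemp()
    samples = {
        "logo.png": IMAGE_MAGIC[".png"] + b"\x00" * 32,  # genuine-looking image
        "banner.jpg": b"<?php eval(base64_decode('...')); ?>",  # PHP behind .jpg
        "favicon.png": IMAGE_MAGIC[".png"] + b"<script>atob('...')</script>",
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return scan_directory(root)
```

Run `demo()` to see that the valid PNG is silent, the PHP file is caught by both the magic check and the marker scan, and the image-with-appended-script is caught by the marker scan alone, which is why the magic check by itself is not enough.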

https://cyware.com/news/credit-card-stealers-adopt-advanced-evasion-techniques-f401c33f