On May 23rd, 2022 the Microsoft 365 Defender Research Team published a blog post giving a high-level overview of new evasion techniques used by the threat actors behind web skimmers. Skimming is a method threat actors use to obtain payment card information from unsuspecting victims, whether at a gas pump or during an online checkout; in this research, Microsoft describes techniques used to inject skimming code into e-commerce websites.

Microsoft's research shows that newly uploaded skimming files have lower than usual detection rates on VirusTotal. A portion of the blog reads “It’s a shift from earlier tactics where attackers conspicuously injected malicious scripts into e-commerce platforms and content management systems (CMSs) via vulnerability exploitation, making this threat highly evasive to traditional security solutions.” The three methods seen with increasing frequency are hiding the script inside image files, splitting the encoded payload with string concatenation, and script spoofing, where the skimmer is disguised as a legitimate third-party script. The SHA-256 hashes of the sample files referenced in the research are listed below:
- a6fc14a7bb5e05c1d271add5b38744523fed01a18ce5578b965ee02e19589e77
- b397e7ad2d00dcef4cf4ba5df363684b1fefcc64c23ab110032a7b2ebb77ab4a
- 88e9d5eddd24546ab78ce8db1eb474a20b9694f52d4c7ad976fbfa683b7ce635
More information on the techniques can be found in Microsoft's blog post: https://www.microsoft.com/security/blog/2022/05/23/beneath-the-surface-uncovering-the-shift-in-web-skimming/
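As an added illustration, not code from the Microsoft write-up, the following Python script applies the two detection ideas that follow from the first two techniques above: verify that a file served as an image really is one and carries no code, and rejoin string-concatenated base64 fragments before decoding, so a payload split across literals can still be inspected. The three hashes are the ones listed on this page; the image magic bytes, code markers, regular expressions and the skimmer snippet are assumptions and constructed samples for the example, not real skimmer content.

```python
import base64
import hashlib
import re

# SHA-256 indicators listed on this page.
KNOWN_SKIMMER_HASHES = {
    "a6fc14a7bb5e05c1d271add5b38744523fed01a18ce5578b965ee02e19589e77",
    "b397e7ad2d00dcef4cf4ba5df363684b1fefcc64c23ab110032a7b2ebb77ab4a",
    "88e9d5eddd24546ab78ce8db1eb474a20b9694f52d4c7ad976fbfa683b7ce635",
}

# Leading bytes of the image formats a site would legitimately serve (PNG, GIF, JPEG, ICO).
IMAGE_MAGIC = (b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a", b"\xff\xd8\xff", b"\x00\x00\x01\x00")

# Markers of server- or client-side code that have no place inside an image file (assumed list).
CODE_MARKERS = (b"<?php", b"<script", b"eval(", b"atob(", b"String.fromCharCode")

# Two or more quoted base64-looking fragments joined with '+', e.g. "aGVs" + 'bG8='.
CONCAT_RE = re.compile(r"""((?:["'][A-Za-z0-9+/=]+["']\s*\+\s*)+["'][A-Za-z0-9+/=]+["'])""")
FRAG_RE = re.compile(r"""["']([A-Za-z0-9+/=]+)["']""")


def is_known_sample(data: bytes) -> bool:
    """Hash-based check against the indicators published for these samples."""
    return hashlib.sha256(data).hexdigest() in KNOWN_SKIMMER_HASHES


def scan_image_file(data: bytes) -> dict:
    """Check that a file served as an image really is one and carries no code."""
    return {
        "known_hash": is_known_sample(data),
        "valid_image_header": data.startswith(IMAGE_MAGIC),
        "code_markers": [m.decode() for m in CODE_MARKERS if m in data],
    }


def is_suspicious_image(data: bytes) -> bool:
    """Flag a known sample, a non-image masquerading as one, or an image/code polyglot."""
    report = scan_image_file(data)
    return report["known_hash"] or not report["valid_image_header"] or bool(report["code_markers"])


def reassemble_concatenated_base64(js: str) -> list:
    """Rejoin split string literals and return those that decode to printable text.

    A static pattern for the encoded payload misses "aGVs" + "bG8=", so the
    fragments are joined first and decoded second.
    """
    decoded = []
    for match in CONCAT_RE.finditer(js):
        joined = "".join(FRAG_RE.findall(match.group(1)))
        try:
            text = base64.b64decode(joined, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not base64 after all, or not text: ordinary string building
        if text.isprintable():
            decoded.append(text)
    return decoded


# --- Constructed samples (not real skimmer files) -----------------------------
# Hypothetical skimmer line, base64-encoded and split into 8-character literals
# the way the string-concatenation technique does it.
PAYLOAD_JS = 'document.getElementById("cc").addEventListener("input", exfil);'
_B64 = base64.b64encode(PAYLOAD_JS.encode()).decode()
SAMPLE_CONCAT_JS = "var s = " + " + ".join(
    '"%s"' % _B64[i:i + 8] for i in range(0, len(_B64), 8)
) + "; eval(atob(s));"

# A "favicon" that is really PHP emitting the skimmer, and a genuine PNG header.
SAMPLE_FAKE_FAVICON = (
    b"<?php echo '<script>' . base64_decode('" + _B64.encode() + b"') . '</script>'; ?>"
)
SAMPLE_REAL_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

if __name__ == "__main__":
    print("fake favicon:", scan_image_file(SAMPLE_FAKE_FAVICON))
    print("real png:    ", scan_image_file(SAMPLE_REAL_PNG))
    print("recovered:   ", reassemble_concatenated_base64(SAMPLE_CONCAT_JS))
```

In practice `scan_image_file` would be run over the web root's image and favicon directories and `reassemble_concatenated_base64` over the JavaScript the site actually serves. Both checks are heuristics: a valid PNG with PHP appended still trips the marker check, but a concatenation that builds a hex string or a character-code array rather than base64 needs its own decoder, and the hash check only catches the exact published samples.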