{"id":16953,"date":"2019-11-21T10:10:16","date_gmt":"2019-11-21T18:10:16","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/11\/21\/news-10690\/"},"modified":"2019-11-21T10:10:16","modified_gmt":"2019-11-21T18:10:16","slug":"news-10690","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/11\/21\/news-10690\/","title":{"rendered":"Web skimmer phishes credit card data via rogue payment service platform"},"content":{"rendered":"

Credit to Author: J\u00e9r\u00f4me Segura| Date: Thu, 21 Nov 2019 17:30:00 +0000<\/strong><\/p>\n

Heading into the holiday shopping season<\/a>, we have been tracking increased activity from a threat group registering domains for skimming and phishing campaigns. While most of the campaigns implemented a web skimmer in the typical fashion\u2014grabbing and exfiltrating data from a merchant’s checkout page to an attacker-controlled server\u2014a new attack scheme has emerged that tricks users into believing they’re using a payment service platform (PSP).<\/p>\n

PSPs are quite common and work by redirecting the user from a (potentially compromised) merchant site onto a secure page maintained by the payment processing company. This is not the first time a web skimmer has attempted to interfere with PSPs<\/a>, but in this case, the attackers created a completely separate page that mimics a PSP.<\/p>\n

By blending phishing and skimming together, threat actors developed a devious scheme, as unaware shoppers will leak their credentials to the fraudsters without thinking twice.<\/p>\n

Standard skimmer<\/h3>\n

Over the past few months, we’ve tracked a group that has been active with web skimmer and phishing templates. As web security firm Sucuri noted<\/a>, most of the domains are registered via the medialand.regru@gmail[.]com email address.<\/p>\n

Many of their skimmers are loaded as a fake Google Analytics library called ga.js<\/em>. One of several newly-registered domain names we came across had a skimmer that fit the same template, hosted at payment-mastercard[.]com\/ga.js<\/em>.<\/p>\n

\n
\"\"<\/a>
Figure 1: Simple skimmer based on previous template<\/figcaption><\/figure>\n<\/div>\n

This malicious ga.js<\/em> file is injected into compromised online shops by inserting a one line piece of code containing the remote script in Base64 encoded form.<\/p>\n

\n
\"\"<\/a>
Figure 2: A JavaScript library from a compromised shop injected with the skimmer<\/figcaption><\/figure>\n<\/div>\n

However, one thing we noticed is that the payment-mastercard[.]com<\/em> domain was also hosting a completely different kind of skimmer that at first resembled a phishing site.<\/p>\n

Phish-like skimmer<\/h3>\n

This skimmer is interesting because it looks like a phishing page copied from an official template for CommWeb<\/a>, a payments acceptance service offered by Australia’s Commonwealth Bank (https:\/\/migs.mastercard.com.au<\/em>).<\/p>\n

\n
\"\"<\/a>
Figure 3: Fraudulent and legitimate payment gateways shown side by side<\/figcaption><\/figure>\n<\/div>\n

As the text reads “Your details will be sent to and processed by The Commonwealth Bank of Australia and will not be disclosed to the merchant<\/em>” this is not a login page to phish credentials, but rather a pretend payment gateway service.<\/p>\n

The attackers have crafted it specifically for an Australian store running the PrestaShop<\/a> Content Management System (CMS), exploiting the fact that it accepts payments via the Commonwealth Bank.<\/p>\n

\n
\"\"<\/a>
Figure 4: Modes of payments accepted by the store<\/figcaption><\/figure>\n<\/div>\n

The scheme consists of swapping the legitimate e-banking page with the fraudulent one in order to collect the victims’ credit card details. We also noticed that the fake page did something we don’t always see with standard skimmers in that it checked that all fields were valid and informed the user if they weren’t.<\/p>\n

\n
\"\"<\/a>
Figure 5: Fake payment gateway page shown with its JavaScript that exfiltrates the data<\/figcaption><\/figure>\n<\/div>\n

Here’s how this works:<\/p>\n