{"id":17094,"date":"2019-12-04T09:10:04","date_gmt":"2019-12-04T17:10:04","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2019\/12\/04\/news-10830\/"},"modified":"2019-12-04T09:10:04","modified_gmt":"2019-12-04T17:10:04","slug":"news-10830","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/12\/04\/news-10830\/","title":{"rendered":"There’s an app for that: web skimmers found on PaaS Heroku"},"content":{"rendered":"

Credit to Author: J\u00e9r\u00f4me Segura| Date: Wed, 04 Dec 2019 16:00:00 +0000<\/strong><\/p>\n

Criminals love to abuse legitimate services\u2014especially platform-as-a-service (Paas) cloud providers\u2014as they are a popular and reliable hosting commodity used to support both business and consumer ventures.<\/p>\n

Case in point, in April 2019 we documented<\/a> a web skimmer served on code repository GitHub. Later on in June, we observed<\/a> a vast campaign where skimming code was injected into Amazon S3 buckets.<\/p>\n

This time, we take a look at a rash of skimmers found on Heroku<\/a>, a container-based, cloud PaaS owned by Salesforce. Threat actors are leveraging the service not only to host their skimmer infrastructure, but also to collect stolen credit card data.<\/p>\n

All instances of abuse found have already been reported to Heroku and taken down. We would like to thank the Salesforce Abuse Operations team for their swift response to our notification.<\/p>\n

Abusing cloud apps for skimming<\/h3>\n

Developers can leverage Heroku to build apps in a variety of languages and deploy them seamlessly at scale.<\/p>\n

\n
\"\"<\/a><\/figure>\n<\/div>\n

Heroku has a freemium model, and new users can experiment with the plaform’s free web hosting services with certain limitations. The crooked part of the Magecart cabal were registering free accounts with Heroku to host their skimming business.<\/p>\n

Their web skimming app consists of three components:<\/p>\n

    \n
  • The core skimmer that will be injected into compromised merchant sites, responsible for detecting the checkout URL and loading the next component.<\/li>\n
  • A rogue iframe that will overlay the standard payment form meant to harvest the victim’s credit card data.<\/li>\n
  • The exfiltration mechanism for the stolen data that is sent back in encoded format.<\/li>\n<\/ul>\n
    \n
    \"\"<\/a><\/figure>\n<\/div>\n

    iframe trick<\/h3>\n

    Compromised shopping sites are injected with a single line of code that loads the remote piece of JavaScript. Its goal is to monitor the current page and load a second element (a malicious credit card iframe) when the current browser URL contains the Base64 encoded string Y2hlY2tvdXQ=<\/em> (checkout). <\/p>\n

    \n
    \"\"<\/a><\/figure>\n<\/div>\n

    The iframe is drawn above the standard payment form and looks identical to it, as the cybercriminals use the same cascading style sheet (CSS) from portal.apsclicktopay.com\/css\/build\/easypay.min.css<\/em>.<\/p>\n

    \n
    \"\"<\/a><\/figure>\n<\/div>\n

    Finally, the stolen data is exfiltrated, after which victims will receive an error message instructing them to reload the page. This may be because the form needs to be repopulated properly, without the iframe this time.<\/p>\n

    \n
    \"\"<\/a><\/figure>\n<\/div>\n

    Several Heroku-hosted skimmers found<\/h3>\n

    This is not the only instance of a credit card skimmer found on Heroku. We identified several others using the same naming convention for their script, all seemingly becoming active within the past week.<\/p>\n

    \n
    \n
    \n

    Another one on @heroku<\/a><\/p>\n

    hxxps:\/\/stark-gorge-44782.herokuapp[.]com\/integration.js. Fake form in an iframe. Data goes to hxxps:\/\/stark-gorge-44782.herokuapp[.]com\/config.php?id= pic.twitter.com\/Xa1F2z1Z1a<\/a><\/p>\n

    — Denis (@unmaskparasites) December 2, 2019<\/a><\/p><\/blockquote>\n