{"id":17327,"date":"2020-01-02T09:10:09","date_gmt":"2020-01-02T17:10:09","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2020\/01\/02\/news-11063\/"},"modified":"2020-01-02T09:10:09","modified_gmt":"2020-01-02T17:10:09","slug":"news-11063","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2020\/01\/02\/news-11063\/","title":{"rendered":"New evasion techniques found in web skimmers"},"content":{"rendered":"

Credit to Author: J\u00e9r\u00f4me Segura| Date: Mon, 30 Dec 2019 22:25:06 +0000<\/strong><\/p>\n

For a number of years, criminals have been able to steal credit card details from unaware online shoppers without attracting too much attention. Few people in the security industry were talking about these credit card web skimmers, both server-side and client-side, before the latter became largely known as Magecart<\/a>.<\/p>\n

It took some major incidents, notably the Ticketmaster<\/a> and British Airways<\/a> breaches, to put this growing threat under the spotlight and finally raise awareness among online merchants and consumers.<\/p>\n

Under pressure from greater scrutiny, in particular from a number of security researchers, some threat actors started to evolve their craft. This is a natural reaction, not limited to web skimmers, but one that applies to any malicious enterprise, cyber or not. <\/p>\n

One such recent evolution includes two new evasion techniques adapted for client-side web skimmers used to conceal their fraudulent activity. <\/p>\n

Steganography: a picture worth a thousand secrets<\/h3>\n

Steganography has long been used by malware authors as a way to hide data within legitimate-looking images. Back in 2014, we described a new variant of the Zeus banking Trojan called ZeusVM<\/a>, which was hiding its configuration data within a picture of a beautiful sunset.<\/p>\n

In the context of website security, hiding malicious code in picture files is a great way to go undetected. Take, for example, an e-commerce website and the various components it loads\u2014many of these will be logos, product images, and so forth.<\/p>\n

On December 26, @AffableKraut<\/a> disclosed<\/a> the first publicly-documented steganography-based credit card skimmer. To the naked eye, the image looks like a typical free shipping ribbon that you commonly see on shopping sites.<\/p>\n

\"\"<\/a>
Figure 1: A free shipping logo found on a shopping site<\/figcaption><\/figure>\n

The only indication that there might be something amiss is the fact that the file is malformed, with additional data found after the normal end of the the file.<\/p>\n

To better understand what and where this data might be, we can look at the image in a hex editor. The File Interchange Format (JFIF<\/a>) for the JPEG encoding has a specific structure. We used Ange Albertini’s diagram<\/a> as a guide.<\/p>\n

\"\"
Figure 2: Looking at the image structure from the beginning of the file<\/figcaption><\/figure>\n

So far, the image meets its requirements, and there does not appear to be anything special about it. However, if we remember what we saw in Figure 1, extra data was added after the final segment, which has the marker FF D9.<\/p>\n

\"\"<\/a>
Figure 3: Looking at the structure of the image, after the normal end of file<\/figcaption><\/figure>\n

Now we can see JavaScript code beginning immediately after the end of file marker. Looking at some of its strings such as onestepcheckout<\/em> or authorizenet<\/em>, we can deduce immediately that this is the credit-card skimming code.<\/p>\n

As it happens, the majority of web crawlers and scanners will concentrate on HTML and JavaScript files, and often ignore media files, which tend to be large and slow down processing. What better place to sneak in some code?<\/p>\n

Several years ago, there were major malvertising campaigns<\/a> redirecting victims to the Angler exploit kit, one of the most advanced toolkits leveraged to infect users with malware. One threat actor used a similar technique by concealing fingerprinting code within a fake GIF image<\/a>. At the time, this was the cr\u00e8me de la cr\u00e8me<\/em> of malvertising techniques.<\/p>\n

In a sense, any file loaded directly or from a third party should be deemed suspicious. @AffableKraut links to an open source file scanning system called Strelka<\/a> that may be helpful for defenders in detecting anomalous files.<\/p>\n

\"\"<\/a>
Figure 4: Malwarebytes blocking a skimmer using steganography<\/figcaption><\/figure>\n

WebSockets instead of HTTP<\/h3>\n

WebSocket is a communication protocol that allows streams of data to be exchanged between a client and server over a single TCP connection. Therefore, WebSockets are different than the more commonly-known HTTP protocol, which consists of requests and responses to a server from a client.<\/p>\n

\"\"<\/a>
Figure 5: Comparing WebSocket and HTTP protocols<\/figcaption><\/figure>\n

While WebSockets are advantageous for real-time data transfer, this is not the reason threat actors may be interested in them. For their particular use case, WebSockets provide a more covert way to exchange data than typical HTTP requests-responses.<\/p>\n

With web skimmers, there are certain artifacts we look for:<\/p>\n