
Fake CDNs obscuring credit card fraudsters

February 26, 2020

Cyber criminals are attempting to steal the personal details of online shoppers without being spotted by disguising credit card skimmers behind fake content delivery networks (CDNs). The new technique was uncovered and described by Malwarebytes researcher Jérôme Segura, who identified suspicious code lurking on the website of a popular French boutique.

“Sometimes, what looks like a CDN [content delivery network] may turn out to be anything but,” said Segura. “Using lookalike domains is nothing new among malware authors. One trend we see a fair bit with web skimmers in particular is domains that mimic Google Analytics. Practically all websites use this service for their ranking and statistics, so it makes for very credible copycats.

“The latest case we caught uses two different domains pretending to be a CDN,” he said. “While typically the second piece of the infrastructure is used for data exfiltration, it only acts as an intermediary that attempts to hide the actual exfiltration server.

“Oddly, the crooks decided to use a local web server exposed to the internet via the free ngrok service to collect the stolen data. This combination of tricks and technologies shows us that fraudsters can devise very customised schemes in an attempt to evade detection,” said Segura.

The compromised e-commerce site contained code that to the naked eye appeared to be merely a jQuery library loaded from a third-party CDN. Both the library and the CDN would seem to be legitimate, but closer inspection revealed some inconsistencies: notably a field looking for a credit card number, which should not exist in such a plugin, suggesting it may in fact be a skimmer.

Segura checked an archived copy of the site and compared it with the code on the live version, and found that a few weeks earlier, the script had not been present, meaning it was either added recently by the site owner or injected by attackers.

The script works by checking the current URL in the user’s browser address bar; if it matches the store’s checkout page, it begins collecting form data, such as names, addresses, emails, phone numbers and credit card information.
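The inconsistency described above can be checked mechanically when reviewing the scripts a checkout page loads. The following is an added example, not code from Malwarebytes or the affected site: it flags a script that presents itself as a library, or comes from a host the shop never approved, yet touches payment fields. The host allowlist, the `shop.example` and `cdn-jquery.example` names, the indicator patterns and the sample script bodies are all constructed assumptions.

```javascript
// Added example. Hosts, paths and script bodies below are constructed.
// Hosts this shop deliberately loads scripts from (assumption for the example).
const ALLOWED_SCRIPT_HOSTS = new Set(["shop.example", "code.jquery.com"]);

// Content a UI library has no reason to contain.
const INDICATORS = [
  { id: "card-field", re: /(card|cc)[-_ ]?(num|number|no)\b|\bcvv\b|\bcvc\b/i },
  { id: "checkout-url-gate",
    re: /location\.(href|pathname)[^;]{0,80}(checkout|payment)/i },
];

function auditScript({ src, body }, pageHost) {
  // Resolve relative URLs against the page so first-party scripts get the shop's host.
  const host = new URL(src, `https://${pageHost}`).hostname;
  const findings = INDICATORS.filter((i) => i.re.test(body)).map((i) => i.id);
  if (!ALLOWED_SCRIPT_HOSTS.has(host)) findings.unshift("host-not-allowlisted");
  const claimsLibrary = /jquery|bootstrap|analytics/i.test(src);
  // Flag only the mismatch: payment-field access in something that presents
  // itself as a library, or that comes from a host the shop never approved.
  const suspicious = findings.includes("card-field") &&
    (claimsLibrary || findings.includes("host-not-allowlisted"));
  return { src, host, findings, suspicious };
}

function auditPage(scripts, pageHost) {
  return scripts.map((s) => auditScript(s, pageHost)).filter((r) => r.suspicious);
}

const SAMPLE_SCRIPTS = [
  { src: "https://code.jquery.com/jquery-3.4.1.min.js",
    body: "/*! jQuery v3.4.1 */ (function(w){ w.jQuery = function(s){ return document.querySelectorAll(s); }; })(window);" },
  { src: "/static/checkout.js",
    body: 'document.querySelector("#card-number").addEventListener("input", validate);' },
  { src: "https://cdn-jquery.example/jquery-3.4.1.min.js",
    body: '/*! jQuery v3.4.1 */ if (location.href.indexOf("/checkout") !== -1) { var f = document.querySelector("[name=cc_number]"); }' },
];

console.log(auditPage(SAMPLE_SCRIPTS, "shop.example"));
```

The shop's own `/static/checkout.js` references a card field but is not flagged, because it is first-party and does not claim to be a library; only the lookalike-hosted "jQuery" file is reported.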

Once collected, the skimmer exfiltrates data to another location, although Segura actually found this to be an intermediary – a simple redirect revealed the actual destination, a custom ngrok server. Ngrok is a free service that exposes local servers to the public internet – legitimate uses include testing websites and mobile apps without deploying them, or running personal cloud services from home.

Malwarebytes said this was clearly an attempt by the cyber criminals responsible to mask their activity and widen the small window of opportunity they would have had before the exploit was spotted and stopped.

“We caught this campaign early on, and at the time only a handful of sites had been injected with the skimmer,” said Segura. “We reported it to the affected parties while also making sure Malwarebytes users were protected against it.

“While these breaches hurt the reputation of online merchants, customers also suffer the consequences of a hack. Not only do they have to go through the hassle of getting new credit cards, their identities are stolen as well, opening the door to future phishing attacks and impersonation attempts,” he said.

    © CC Startup, Powered by Creative Collaboration. © 2020 Creative Collaboration, LLC. All Rights Reserved.
