LetsAskBinu.com

Credit card skimming services make it easy for low-level cybercriminals to join the game

May 10, 2022

Credit card skimming just became much easier for cybercriminals, who can now buy ready-to-go skimming services online. Read more about this threat and how to detect it on merchant sites.

Image: 279photo/Adobe Stock

What is credit card skimming?

Credit card skimming is a technique that consists of using malicious code installed on compromised merchant websites to steal credit card information sent by the website’s customers when they complete online payments.

To deploy it successfully, a few technical steps need to be done. First, the attacker needs to find a merchant website that is vulnerable to different attack techniques and then compromise it. Once the attacker has access to the website’s content, they need to add malicious code to steal the credit card information provided by the unsuspecting customers.

Most skimmers use JavaScript, with the added code sitting quietly among the website's legitimate code and waiting for credit card information. The stolen information is then stored locally, in a location known only to the attacker, so it can be collected later.

Skimmer as a service: Meet CaramelCorp

Cybercriminals nowadays sell almost any kind of service one might think of. This is where Russian-based credit card skimming service CaramelCorp comes in, as reported by DomainTools.

The threat actor has a significant cybercrime forum presence, screens prospective customers carefully and does not do business with non-Russian speakers. They also refuse to sell their services to inexperienced carders.

For people managing to deal with CaramelCorp, a lifetime subscription to their service is worth $2,000 USD.

How the skimming service works

Deployment

According to DomainTools, CaramelCorp guarantees (a claim that has not been verified) that its skimmer can bypass certain security services from Akamai, Cloudflare and Incapsula, among others.

The service provides easily deployable gateways to receive the skimmed data and the capabilities to monitor them for downtime. A quickstart guide on JavaScript methods for targeting several commerce content management systems is also provided.

Collection

The Caramel skimmer uses the setInterval() method, as most other credit card skimmers do. Because setInterval() runs the collection code repeatedly on a timer rather than only when the form is submitted, data is exfiltrated even from partially completed form fields on the compromised website.

This is useful for cybercriminals, as even targets who decide not to purchase an item during the checkout process will still leak part of their payment data to the attackers.

CaramelCorp also mentions their skimmers can be deployed using a variety of file types to help evade detection.

Administration

A management panel allows for the monitoring and management of compromised online merchants. Performance tracking can also be done.

The management panel focuses on minimizing the attack surface by eliminating unnecessary code. A login panel provides access to the cybercriminals who bought the service (Figure A).

Figure A: CaramelCorp login panel. Image: Cedric Pernet/TechRepublic.

Anti-detection measures

The JavaScript used by the skimmer is obfuscated and goes undetected by most scanners. To achieve this, CaramelCorp recommends a tool known as the JavaScript Obfuscator Tool, which is already popular in the cybercriminal community.

Data leak from CaramelCorp

DomainTools managed to obtain access to data stored on the CaramelCorp server by finding and accessing open directories containing several elements, such as fragments of JavaScript code, source map files and the CaramelCorp quick-start guide.

The researchers found that CaramelCorp recommends a very simple deployment method: accessing the CMS administration panel of a compromised website and manually adding a short script (Figure B).

Figure B: Screen capture from Magento's Administrator panel showing where the malicious script is placed. Image: DomainTools.

DomainTools noted a significant amount of encoded Russian text in the source map and JavaScript files it discovered. Translating that text revealed a how-to guide on deploying the Caramel skimmer.

The fraudsters included warnings for behaviors to avoid when deploying as well as recommendations on where to acquire domain names, SSL certificates and VPS servers to run the skimming infrastructure.

How to detect the threat

While the threat is very difficult to detect, it is not impossible.

Web content integrity should be checked continuously. Content filtering and file monitoring security solutions should be deployed to detect any change to static files, especially files containing code such as .JS, .PHP and .ASPX files, and all static files should be monitored for signs of a breach.

Newly created and modified files should be investigated immediately if they do not result from a legitimate process within the company.
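As an added example of the integrity check described above (not code from the article or from DomainTools), the following Python script takes a SHA-256 baseline of the code files named in the text, re-scans the web root later, and reports added, removed and modified files. The web root, file names and contents are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

# File types the article singles out as common skimmer injection points.
MONITORED_SUFFIXES = {".js", ".php", ".aspx"}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large bundles never have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(webroot: Path) -> dict:
    """Map each monitored file (relative POSIX path) to its SHA-256 digest."""
    baseline = {}
    for path in sorted(webroot.rglob("*")):
        if path.is_file() and path.suffix.lower() in MONITORED_SUFFIXES:
            baseline[path.relative_to(webroot).as_posix()] = sha256_of(path)
    return baseline


def diff_baseline(old: dict, new: dict) -> dict:
    """Report files that appeared, disappeared or changed since the stored baseline."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def demo() -> dict:
    """Constructed web root: record a baseline, then simulate an edited script and a dropped file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "js").mkdir()
        (root / "js" / "checkout.js").write_text("// legitimate checkout logic\n")
        (root / "index.php").write_text("<?php echo 'shop'; ?>\n")
        (root / "logo.png").write_bytes(b"\x89PNG")  # not a monitored type, never reported
        baseline = build_baseline(root)

        # Unauthorised change to an existing script plus a new file dropped into the web root.
        (root / "js" / "checkout.js").write_text("// legitimate checkout logic\n// appended block\n")
        (root / "js" / "vendor.min.js").write_text("// new file\n")
        return diff_baseline(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

In production the baseline is written to storage the web server process cannot modify and refreshed only by the deployment pipeline, so that any diff outside a release window is an alert. One caveat: a script added through a CMS administration panel, as in Figure B, is typically stored in the CMS database rather than on disk, so file hashing alone does not catch it; the rendered checkout page and its script tags need to be compared against a known-good copy as well.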

The web server software itself should always be patched and up-to-date in order to avoid any possible initial compromise from attackers.

It might also be a good idea to hunt for any file on the web server that contains credit card information, as some skimmers store the stolen data locally before sending it to the controller. Such detection of credit card information could be done using YARA, for example.
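As an added example of that hunt (not code from the article, and not a YARA rule), this Python script scans a directory for candidate card numbers and keeps only those that pass the Luhn check, which a plain regular expression in a YARA rule cannot do on its own. The sample files and their contents are constructed, and the card numbers are publicly known test numbers rather than real accounts.

```python
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# 13-19 digits, optionally separated by single spaces or dashes, not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: every real card number passes it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return candidate PANs in text that pass Luhn and are not a single repeated digit."""
    hits = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and len(set(digits)) > 1 and luhn_valid(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep only the BIN and last four so the scanner's own report is not a second data leak."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_files(root: Path, suffixes=(".txt", ".log", ".json", ".php", ".js", ".dat")) -> dict[str, list[str]]:
    """Walk root and report masked PAN hits per file that contains at least one."""
    report = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            try:
                text = path.read_text(errors="ignore")
            except OSError:
                continue
            pans = find_pans(text)
            if pans:
                report[path.relative_to(root).as_posix()] = [mask(p) for p in pans]
    return report


# Constructed sample web-root contents (test card numbers, not real accounts).
SAMPLE_FILES = {
    "var/log/app.log": "2022-05-10 order=1660000123 status=ok\n",
    "media/cache/tmp.dat": "cc=4111111111111111&exp=12/24\ncc=5500 0000 0000 0004&exp=01/25\n",
    "js/checkout.js": "var build = 4111111111111112;\n",  # 16 digits but fails Luhn
}


def demo() -> dict[str, list[str]]:
    """Write the constructed files into a temporary web root and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in SAMPLE_FILES.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content)
        return scan_files(root)


if __name__ == "__main__":
    for rel, pans in demo().items():
        print(f"{rel}: {pans}")
```

Only the cache file is reported: the log line's order number is too short to qualify and the 16-digit constant in checkout.js fails Luhn, which is what keeps the false-positive rate workable on a real web root. The scan misses stash files the skimmer has encoded or encrypted before writing, so it complements rather than replaces the file-change monitoring above.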

Finally, all the usual measures for protecting web infrastructure should be applied so that the website is not compromised in the first place. Any panel or administrator area of the website should be accessible only with multi-factor authentication, and any default credentials should be removed. Security solutions that detect malware and file-based threats should also be deployed.

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.

© 2022 Lets Ask Binu All Rights Reserved