Payment Card-Skimming Campaign Now Targeting Websites in North America

Published: 23/11/2024   Category: security



Silent Skimmer is a technically complex campaign that has successfully targeted online businesses in the Asia Pacific region for over a year.



A Chinese-speaking threat actor that has been skimming credit card numbers off ecommerce sites and point-of-sale service providers in the Asia/Pacific region for more than a year has begun aiming at similar targets in North and Latin America as well.
In a series of attacks since at least May 2023, the adversary has exploited vulnerabilities in Web applications, including one that China's Hafnium group has used in cyber-espionage campaigns, to gain access to sites belonging to organizations across multiple industry sectors. The primary goal in these attacks is to reach the payment pages on these sites and drop malware that steals the card numbers of people making online purchases.
Researchers from BlackBerry discovered the campaign and are tracking it as Silent Skimmer. In a blog post this week, they described the campaign as technically complex and one that might well involve an advanced or experienced threat actor.
Card-skimming attacks are certainly not new. A loose collection of hacking groups that researchers have been tracking as Magecart have for years, in fact, been successfully stealing payment card data belonging to hundreds of millions of online shoppers around the world. In many of these attacks, the threat actors have targeted vulnerabilities in third-party software components and plug-ins, such as page view counters and visitor tracking widgets, and injected card-skimming code into them.
Hundreds of thousands of e-commerce sites have fallen victim to Magecart attacks in recent years, including British Airways, Ticketmaster, Newegg, and numerous others.
The operator of the Silent Skimmer campaign has been opportunistically exploiting vulnerabilities in Web-facing applications to gain initial access to websites. Many of the sites the threat actor was attacking were hosted on Microsoft's Internet Information Services (IIS) Web server software. One of the vulnerabilities the threat actor has exploited in its campaign is CVE-2019-18935, a critical remote code execution bug in Telerik UI, a suite of components and Web development tools from Progress Software. Among the groups that have used the bug in their campaigns are China's Hafnium group and Vietnam's XE Group.
CVE-2019-18935 is an insecure-deserialization flaw in the RadAsyncUpload file-upload handler of Telerik UI for ASP.NET AJAX. If the target Web application's process has write permission to the handler's temporary upload directory, the exploit first uploads a malicious dynamic link library (DLL) there and then sends a second request whose deserialized payload loads that DLL. The DLL then initiates a sequence of steps that ends with malware for skimming credit and debit card data being installed on the website.
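Because both halves of that exploit chain (the upload and the deserialization trigger) hit the same Telerik handler, IIS access logs give defenders a usable signal. The script below is an added detection example written for this page; it is not from BlackBerry's report or the original article. It assumes IIS W3C extended logs with the fields listed in its constructed sample, and that the application does not itself rely on RadAsyncUpload (a site that uses the control legitimately will see POSTs to this handler from real users, so the burst threshold and the allow-listing are tuning knobs, not constants). The handler path `Telerik.Web.UI.WebResource.axd?type=rau` is the RadAsyncUpload endpoint targeted by public exploits for CVE-2019-18935; the IP addresses and timestamps are made up.

```python
"""Flag IIS requests consistent with CVE-2019-18935 exploitation.

Public exploits for this Telerik UI bug abuse the RadAsyncUpload handler
(Telerik.Web.UI.WebResource.axd?type=rau): one POST drops the attacker's DLL
into the temp upload directory, a second POST makes the handler deserialize a
payload that loads it. Two or more POSTs to that handler from one client in a
short window is therefore the pattern worth alerting on.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RAU_HANDLER = "/telerik.web.ui.webresource.axd"   # compared case-insensitively
BURST_WINDOW = timedelta(minutes=2)               # tuning knob, assumed value


def parse_w3c(lines):
    """Yield one dict per data line of an IIS W3C log, keyed by the #Fields header."""
    fields = None
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # field names follow the directive
            continue
        if line.startswith("#") or fields is None:
            continue                       # other directives, or no header yet
        values = line.split()
        if len(values) != len(fields):
            continue                       # truncated or malformed line: skip
        yield dict(zip(fields, values))


def is_rau_request(rec):
    """True for a POST to the RadAsyncUpload handler (upload or trigger request)."""
    return (rec.get("cs-method") == "POST"
            and rec.get("cs-uri-stem", "").lower() == RAU_HANDLER
            and "type=rau" in rec.get("cs-uri-query", "").lower())


def find_rau_bursts(lines, window=BURST_WINDOW):
    """Return {client_ip: [timestamps]} for clients with 2+ RAU POSTs within `window`."""
    hits = defaultdict(list)
    for rec in parse_w3c(lines):
        if is_rau_request(rec):
            ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
            hits[rec["c-ip"]].append(ts)

    bursts = {}
    for ip, stamps in hits.items():
        stamps.sort()
        # any two consecutive hits inside the window qualifies the whole client
        if any(stamps[i] - stamps[i - 1] <= window for i in range(1, len(stamps))):
            bursts[ip] = stamps
    return bursts


# Constructed sample log (not real traffic). The second client sends the
# upload and the trigger four seconds apart; the last client posts once.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2024-11-20 03:14:02 10.0.0.5 GET /checkout - 443 203.0.113.7 Mozilla/5.0 200
2024-11-20 03:15:10 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 198.51.100.23 python-requests/2.31 200
2024-11-20 03:15:14 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 198.51.100.23 python-requests/2.31 500
2024-11-20 03:20:45 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd type=rau 443 192.0.2.9 Mozilla/5.0 200
2024-11-20 09:01:00 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 192.0.2.44 Mozilla/5.0 200
"""

if __name__ == "__main__":
    for ip, stamps in find_rau_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {len(stamps)} RadAsyncUpload POSTs, "
              f"first {stamps[0]}, last {stamps[-1]}")
```

On the sample data only 198.51.100.23 is reported; the single POST from 192.0.2.44 and the GET from 192.0.2.9 are not. In production, pair a hit with a look at the process's temp directory for newly written DLLs, and treat any such alert as a reason to check the Telerik build in the site's bin directory rather than as proof of compromise by itself.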
BlackBerry researchers have observed the threat actor using multiple separate tools for privilege escalation, as well as a remote access tool, a remote code execution exploit, a malware stager/downloader, and a tool for post-exploit activities. As is often the case with malware campaigns these days, the operator of Silent Skimmer has relied on a slew of legitimate open source tools, binaries, and scripts in many of its attacks.
One indication that the threat actor behind Silent Skimmer is technically skilled is how it has adjusted its command-and-control (C2) infrastructure to the geolocation of its victims. For the campaign, the threat actor has used virtual private servers (VPSes), often on Microsoft's Azure platform, as C2 servers for newly acquired targets. Each C2 server is typically online for less than a week and is often located in the same region or country as the victim. For Canadian victims, for example, BlackBerry found the threat actor set up a VPS in Canada, while for US victims the VPS was usually within the same state as the victim.
The goal behind the tactic is to ensure that traffic to and from the compromised servers blends in with normal traffic, BlackBerry said.
