Cyber criminals have been stealing the card details of users for years. They have been successful at card skimming, both at server-side and client-side, without attracting much attention. However, some notable breaches in past few years put them under the scrutiny of security researchers. To tackle the situation, the threat actors have employed new evasion techniques to evolve their craft.
In order to safeguard yourself from web skimming attacks, it is important to be aware of following new evasion techniques adopted by the cyber criminals:
- Steganography: Steganography is the technique of hiding data directly on the pixel value of an image in such a manner that the effect of data is not visible on the image. First case of using steganography to hide a malicious code was ‘ZeusVM’ in 2014. It was a Zeus banking Trojan that used a beautiful sunset image to hide its configuration data. The technique is now being used by web skimmers to trick the website security and users.A simple example may be of any ecommerce website. An e-commerce website loads numerous images such as logos, product images, offer images, etc. The web skimmers use these images (that attract user clicks such as free shipping banners) to embed their code. On studying the image properties, they may show a ‘Malformed’ message and additional data after normal end of the file. Threat actors use code snippets to load the fake images and parse the website’s JavaScript content via the slice() method.
It is an easy way to slide past the website security because the web crawlers and scanners tend to focus on HTML and JavaScript while ignoring media files. To protect yourself from skimming acts, scan the source file of any media files downloaded from third party sites.
- WebSockets Instead of HTTP: HTTP follows a request and response communication channel to a server and from a client. WebSockets, on the other hand, is a communication protocol that allows streams of data to be exchanged between a client and server over a single TCP connection. It allows a more covert way to exchange data as compared to HTTP. The web skimmers use a skimming code and data exfiltration to launch the attack. The code is obfuscated in the communication in a way that it is concealed from DOM. Once the code is run in the browser, it triggers client handshake request. The request is received by the server controlled by the cyber criminals which responds to it. This establishes the connection between victim client browser and malicious host server. Now the skimming code is downloaded on the victim system and run as JavaScript code.
Centex Technologies provide cyber & network security solutions for businesses. For more information on new evasion techniques followed by web skimmers, call Centex Technologies at (254) 213 – 4740.