A Beginner’s Guide to Hunting Web-Based Credit Card Skimmers

This blog post explores approaches for hunting credit card skimmers, which are malicious scripts used to steal payment information from e-commerce websites. It outlines the methods of attack, tools for detection, and shares key findings from the author’s investigations into known skimmer campaigns. The piece also highlights indicators of compromise (IoCs) related to the skimming attacks discussed.

Affected: e-commerce websites, payment processing systems

Key points:

  • Web-based credit card skimmers inject malicious code into e-commerce sites to steal payment details.
  • Attackers exploit vulnerabilities or steal admin credentials to modify website code.
  • Skimmers can activate on checkout pages to capture credit card information.
  • Tools like Validin, Urlscan.io, and CyberChef aid in identifying compromised sites and analyzing skimmer code.
  • Key indicators of a skimmer include specific strings in injected scripts like “crounch123”.
  • WebSocket communications are frequently used by skimmers to exfiltrate data back to attackers.
  • Several new IoCs were identified, enabling further investigation into compromised domains.
  • The analysis of injected code reveals methods for deceiving and capturing user input.

MITRE Techniques:

  • Initial Access (T1190) – Attackers exploit vulnerabilities in e-commerce platforms to gain access.
  • Persistence (T1132) – Scripts are embedded within compromised websites to maintain presence.
  • Credential Access (T1078) – Admin credentials are stolen to enable further code modification.
  • Exfiltration Over Web Service (T1041) – Sensitive data such as payment information is sent via WebSocket to attacker-controlled servers.
  • Execution (T1203) – Malicious scripts execute in the user’s browser when visiting compromised sites.

Indicators of Compromise:

  • [Domain] malpedia[.]com
  • [Domain] validin[.]io
  • [Domain] wordpress-redirect.biz
  • [WebSocket] wss://wordpress-redirect.biz/assets?source
  • [WebSocket] wss://jsmanifestgls.com/refresh
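As an added example (not code from the original post), the following scanner turns the key points above into a first-pass check: it pulls inline scripts out of a saved page source, flags the “crounch123” indicator string, and matches literal WebSocket endpoints against the IoC domains listed. The IoC host set and the sample HTML are constructed from this page; skimmers that assemble their endpoint at runtime or sit behind obfuscation will not match the literal regex and still need manual review (e.g. with CyberChef).

```python
"""Scan saved HTML page sources for the skimmer indicators discussed above."""
import re
from urllib.parse import urlparse

# Hosts taken from the IoC list on this page; extend with your own feeds.
IOC_HOSTS = {"wordpress-redirect.biz", "jsmanifestgls.com"}
# Indicator string the post reports inside injected skimmer scripts.
IOC_STRINGS = ("crounch123",)

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
# Only catches literal endpoints; dynamically built URLs need manual review.
WS_RE = re.compile(r"""new\s+WebSocket\s*\(\s*['"]([^'"]+)['"]""", re.I)


def scan_html(html):
    """Return a list of (reason, detail) findings for one page source."""
    findings = []
    for script in SCRIPT_RE.findall(html):
        for marker in IOC_STRINGS:
            if marker in script:
                findings.append(("indicator-string", marker))
        for url in WS_RE.findall(script):
            host = (urlparse(url).hostname or "").lower()
            if host in IOC_HOSTS:
                findings.append(("ioc-websocket", url))
            elif url.lower().startswith("wss://"):
                # Unknown WebSocket endpoint on a checkout page: review manually.
                findings.append(("unknown-websocket", url))
    return findings


# Constructed sample: a checkout page carrying an injected loader (not real skimmer code).
SAMPLE_HTML = """<html><body>
<script src="/js/checkout.js"></script>
<script>var k="crounch123";var ws=new WebSocket("wss://wordpress-redirect.biz/assets?source");</script>
<script>new WebSocket('wss://cdn.example.test/live')</script>
</body></html>"""

if __name__ == "__main__":
    for reason, detail in scan_html(SAMPLE_HTML):
        print(reason, detail)
```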

Full Story: https://gi7w0rm.medium.com/a-beginner-s-guide-to-hunting-web-based-credit-card-skimmers-c820aeee87d6