A campaign found by Malwarebytes Labs in mid-April has stolen credentials from a number of e-commerce portals.
Researchers have found a credit-card skimming campaign active since mid-April that has a specific & unusual target: ASP.NET-based websites running on Microsoft Internet Information Services (IIS) servers.
Malwarebytes
Research from Malwarebytes Labs recently uncovered the campaign, which already has compromised at least 12 websites that range from sports organizations, health & community associations, & a credit union, all via a malicious code injected into existing JavaScript libraries on each of the sites.
The campaign seems to be exploiting an older version of ASP.NET, version 4.0.30319, which is no longer officially supported & contains multiple vulnerabilities, according to the report by Malwarebytes Director of Threat Research, Jerome Segura.
Skimming
“This skimming campaign likely began sometime in April 2020 as the first domain (hivnd[.]net) part of its infrastructure (31.220.60[.]108) was registered on April 10 by a threat player using a ProtonMail email address,” he wrote in the report.
Mostly, attackers were seen injecting the skimming code directly into the compromised JavaScript library of the affected site, though in some cases it was loaded remotely, he mentioned in the report. In the latter case, attackers loaded the skimmer from the remote domain thxrq[.]com.
Threat Players
Credit-card skimmers do basically what their name suggests, they read & record credit-card details from otherwise legitimate transactions for use by threat players. The actors behind these campaigns typically will put up these details bundled together for sale on dark-web forums.
Point-of-sale transaction, such as those at gas-station pumps are a key target for these type of attacks, but any web-based commerce transaction in which someone uses a credit card to pay is vulnerable.
Scam
This type of scam has been around for a while, & security researchers tend to look for it among its typical targets, such as e-commerce content management systems (CMS), such as Magento, & plugins like WooCommerce, Segura wrote.
“As defenders, we tend to focus a lot of our attention on the same platforms, in large part because most of the compromised websites we flag are built on the LAMP (Linux, Apache, MySQL & PHP) stack,” he wrote. “It’s not because those technologies are less secure, but simply because they are so widely adopted.”
Shopping-Cart Applications
While ASP.NET is not as popular as PHP, it is still used among smaller businesses & personal blogs, including many sites that run shopping-cart applications, accounting for “a sizeable market share,” Segura commented. It is those shopping portals that attackers specifically targeted in the campaign, showing that any website that can be “subverted without too much effort is fair game,” he further explained.
“In some cases, we notice ‘accidental’ compromises, where some sites get hacked & injected even though they weren’t really the intended victims,” Segura observed.
Credit-Card Data
In the majority of the new attacks seen, threat players used several different styles to look for not only credit-card data but also passwords, although the latter was incorrectly implemented, Segura commented. The change-up in style made the campaign difficult for researchers to pinpoint at first, he outlined.
Once researchers identified the campaign & affected sites, they contacted the affected parties “in the hope that they would identify the breach and take appropriate actions to harden their infrastructure,” Segura concluded.
