A new skimmer steals credit card data during online payments


Researchers at Akamai, a well-known cybersecurity company, have discovered a new skimmer-type attack that is hitting several online stores with a new technique to extract data.

 

A skimmer is a device capable of reading the magnetic stripe data of badges and credit cards. Because of these characteristics, skimmers are used more and more often to commit criminal activities to the detriment of credit card holders and users of ATMs.

 

In this case it is a software skimmer, which reads card data during online payments.

 

"Online stores are increasingly outsourcing their payment processes to third-party vendors, which means they don't manage credit card data within their store. Taking advantage of this situation, the attacker creates a fake credit card payment page of the store and injects it into the checkout page of the application. This way the attacker is able to obtain the card details," reads the post published by Akamai.

 

The attackers use the software skimmer to inject a loader into the source code of the store's web page. Once the loader executes, it requests a malicious JavaScript file from the criminals' server. Once that script has been loaded from the external server, the skimmer stores its generated session-id and the client's IP address in the browser's LocalStorage.

 

Having obtained the user's IP address, the attackers use a WebSocket connection to extract sensitive information from the checkout, login and new-account registration pages.

 

The distinctive aspect of this attack is that it uses WebSocket, instead of HTML tags or XHR requests, to extract information from the compromised site, which makes the technique more effective. Using WebSockets allows the skimmer to bypass many CSP policies.
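
As an added example (not from Akamai's post or any store's code), the following checks whether a CSP header actually constrains WebSocket destinations. CSP governs WebSocket connections through `connect-src`, falling back to `default-src`; the source matching here is simplified, and the function names and sample policies are assumptions constructed for illustration.

```javascript
// Added example: audit a Content-Security-Policy string for WebSocket egress.
// Source matching is simplified (assumption): it flags obviously broad sources only.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Only the first occurrence of a directive is honoured.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function auditWebSocketEgress(header) {
  const directives = parseCsp(header);
  // WebSocket connections are checked against connect-src, which falls
  // back to default-src when connect-src is absent.
  const governing = directives.has('connect-src') ? 'connect-src'
    : directives.has('default-src') ? 'default-src' : null;
  if (governing === null) {
    return { governing, restricted: false, broad: [],
      reason: 'no connect-src or default-src: WebSocket destinations are unrestricted' };
  }
  const sources = directives.get(governing).map((s) => s.toLowerCase());
  // Treated here as broad: any host, any ws/wss host, or a wildcard ws/wss host.
  const broad = sources.filter((s) =>
    s === '*' || s === 'ws:' || s === 'wss:' || /^wss?:\/\/\*/.test(s));
  return {
    governing,
    restricted: broad.length === 0,
    broad,
    reason: broad.length === 0
      ? `${governing} limits connections to: ${sources.join(' ') || "'none'"}`
      : `${governing} contains broad sources: ${broad.join(' ')}`,
  };
}

// Constructed sample policies (not taken from any real site).
const samples = [
  "script-src 'self' https://cdn.example",
  "default-src 'self'; connect-src 'self' wss:",
  "default-src 'self'; connect-src 'self' wss://pay.example",
];
for (const p of samples) console.log(p, '=>', auditWebSocketEgress(p).reason);
```

The first sample restricts only script sources, so a script that does get injected can still open a socket to any host; the third pins socket destinations to one named endpoint.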

 

Experts have noted that for stores that handle the payment process through a third-party vendor, the skimmer creates a fake credit card form on the page before the user is redirected to the third-party vendor.

 

 "Akamai sees new client-side attacks on web applications, like this example, on an almost weekly basis. Traditional CSP-based approaches do not account for most of these types of attacks," the company concludes.
