"There is nothing new that is not old."
Technological progress does not stand still, and neither do fraud methods. Not long ago, a report was published by Akamai about a new technique for skimming. Skimming, where it all started, and what new fraudsters have invented will be discussed in our article.
Magecart: What Kind of Skimming Is That?
Skimming is a fraudulent technique where criminals steal information from bank cards. In the early stages, criminals would install specialized card readers and overlay keypads on bank terminals to later clone the cards. Skimmers come in two types: some gather information from various users, while others immediately transmit card data to fraudsters through a radio channel or via an embedded SIM card over cellular networks.
However, with the advancement of technology, this type of fraud has shifted to the Internet. Criminals inject malicious code into websites, typically on payment processing pages or other areas where users enter sensitive information, such as bank card details. Subsequently, when visitors enter their details on infected pages, criminals intercept this information. This technique is known as Magecart.
Attackers seek out susceptible payment processing websites and insert malicious code into payment processing pages or other pages where customers enter bank card information. When information is entered, the malicious code intercepts it and transfers it to a remote server.
Magecart has carried out several high-profile attacks on well-known e-commerce sites and third-party payment providers. The stolen data is usually sold on the underground market or used for fraudulent transactions. Regular security audits, website software updates, suspicious activity monitoring, and using security precautions security measures to identify and thwart such assaults are all part of the defense against Magecart attacks. There are known incidents in history involving companies such as Macy's, Puma, and British Airways.
What's up with the 404?
The skimmer penetrates the program by introducing a script featuring a code snippet that closely mirrors Meta Pixel, a renowned service for monitoring Facebook visitor activity, and incorporates several supplementary lines of code. This technique enables skimmers to avoid detection by conducting static analysis by external scanners and researchers. The extra lines of seemingly innocuous code make it easier to submit a PNG image with a Base64 encoded message attached at the end. This string is later retrieved, decoded, and converted into a JavaScript code snippet, which is executed by the loader code snippet.
Based on this approach, a new method has been developed that involves opening the icon page via an absolute path, which provides a direct link to a "Not Found" page. This page then accesses a compromised section of code, which is then commented out with a special key, hiding the malicious code inside.
This can happen when a site uses a third-party payment service that implements a payment form in an external iframe or on an external page. To bypass such scenarios, an attacker creates a fake form very similar to the original payment form and overlays it. When the user enters data into the fake form, an error appears, the fake form is hidden, the original payment form is opened, and the user is prompted to re-enter payment data. In this way, the old method of fraud and the new one are combined.
How do you protect yourself?
Buyers should pay attention to the address bar of the resource where the payment is made and uncharacteristic errors in the input form. Since thieves can utilize an active card with an empty balance for other fraudulent schemes, like money laundering, you immediately reissue the card and move all available funds to a savings or savings account as soon as you think you have been the victim of fraud. The cybercrime unit should pay attention to the new scheme and test systems for penetration.