In a recent blog post, Microsoft said its security researchers have observed web skimming campaigns employing a range of obfuscation techniques to deliver and hide the scripts that capture payment card details during online checkout.
“It’s a shift from earlier tactics where attackers conspicuously injected malicious scripts into e-commerce platforms and content management systems (CMSs) via vulnerability exploitation, making this threat highly evasive to traditional security solutions,” said the post on Microsoft.com. Some of the latest skimming HTML and JavaScript files uploaded to VirusTotal have very low detection rates, it added.
Web skimming typically targets platforms like Magento, PrestaShop, and WordPress, which are popular choices for online shops because of their ease of use and portability with third-party plugins. Unfortunately, these platforms and plugins come with vulnerabilities that the attackers have constantly attempted to leverage. One notable web skimming campaign/group is Magecart, which gained media coverage over the years for affecting thousands of websites, including several popular brands.
In one of the campaigns observed by Microsoft researchers, attackers obfuscated the skimming script by encoding it in PHP, which, in turn, was embedded inside an image file—a likely attempt to leverage PHP calls when a website’s index page is loaded. “Recently, we’ve also seen compromised web applications injected with malicious JavaScript masquerading as Google Analytics and Meta Pixel (formerly Facebook Pixel) scripts. Some skimming scripts even had anti-debugging mechanisms, in that they first checked if the browser’s developer tools were open,” the post explains.
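The image-file trick above can be checked for on the server side: a file that starts with valid image magic bytes but also contains a PHP open tag is a polyglot, not a picture. The scanner below is an added example, not Microsoft's tooling or code from the post; the sample blobs are constructed and only roughly shaped like real JPEG/PNG files.

```python
# Added example: flag image uploads that also carry PHP code (image/PHP polyglot).
# Not Microsoft's detection logic; sample inputs below are constructed, not captured.
import re

IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
# Marker after which a well-formed file should contain nothing meaningful.
END_MARKER = {"jpeg": b"\xff\xd9", "png": b"IEND", "gif": b"\x3b"}
# PHP open tags; a polyglot can stash code in metadata chunks or past end-of-image.
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


def image_type(data: bytes):
    """Return the image format by magic bytes, or None if not an image."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def scan_image(data: bytes) -> dict:
    """Report whether the blob looks like an image and where PHP tags sit.

    'appended' offsets lie after the format's end marker (code glued on past the
    picture); 'embedded' offsets lie inside the image structure (metadata chunks).
    """
    kind = image_type(data)
    offsets = [m.start() for m in PHP_TAG.finditer(data)]
    end = data.rfind(END_MARKER[kind]) if kind else -1
    appended = [o for o in offsets if end != -1 and o > end]
    return {
        "image_type": kind,
        "php_offsets": offsets,
        "appended": appended,
        "embedded": [o for o in offsets if o not in appended],
        "suspicious": kind is not None and bool(offsets),
    }


# Constructed samples: a minimal JPEG-shaped blob, the same blob with PHP appended
# after the EOI marker, and a PNG-shaped blob with PHP inside a tEXt chunk.
CLEAN_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"\xff\xd9"
APPENDED_JPEG = CLEAN_JPEG + b"<?php /* placeholder */ ?>"
PNG_WITH_TEXT = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x20tEXtComment\x00"
                 b"<?= 'placeholder' ?>\x00\x00\x00\x00" + b"\x00\x00\x00\x00IEND\xaeB`\x82")
```

A hit only says the file is a polyglot; the PHP still has to reach an interpreter (for example through an include on the index page) to do anything, so pair this check with restricting which upload paths the web server will execute.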
It should be noted that, while this is a real threat, one of the reasons behind this research seems to be the opportunity it gives Microsoft to promote its security tools, especially Microsoft 365 Defender, which receives a hearty endorsement (of course) in the post. “Given the scale of web skimming campaigns and the impact they have on organizations and their customers, a comprehensive security solution is needed to detect and block this threat. Microsoft 365 Defender provides a coordinated defense that’s enriched by our visibility into attacker infrastructure and continuous monitoring of the threat landscape,” says Microsoft (Mint Lounge has not verified these claims independently or tested the effectiveness of other security systems against this threat).
However, the company has provided a detailed analysis of this threat in the post, including technical details of the recent skimming campaigns’ obfuscation techniques, and has offered steps that defenders and users can take to protect themselves and their organizations from such attacks.