By Source Defense

A notorious Chinese-speaking threat actor, known for skimming credit card numbers off e-commerce sites and point-of-sale service providers across Asia/Pacific, has expanded its target scope to North and Latin America.

Having successfully executed a series of attacks since at least May 2023, this adversary has exploited vulnerabilities in web applications, including a vulnerability previously used by China’s Hafnium group in cyber espionage campaigns. Their primary objective is to infiltrate payment pages on targeted sites and deploy malware to pilfer card numbers from online purchasers.

“Silent Skimmer,” as BlackBerry researchers have named this campaign, stands out for its technical complexity, which points to an experienced threat actor. Card-skimming attacks are not new, but this campaign is notable for how successfully it targets vulnerabilities in third-party software components and plugins. By appending card-skimming code to seemingly harmless scripts such as page view counters and visitor tracking widgets, the operators behind Silent Skimmer have compromised the payment card data of online shoppers across the targeted regions.

To gain initial access, the operators of Silent Skimmer opportunistically exploit vulnerabilities in internet-facing web applications. Many of their targets are sites hosted on Microsoft’s Internet Information Services (IIS) web server. Among the vulnerabilities exploited by this group, CVE-2019-18935 has played a pivotal role. This critical remote code execution bug is an insecure .NET deserialization flaw in the file-upload handler of Telerik UI for ASP.NET AJAX, a suite of components and web development tools provided by Progress Software; when the handler’s encryption keys are known (older versions shipped with hard-coded defaults), an attacker can upload an arbitrary assembly and have the IIS worker process load it. China’s Hafnium group and Vietnam’s XE Group have also used this bug in their campaigns.

Upon gaining access, the threat actor uploads a malicious dynamic link library (DLL) to a directory that the web service can write to. The DLL initiates a sequence of steps that install credit and debit card skimming malware on the compromised website.

Silent Skimmer Attack Methodology

Once the malicious actor has sufficient privileges, they use PowerShell utility scripts to check whether specific files are present in the victim’s “inetpub\wwwroot” directory, the default local path for websites in IIS.

The check looks for three JavaScript files that the attackers replace with obfuscated, trojanised versions: “compiled.js,” “jquery.hoverIntent.js,” and “checkout.js.” Which file is replaced depends on the website’s configuration. If the website uses the jQuery library, the PowerShell script uses the Invoke-WebRequest cmdlet to retrieve from hxxp://157.254[.]194[.]232/ a modified copy of “jquery.hoverIntent.js” with malicious code appended. After writing the replacement, the attackers reset the file’s LastWriteTime to the original value, so the swap is invisible to a review that looks only at timestamps.

All three JavaScript files contain malicious code with the same intention: scraping payment details upon a specific event and exfiltrating the financial data. The only difference is that “compiled.js” leverages jQuery’s AJAX capabilities to make a POST request to the exfiltration site, while “jquery.hoverIntent.js” and “checkout.js” use the native XMLHttpRequest object directly. (AJAX, Asynchronous JavaScript and XML, is the technique of issuing HTTP requests from a page’s script without reloading the page; jQuery’s $.ajax is a wrapper around the same XMLHttpRequest object.)

When the event listener fires, it calls a function that reads the values the shopper typed into the form fields, such as billing information and card details, and prepares them for the POST to the exfiltration site.

Defend Against Silent Skimmer With Source Defense

The Silent Skimmer campaign poses a significant danger to organizations globally, necessitating heightened vigilance in securing web applications and promptly patching vulnerabilities. By being aware of this evolving threat and taking proactive measures, organizations can help safeguard their customers’ sensitive payment card information from falling into the hands of malicious actors.

The Payment Card Industry Data Security Standard (PCI DSS) provides security requirements for any organization that handles payment card data. The standard requires implementing policies, procedures, and controls that protect payment card data. Using Source Defense helps organizations meet PCI DSS Requirement 6.5, which requires addressing vulnerabilities within third-party applications and component integrations.

Source Defense is a leading provider of real-time, client-side security solutions designed to protect website users from third-party vulnerabilities. Source Defense addresses website supply-chain risks and protects users’ sensitive data by mitigating shared client-side vulnerabilities. Here’s how Source Defense can help:

– Source Defense mitigates Silent Skimmer attacks by monitoring every visitor session for the malicious behaviors described above and blocking them in real time before they execute.

– It eliminates shared third-party site vulnerabilities, so that an attacker cannot exploit security weaknesses in third-party plugins or scripts to load malicious code into the page.

Using Source Defense to protect web applications from third-party vulnerabilities is an important part of defending against Silent Skimmer attacks and meeting regulatory compliance requirements, but it does not replace the basics: regular website scans, prompt security updates, and staff who know how to recognize and report suspicious activity.

Source Defense is the pioneer in preventing digital skimming, Magecart attacks, formjacking, and other client-side security threats. Our streamlined solution offers an easy, cost-effective, and hassle-free way to mitigate your risk. Don’t wait. Schedule a meeting with one of our experts today for a free analysis of your eCommerce site and take control of your security.

PCI DSS 4.0 makes client-side security a priority.

Source Defense delivers a solution for 6.4.3 and 11.6.1 without adding a burden to your security teams.
