Microsoft security researchers recently observed web skimming campaigns that used multiple obfuscation techniques to avoid detection.
The threat actors obfuscated the skimming script by encoding it in PHP, which, in turn, was embedded in an image file, using this trick the code is executed when a website’s index page is loaded.
The term web skimming refers to the criminal practice to harvest payment information of visitors of a website during checkout. Crooks use to exploit vulnerabilities in e-commerce platforms and CMSs to inject the skimming script into the page of the e-store. In some cases, attackers can exploit vulnerabilities in installed third-party plugins and themes to inject malicious scripts.
Microsoft also observed attackers masquerading as Google Analytics and Meta Pixel (formerly Facebook Pixel) scripts to avoid raising suspicion.
The attackers place a Base64-encoded string inside a spoofed Google Tag Manager code. This string decoded to trafficapps[.]business/data[.]php?p=form.
Experts noticed that the attackers behind the Meta Pixel spoofing used newly registered domains (NRDs) using HTTPS.
“Given the increasingly evasive tactics employed in skimming campaigns, organizations should ensure that their e-commerce platforms, CMSs, and installed plugins are up to date with the latest security patches and that they only download and use third-party plugins and services from trusted sources,” Microsoft concludes.
(SecurityAffairs – hacking, web skimming attacks)