What is credit card skimming?
Credit card skimming is a technique that consists of using malicious code installed on compromised merchant websites to steal credit card information sent by the website’s customers when they complete online payments.
To deploy it successfully, a few technical steps need to be done. First, the attacker needs to find a merchant website that is vulnerable to different attack techniques and then compromise it. Once the attacker has access to the website’s content, they need to add malicious code to steal the credit card information provided by the unsuspecting customers.
Skimmer as a service: Meet CaramelCorp
Cybercriminals nowadays sell almost any kind of service one might think of. This is where Russian-based credit card skimming service CaramelCorp comes in, as reported by DomainTools.
The threat actor has a significant cybercrime forum presence, screens prospective customers carefully and does not do business with non-Russian speakers. They also refuse to sell their services to inexperienced carders.
For people managing to deal with CaramelCorp, a lifetime subscription to their service is worth $2,000 USD.
SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)
How the skimming service works
CaramelCorp guarantees, although this guarantee has not been verified, that it can bypass certain cybersecurity services from Akamai, CloudFlare and Incapsula, among others, according to DomainTools.
Caramel skimmer uses the setInterval() method, which is common to most other credit card skimmers. This method ensures data exfiltration even for partially completed form fields on the compromised website.
This is useful for cybercriminals, as even targets who decide not to purchase an item during the checkout process will still leak part of their payment data to the attackers.
CaramelCorp also mentions their skimmers can be deployed using a variety of file types to help evade detection.
A management panel allows for the monitoring and management of compromised online merchants. Performance tracking can also be done.
The management panel focuses on minimizing the attack surface by eliminating unnecessary code. A login panel provides access to the cybercriminals who bought the service (Figure A).
Data leak from CaramelCorp
The researchers found that CaramelCorp recommends a very simple method for deployment: Accessing a CMS administration panel from a compromised website and manually adding a simple script (Figure B).
The fraudsters included warnings for behaviors to avoid when deploying as well as recommendations on where to acquire domain names, SSL certificates and VPS servers to run the skimming infrastructure.
How to detect the threat
While the threat is very difficult to detect, it is not impossible.
Permanent web content integrity checks should be done. Content filtering and file monitoring security solutions should be deployed in order to detect any static file change, especially for files containing code like .JS, .PHP and .ASPX files. It is advised that websites monitor all static files for any breaches that could occur.
Newly created files and modified files should be checked immediately if it does not result from a legitimate process within the company.
The web server software itself should always be patched and up-to-date in order to avoid any possible initial compromise from attackers.
It might also be a good idea to hunt for any file on the web server that would contain credit card information, as some skimmers do store the stolen data locally before sending them to the controller. Such detection of credit card information could be done using YARA, for example.
Finally, all usual security measures to protect the web infrastructure should be applied in order to avoid having the website being compromised in the first place. Authentication on any panel or administrator part of the website should only be accessible using multi-factor authentication, and all default credentials, if any, should be removed. Security solutions detecting malware and file threats should also be deployed.
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.