Credit card skimmers are a constant source of headaches for e-commerce websites, online merchants, financial institutions, and their customers alike. Skimming is a lucrative source of income for threat actors. One such credit card skimming service is gaining popularity among low-skilled threat actors.
Diving into details
Threat intel provider DomainTools discovered a new skimmer-as-a-service offering, Caramel, operated by CaramelCorp, a Russian cybercrime organization. The service is being sold only to Russian-speaking hackers and uses a vetting process to reject those who are inexperienced. The kit includes a skimmer script, a campaign management panel, and deployment instructions.
The lifetime subscription is being sold for $2,000 and offers anti-detection solutions, code upgrades, and complete customer care support to Russian-speaking hackers.
A campaign administration panel enables the malware operator to keep an eye on infected e-stores and manage gateways for stolen data reception.
Why this matters
Credit card skimming has a high success rate and requires less effort than complicated attack vectors, leading to a rise in such activity. The following factors are adding to the growth of this trend among cybercriminals.
E-commerce websites are often vulnerable and easy to detect all at once, and lack dedicated security teams.
Abusing and dumping stolen data is easier and cheaper than other forms of fraud and can build the foundation for targeted attacks in the future.
Skimming attacks can adapt to counter defenses with anti-analysis and sophisticated obfuscation tactics.
The bottom line
Continual marketing and development have made Caramel a popular fixture in the underground market. While card skimming campaigns are nothing new, this skimmer-as-a-service boasts extensive features that remove the barrier to conducting large-scale campaigns. This indicates that skimming campaigns may rise in the future. The way to stay safe is to implement charging limits and prefer online payment systems over cards.