loader gif

Operators revamp the IceID trojan to steal payment card data from e-commerce sites

Operators revamp the IceID trojan to steal payment card data from e-commerce sites
  • A new technique named two-step injection attack is used to target the e-commerce vendors in the US.
  • A commercial inject panel known as Yummba’s ATSEngine is abused to deploy injection and collect stolen data from victims.

The operators behind the IceID banking trojan have revamped the operations of the malware and are now using it to target the e-commerce vendors in the US. In the campaign, the malware grabs the credentials and payment card details of victims instead of their banking information.

According to Limor Kessem, Global Executive Security Advisor of IBM Security, this e-tailer attacks began in November 2018 and is executed using a new technique named two-step injection attack - designed to steal access credentials and payment card data from victims. This new attack model was discovered by IBM Security during its on-going analysis of IceID.

About the IceID trojan

The IceID first came to the light in September 2017. It features resembles with other banking trojans such as TrickBot and Gozi. It typically targets banks, payment card providers, mobile services providers, payroll, webmail and e-commerce sites. The malware’s authors primarily use the IceID to perform cyber espionage against organizations in the US and Canada.

Among the other capabilities, IceID can also be used to launch different types of attack. This includes “web injection, redirection and proxy redirection of all victim traffic through a port it listens on.”

Researchers claim that the distribution and infection tactics of the malware are not new.

“It has infected users via the Emotet Trojan since 2017 and in test campaigns launched in mid-2018, also via TrickBot. Emotet has been among the most notable malicious services catering to elite cybercrime groups from Eastern Europe over the past two years,” said researchers at IBM Security in a blog post.

ATSEngine panel leveraged for the attack

The attackers use a commercial inject panel known as Yummba’s ATSEngine to deploy injection and collect stolen data from victims.

“A web-based control panel, ATSEngine works from an attack/injection server, not from the malware’s command-and-control (C&C) server. It allows the attacker to orchestrate the injection process, update injections on the attack server with agility and speed, parse stolen data, and manage the operation of fraudulent transactions,” researchers added.

Researchers noted that the only specific brands in the e-commerce sphere are targeted in the attack. The webinjection attack is deployed by injecting malicious JavaScript and HTML code into the infected user’s browser. Once these targeted sites are opened, the malicious code downloads the IceID trojan and automatically grabs the victims’ payment card details.

loader gif