Skimming Attacks Take New Shape as the Popularity of JavaScript Sniffer Threats Grows

The rise in the popularity of online shopping has not only ramped up the businesses of retailers across the world but has also raised security concerns of online shoppers. The infamous Magecart threat actor group, which enjoys the top rank in this aspect, continues to drive such attacks with improved malware and tool kits. The success rate of these attacks has gone to such an extent that an array of new digital skimming threat actor groups have emerged over the past few years.

What’s trending?

  • A new report from Threatpost reveals that there are several threat actor groups that are continually developing and advertising customized payment sniffers over the past six months.
  • These updated malicious JavaScript codes that contain multiple capabilities, along with security enhancements, are readily available for purchase or rent on underground forums for sophisticated actors to script kiddies.
  • One such Russian-speaking threat actor making waves is called ‘Billar’ and is the creator of a payment card sniffer called ‘Mr. SNIFFA’.
  • Advertised for a price of about $3,000, the sniffer package possesses the ability to defeat brute-force and DDoS attacks.
  • Another group of bad actors, which go by the name of Sochi, are developers of a JS sniffer called ‘Inter’ - which is active on forums such as Exploit, Verified, and Club2CRD, since December 2018.

A new digital skimming group runs rampant

  • Along with the rising demand for malicious JScript sniffer code variants, a new group named UltraRank has also emerged in the digital skimming threat landscape.
  • Group-IB research highlights that the group was previously associated with Magecart Groups 2, 5, and 12.
  • The group is responsible for compromising nearly 700 websites and service providers over the last five years using JavaScript sniffer malware.   
  • Unlike other JS sniffer operators that gain monetary benefits by making fraudulent purchases and reselling the stolen card data to third-party vendors, UltraRank has set up its own card shop called ValidCC to sell the stolen data. 

Attack techniques also evolve

Digital skimming attackers have also evolved when it comes to their attack techniques.
  • One Magecart group used a digital skimming toolkit called Saturn to compromise the Braintree-hosted payment form on a European e-commerce site. The toolkit had enabled the attackers to bypass the iframe protection used on the website.
  • A new credit card skimming campaign, detected in August 2020, made use of homoglyph techniques to trick users into visiting websites that used fraudulent domain names and were hard to be noticed by naked eyes.
  • In a different incident, Magecart group 9 had used image file metadata loaded by e-commerce websites to hide their malicious code from security checks.

Final words

The latest trends and attacks clearly indicate that card skimming attacks are here to stay for a long time. In addition to continuing to target payment process systems on vulnerable websites, digital skimming actors are likely to make extra profit by selling customized sniffers on different dark web forums.