How is web skimming carried out?
Web skimming attacks are essentially software supply chain attacks: compromising one third-party web component reaches the hundreds or thousands of websites that embed it. Third-party HTML/JavaScript is served from a repository or CDN that the website owner does not control and usually does not verify (Subresource Integrity can pin a hash of the file, but it is rarely used for scripts the vendor updates in place), so attackers go after those third-party servers rather than the shop itself. Once inside, the attacker can modify every library that server delivers; the goal is to inject the skimming code into one of the existing JavaScript files and hide it there, so the library keeps working and nothing looks broken.
When a shopper now opens the site in a desktop or mobile browser, the malicious code is downloaded together with the legitimate third-party code and runs in the shopper's browser. Because the request goes to the third-party server and never touches the shop's own infrastructure, the website owner's server logs contain no trace of the malicious code and show nothing suspicious.
Once the payload runs, the script hooks the page's input fields or form submission, collects credit card numbers and personal data as they are typed, and sends them to a server the criminals control; the data is later sold on the dark web. Checkout and payment pages are the usual targets, since that is where card data is entered. To make matters worse, a skimming infection often stays undetected by the website owner for a long time.
Here are a few of the more unsettling web skimming techniques seen in recent campaigns:
The Gocgle campaign: Security researchers uncovered the Gocgle campaign in 2020, although it had been active since the end of 2019. It is tailored to sites that use Google products such as Google Analytics: the skimmer is loaded from domains whose names mimic Google's, so a quick look at the page's script sources deceives both users and security teams. At the time of writing, the skimmer is likely still active on hundreds of websites.
Pipka: We cannot go on without mentioning Pipka, probably the most notorious JavaScript skimmer of recent years, disclosed by the Visa Payment Fraud Disruption (PFD) team in late 2019. Why is it so dangerous? This inconspicuous skimmer removes its own script element from the page after it has run, so an inspection of the live DOM finds nothing. The nightmare of a real CISO.