Web-Skimming Attack Compromises Dozens of Sites

By ISBuzz Team
Writer, Information Security Buzz | Dec 08, 2022 02:03 am PST

Jscrambler has uncovered a web-skimming campaign that has been running for at least one year. According to the security provider, the operation has compromised over 40 e-commerce sites. A gang known as “Group X” is behind the campaign and is accused of transferring stolen card information to a website in Russia. The hackers broke into the targeted websites using a supply-chain strategy. According to Jscrambler, the hackers took advantage of Cockpit, a JavaScript package that provided free online marketing and analytics services. The service was reportedly suspended in December 2014.

According to Jscrambler, webmasters frequently keep outdated files like these on their websites because they lack understanding of third-party code. Threat actors may exploit dead links that are still retained in libraries. Security teams frequently lack access to the third-party code that is running on their websites, making it impossible for them to determine whether it is compromised. In this instance, the hackers got hold of the domain name that previously hosted the library and used it to serve a skimming script at the same URL. The compromise of the websites resulted from the domain being re-registered and reconfigured.

Attack Technique

The attackers purchased the domain name that was used to host the library and used it to deliver a web-skimming script at the same URL. Over 40 e-commerce websites were compromised by attackers who were able to deploy malicious code by re-registering the expired domain.

Vendor Claimed

The vendor claimed that failing to take down outdated libraries like these from websites frequently results in vulnerable dead links. Poor security procedures and a lack of understanding of third-party code are to blame, it was claimed.

According to Jscrambler, “the majority of security teams don’t have access into this third-party code that is running on their website. They don’t know if it’s functioning as it should or improperly — whether mistakenly or deliberately.”
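As an added example (not from Jscrambler or the original article), the following sketch shows one way a site owner could inventory the third-party scripts a page loads and flag forgotten references of the kind described above. The sample HTML, the hosts, the `APPROVED_HOSTS` inventory and the issue labels are all constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page; every host is a placeholder under the reserved .example TLD.
SAMPLE_HTML = """
<script src="/static/app.js"></script>
<script src="https://cdn.vendor.example/lib.min.js"
        integrity="sha384-CONSTRUCTED-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="//analytics.retired.example/tracker.js"></script>
<script src="http://widgets.vendor.example/w.js"></script>
"""
# Hypothetical inventory: third-party hosts the team has reviewed and still relies on.
APPROVED_HOSTS = {"cdn.vendor.example", "widgets.vendor.example"}


class ScriptCollector(HTMLParser):  # collects (src, integrity) for each <script src=...>
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        attributes = dict(attrs)
        if tag == "script" and attributes.get("src"):
            self.scripts.append((attributes["src"], attributes.get("integrity")))


def audit_scripts(html, page_url, approved_hosts):
    """Return [(absolute_url, [issues])] for third-party scripts needing attention."""
    collector = ScriptCollector()
    collector.feed(html)
    page_host = urlparse(page_url).hostname
    findings = []
    for src, integrity in collector.scripts:
        url = urljoin(page_url, src)  # resolves relative and protocol-relative src
        parsed = urlparse(url)
        if parsed.hostname == page_host:
            continue  # first-party script, out of scope for this check
        issues = []
        if parsed.hostname not in approved_hosts:
            issues.append("host-not-in-inventory")  # possibly a forgotten dependency
        if not integrity:
            issues.append("no-sri")  # browser runs whatever this URL serves
        if parsed.scheme != "https":
            issues.append("insecure-scheme")
        if issues:
            findings.append((url, issues))
    return findings

if __name__ == "__main__":
    print(audit_scripts(SAMPLE_HTML, "https://shop.example/checkout", APPROVED_HOSTS))
```

A host flagged `host-not-in-inventory` is the case the article describes: a script reference left in place after the service behind it has gone. Where a script carries an `integrity` attribute, the browser refuses to run content that no longer matches the pinned hash.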

Paul Bischoff, Privacy Advocate
InfoSec Expert
December 8, 2022 11:07 am

These attacks demonstrate why website and app administrators need to stay on top of all the third-party extensions and libraries they use. Cockpit, the vulnerable library, was discontinued 8 years ago. Failure to remove it is a result of either negligence or ignorance. Developers and admins need to put in place policies to regularly check for unused or deprecated third-party code.

End users have no way to discern whether a website contains card skimming code. Card skimmers are inserted into the code of otherwise trusted websites, so your web browser assumes the skimmer is supposed to be there. The only defense is to use a temporary virtual credit card number so your card can’t be used in future fraudulent transactions. You can request a virtual credit card number from most credit card issuers, or through some payment apps like Apple Pay.
