[AVAR 2019] Digital Skimmers: How Crooks are Spying on your Online Shopping

Over the past year, there has been a surge in highly targeted credit card skimming attacks, hitting Ticketmaster, British Airways, Newegg and many more e-commerce sites of small and medium-sized businesses that have been silently breached. These recent high-profile compromises made it apparent that digital skimmers are a major threat not only to online stores but also to shoppers.

In this presentation, we will cover in detail the cycle of digital skimmers, which involves collaborating with bruteforcer malware services such as StealthWorker to acquire compromised websites. We begin with the methods attackers use to compromise insecure e-commerce websites, and with the malware named StealthWorker. This malware is a Content Management System (CMS) bruteforcer written in Golang and built to infect both Linux and Windows machines. Its discovery was timely: it came at a time when attacks on e-commerce were rising, and the malware was linked to a compromised e-commerce website that served a skimmer. We will look at how we use automation to monitor StealthWorker and gather important information, such as its targets and its continuous development.

Next, we will share the skimmers' evolution and interesting campaigns, including a recent one, operating for the past year, for which we were able to get the logs of around 185,000 credit card details obtained by the crooks.

We will then discuss the skimmers themselves, the malicious JavaScript responsible for stealing the payment information, focusing on the two main skimmers being sold underground: JS sniffer and Inter. We will share the different techniques the crooks use to deceive unaware customers into entering their credit card details, and how each skimmer exfiltrates this information.

The talk will conclude with best practices for protecting ourselves online and ways to mitigate this kind of attack.