Malicious Skimmer Code Piggybacks on Other Hackers' Code
Researchers Uncover the Tale of 2 Skimmers
Malwarebytes researchers have uncovered unusual payment card skimming code designed to harvest data that is already being stolen by other hackers on a website.
"We have seen threat actors - and skimmers in particular - compete before, but not exactly in the same manner," says Jérôme Segura, director of threat intelligence at Malwarebytes.
Malwarebytes found this unusual second layer of malicious code in the online checkout function of the French site for Costway, which sells furniture and appliances in North America and Europe.
Costway appears to be one of many e-commerce sites around the world that are still running an older version of Adobe's Magento software despite warnings from the software company to move to an updated version of the content management system, the Malwarebytes report notes.
A Tale Of 2 Skimmers
Costway’s French, German, Spanish and British sites appear to have been targeted by the first skimmer in the fall of 2020, when other companies’ sites running Magento 1 software were also compromised, according to the report.
At some point, a second skimmer was injected onto the already hacked French Costway site from a domain called "securityxx[.]top." "The second skimmer did not seem to have the same level of access to the compromised platform as the first one, which might be one reason for the piggyback approach," the researchers say.
"It's possible that the two threat actors' level of access to e-commerce sites differs," according to Malwarebytes. The initial hack in the fall of 2020 exploited a core vulnerability that granted the attackers root access, while the group behind the second hack appears able to perform only specific types of injections. "If that is the case, this would explain why they simply leave the fake form alone and grab credentials from it," the report states.
Even when Costway upgraded to a new platform, the hackers wielding the second skimmer were prepared with other code that would compromise that content management system as well, the report notes.
"The [second] skimmer creates its own form fields which closely resemble the legitimate ones from the Adyen payments platform that Costway uses," according to Malwarebytes. "Visually, only a very small style change (font size) gives it away, but there are more significant implications under the hood."
From there, the hackers could continue to harvest payment card data, the report says.
A spokesperson for Costway was not immediately available for comment.
The increase in competition among cybercriminal gangs may be why one group decided to piggyback on the work of another, according to the report.
"The skimming space today is different than it was a few years ago," Segura says. "More threat actors are ranging from mere copycats to advanced attackers. Ultimately, that means we're going to see increased competition and specific measures put in place to guarantee exclusivity."
And while the Costway site is the only known example of this approach so far, Segura suspects other sites have been targeted and compromised with the same code.