14/06/2021

How is Web Skimming Executed?

Web skimming attacks are essentially software supply chain attacks that can reach hundreds or thousands of websites using the exploited third-party web application.

Since third-party HTML/JavaScript code is delivered to the website from a completely different repository that the website owner does not have any control over (and can’t possibly monitor directly), hackers target these very third-party web servers. This gives the attacker unauthorized access to all third-party libraries. It’s then all about injecting the skimming code into one of the existing JavaScript files and hiding it.

Now, when a website user/customer opens the website in a browser or a mobile device, the malicious code gets downloaded to the user’s browser along with the legitimate third-party code. Since the malicious code is downloaded from the third-party servers, the website owner does not have any logs or indications that show the existence of the malicious code or even something suspicious is happening.

After the payload is executed, the script starts harvesting payment card numbers and personal information of any user data being entered and sends it to the cybercriminals, which is later sold on the dark web. The most common targets – checkout and payment pages on websites. To make matters worse, web skimming exploits often continue to linger for long periods of time before they are discovered by the website owner.

Here are just a couple of “scary” web skimming techniques used recently:

  • The Gocgle Campaign – Security researchers exposed the Gocgle campaign in 2020, which has essentially been active starting late 2019, just like the COVID-19 pandemic. This malicious campaign has been tailored around Google products like G-Analytics and uses the uncanny naming similarity to trick users and security teams alike. This skimmer is probably still active on hundreds of websites.
  • Pipka – We can’t possibly continue without mentioning the Pipka exploit, probably the most notorious JavaScript skimmer in recent memory, which was exposed by the Visa Payment Fraud Disruption (PFD) team in late 2019. Why is it so dangerous? This stealthy skimmer has the dangerous ability of removing itself from the HTML code after the execution was complete. A true CISO’s nightmare.
Discover and prevent it with Reflectiz. Contact us for a demo

Subscribe to our Blog

Get the latest Cyber Security news and content