Microsoft research reveals the changing face of skimming

Grace Macej 25 May 2022

From exploitation to obfuscation, attackers are flipping the script on what we know about web skimming campaigns.

In a recent report, Microsoft’s 365 Defender Research Team reveals new obfuscation techniques that are changing the face of skimming. By observing recent web skimming campaigns, Microsoft’s security researchers have discovered the latest ways attackers are delivering and hiding skimming scripts.

In the past, attackers typically relied on vulnerability exploitation as their main tactic, conspicuously injecting malicious scripts into e-commerce platforms, like PrestaShop and WordPress, as well as content management systems. New tactics, however, flip the script with obfuscation techniques that confound site administrators and developers.

The report revealed three examples of new skimming techniques:

  • Malicious images
  • Encoded host URLs
  • Spoofed scripts

Malicious images

In one skimming campaign, Microsoft saw two malicious image files uploaded to a Magento-hosted server. This was a means to obfuscate the skimming script by first encoding it in PHP, then in the image file. One of the malicious images with obfuscated script was a favicon, the other a typical web image file.

Encoded host URLs

Another new obfuscation technique discovered by Microsoft’s team involves injecting malicious JavaScript into a webpage. Only once the keyword “checkout” is detected on the target webpage URL is the malicious script activated, fetching the skimming script from the attacker’s domain and then loading a fake checkout form.

Spoofed scripts

Similarly, Microsoft saw web applications become compromised by skimming scripts that attackers had disguised as Google Analytics and Meta Pixel scripts — complete with JavaScript file names to foil detectors.

The changing face of skimming

The goal of web skimming campaigns is to extract customers’ sensitive payment information (for example, credit card information) when they’re shopping online — particularly, when they’re on the checkout page. So when attackers launch web skimming campaigns, they generally target e-commerce platforms and CSMs, such as Magento, PrestaShop, and WordPress. These are popular targets because their ease of use and portability with third-party plugins make them frequent picks for online shops.

Unfortunately, attackers have become skilled craftsmen at taking advantage of the vulnerabilities of these platforms to gain access and inject their skimming scripts—and these third-party plugins have long been one of their main points of entry. In this common method, attackers use vulnerabilities in third-party plugins, themes, or ad networks to inject malicious scripts without the site owner’s knowledge.

So how are things changing?

Before, most malicious JavaScripts injected by attackers were fairly conspicuous. Now, the evidence revealed by Microsoft’s research team shows that attackers are changing their approach to web skimming campaigns by employing newfound obfuscation techniques that confuse and evade developers.

From exploitation to obfuscation

Consider the example of the malicious images, specifically, the favicon. Here, the attackers are doing something different when it comes to injecting their scripts. Rather than focusing on the loading of external scripts, they’re targeting the server side, which allows them to effectively skirt traditional browser protections, such as the Content Security Policy (CSP).

Spoofing scripts like Google Analytics and Meta Pixel is another novel way to circumvent traditional means of detection. Under this guise, attackers can gain entry by appearing non-malicious and fooling site administrators and developers.

With these new campaigns, it’s clear that the tides are turning when it comes to skimming.

No longer are attackers relying on simply exploiting vulnerabilities. Now, they’re using highly sophisticated techniques to cloak their skimming scripts in fake legitimacy and confound developers.

Attackers have changed — now, we need to

Web skimming campaigns are bad news for everyone.

For customers, it can mean stolen payment information and even compromised credentials. And for organizations who fall victim to web skimming campaigns, they can not only suffer financial losses but also bruise their reputation and lose customer trust.

As Microsoft’s new report proves, attackers are only gaining traction in their quest to deceive site administrators and developers and prey on vulnerable customers with new obfuscation techniques that evade conventional means of defense.

What can be done to stay one step ahead of the attackers?

What organizations can do

To protect their customer base, their reputation, and their finances, organizations need more comprehensive security measures that can compete with crafty attackers. But even as they keep up with modern techniques, it’s still important to keep all the bases covered.

This starts with ensuring that all downloaded third-party plugins only come from credible sources. E-commerce platforms and CSMs should also always be up to date with the latest security patches. On top of that, site administrators should regularly patrol their web assets for any signs of compromised or suspicious-looking content.

What customers can do

As organizations ramp up their security precautions, customers should also consider what they can do to protect themselves from new web skimming techniques.

For one, they should always double-check that their browser sessions are secure. This is especially important once they reach the checkout page while shopping, as this is where most web skimming attackers set their traps. And as always, customers should be on the lookout for suspicious-looking pop-up windows, particularly if those pop-up windows ask for payment details.