Attackers take over expired domain to deliver web skimming scripts
Attackers have taken over at least one expired domain that used to host a popular JavaScript library and used it to deliver web skimming scripts to a number of e-commerce sites.
“The victim websites had years to remove the dead link that was leveraged by attackers but didn’t – likely due to a lack of visibility about third-party scripts running on their websites and poor security hygiene,” Jscrambler researchers noted.
A new attack technique
The attackers acquired the domain tracker.web-cockpit[.]jp, which belonged to a free web marketing and analytics service that was discontinued in December 2014.
The original JavaScript library was called Cockpit and it was replaced with a malicious web skimming script. Jscrambler researchers told Help Net Security that the attackers made no attempt to make it look like the original script or disguise it in any other way.
The old Cockpit script was loaded by another script placed on e-commerce websites. Depending on the referrer header value, which indentifies the webpage from where it is fetched, the domain would serve either no script, a default skimmer, or a specific skimmer.
The default skimmer would run on the Order and Register webpages and would grab any input, select and textarea elements available on the page, but also inject a credit card submission form to grab more info.
The specific skimmer was a custom fake version of the legitimate Google Analytics script, capable of grabbing email and payment card info.
“By re-registering the defunct domain and configuring it to distribute malicious code, the attackers were able to compromise over 40 e-commerce websites. Data collected from the sites was encoded, encrypted and then sent to an exfiltration server based in Russia,” the researchers found.
Cleaning up
The malicious domain is still up and though it’s returning an empty page, the favicon (website logo in the page title) contains a copy of one of the skimmers.
The researchers notified the owners of the sites affected by this attack. Some – but not all! – removed the script fetching the skimmers.
“One of the e-commerce sites was aware that the third-party script was compromised. Instead of removing it, they added a small notice to the payment page,” they noted, and posited that the site owners perhaps could not remove the offending script because they are using a website generator service or a Content Management System (CMS) that includes it by default.
The warning on the payment page (Source: Scrambler)
In other spotted attacks, the crooks compromised the e-commerce sites and injected the Google Analytics lookalike script into their Checkout page.
The researchers told Help Net Security that they do not have sufficient evidence to attribute any of these attacks to a known Magecart group.