A campaign discovered by Malwarebytes Labs in mid-April has lifted credentials from a number of e-commerce portals.
Researchers have identified a credit-card skimming campaign, active since mid-April, with a rather specific and unusual target: ASP.NET-based websites running on Microsoft Internet Information Services (IIS) servers.
The campaign seems to be exploiting an older version of ASP.NET, version 4.0.30319, which is no longer officially supported and contains multiple vulnerabilities, according to the report by Malwarebytes director of threat research Jerome Segura.
“This skimming campaign likely began sometime in April 2020 as the first domain (hivnd[.]net) part of its infrastructure (31.220.60[.]108) was registered on April 10 by a threat actor using a ProtonMail email address,” he wrote in the report.
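The two indicators quoted above (the domain hivnd[.]net and the IP 31.220.60[.]108) are published in defanged form. The following is an added example, not code from the Malwarebytes report or from Threatpost, showing how a defender would refang those indicators and sweep them across proxy or DNS logs; the log lines are constructed for the example and the parsing helpers (`refang`, `load_iocs`, `scan_log`) are hypothetical names, not part of any tool the article mentions.

```python
import re
from ipaddress import ip_address

# Indicators as printed in the article, in defanged form. The article publishes
# only these two; a real threat feed would carry more.
DEFANGED_IOCS = ["hivnd[.]net", "31.220.60[.]108"]

# Constructed sample log lines (not from any real system) mixing DNS and proxy events.
SAMPLE_LOG = [
    "2020-04-28T10:15:02Z dns query shop.example.test A from 10.0.0.5",
    "2020-04-28T10:15:03Z proxy GET https://static.hivnd.net/assets/app.js from 10.0.0.5",
    "2020-04-28T10:15:04Z proxy POST http://31.220.60.108/collect from 10.0.0.5",
    "2020-04-28T10:16:00Z dns query cdn.legit-vendor.example A from 10.0.0.7",
]

DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def refang(indicator: str) -> str:
    """Turn common defanged notation ('[.]', 'hxxp') back into a matchable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def classify(indicator: str) -> str:
    """Return 'ip' for a literal IPv4/IPv6 address, otherwise 'domain'."""
    try:
        ip_address(indicator)
        return "ip"
    except ValueError:
        return "domain"


def load_iocs(defanged: list) -> dict:
    """Refang, normalise to lower case and bucket indicators by type."""
    iocs = {"ip": set(), "domain": set()}
    for item in defanged:
        value = refang(item).lower()
        iocs[classify(value)].add(value)
    return iocs


def scan_line(line: str, iocs: dict) -> list:
    """Return (type, value) hits for every indicator seen in one log line.

    Domains match exactly or as a subdomain of a listed indicator, so
    static.hivnd.net is flagged for the indicator hivnd.net.
    """
    hits = []
    for ip in IP_RE.findall(line):
        if ip in iocs["ip"]:
            hits.append(("ip", ip))
    for name in DOMAIN_RE.findall(line):
        name = name.lower()
        for ioc in iocs["domain"]:
            if name == ioc or name.endswith("." + ioc):
                hits.append(("domain", name))
    return hits


def scan_log(lines: list, iocs: dict) -> list:
    """Return (line_number, line, hits) for every line with at least one hit."""
    results = []
    for number, line in enumerate(lines, start=1):
        hits = scan_line(line, iocs)
        if hits:
            results.append((number, line, hits))
    return results


if __name__ == "__main__":
    for number, line, hits in scan_log(SAMPLE_LOG, load_iocs(DEFANGED_IOCS)):
        print(f"line {number}: {hits}\n    {line}")
```

Subdomain matching matters here: skimmer loaders are routinely served from a hostname under the registered domain, so an exact-string comparison against hivnd.net alone would miss the second sample line.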
Credit-card skimmers do basically what their name suggests—they read and record credit-card details from otherwise legitimate transactions for use by threat actors. The actors behind these campaigns typically bundle the stolen details together and put them up for sale on dark-web forums.
Point-of-sale transactions—such as those at gas-station pumps—are a key target for this type of attack, but basically any web-based commerce transaction in which someone uses a credit card to pay is vulnerable.
Indeed, as this type of scam has been around for some time, security researchers tend to look for it among its typical targets, such as e-commerce content management systems (CMS) like Magento, and plugins like WooCommerce, Segura wrote.
“As defenders, we tend to focus a lot of our attention on the same platforms, in large part because most of the compromised websites we flag are built on the LAMP (Linux, Apache, MySQL and PHP) stack,” he wrote. “It’s not because those technologies are less secure, but simply because they are so widely adopted.”
While ASP.NET is not as popular as PHP, it’s still used among smaller businesses and personal blogs, including many sites that run shopping-cart applications, accounting for “a sizeable market share,” Segura said. It’s those shopping portals that attackers specifically targeted in the campaign, showing that any website that can be “subverted without too much effort is fair game,” he said.
“In some cases, we notice ‘accidental’ compromises, where some sites get hacked and injected even though they weren’t really the intended victims,” Segura wrote.
In the bulk of the new attacks observed, threat actors used several different skimmer styles to harvest not only credit-card data but also passwords, although the password-stealing functionality was incorrectly implemented, Segura said. The change-up in style made the campaign difficult for researchers to pinpoint at first, he said.
Once researchers identified the campaign and affected sites, they contacted the affected parties “in the hope that they would identify the breach and take appropriate actions to harden their infrastructure,” Segura said.
Magento No. 1 in a heavily fragmented market
The online-shop software Magento is the clear number one in an otherwise heavily fragmented market.
That is the finding of a survey by the experts at ecommerceDB.
Software for online shops is tailored to their particular needs. These include, for example, databases of product details, presentation systems and payment interfaces. For the survey, around 12,500 online shops from 50 countries were examined; around 29 percent use Magento. Shopify (8.4 percent) follows in second place at a considerable distance, ahead of Shopware (7.8 percent). The latter vendor owes its strong placing mainly to its popularity in Germany, which is disproportionately well represented in the ranking with more than 3,000 shops.