Web Skimming
Web skimming, often referred to as "Magecart attacks" or "e-skimming," is a sophisticated form of cybercrime specifically designed to steal sensitive user information from legitimate websites. It primarily targets e-commerce sites and other online platforms where users input personal and financial data, such as credit card numbers, billing addresses, login credentials, and personal identification information (PII).
Here's a detailed breakdown of how web skimming works in the context of cybersecurity:
1. The Goal: The primary objective of web skimming is to covertly capture data that users enter into online forms, particularly during the checkout process on e-commerce sites. This stolen data is then used for fraudulent transactions, identity theft, or sold on dark web markets.
2. Attack Mechanisms and How it Works:
Target Identification: Attackers begin by identifying vulnerable websites. They often focus on e-commerce sites due to the high volume of payment transactions that occur on these sites. They look for weaknesses in:
The website's code.
Its content management system (CMS) (e.g., Magento, WordPress, PrestaShop).
Third-party services or plugins used by the website (e.g., analytics scripts, advertising integrations, payment gateways, video hosting services).
The network of a supplier connected to the site (supply chain attacks).
Gaining Access: Once a vulnerability is identified, attackers exploit it to gain unauthorized access. This can involve:
Exploiting known software vulnerabilities (including zero-day vulnerabilities).
Brute-forcing administrative credentials.
Phishing campaigns targeting employees to obtain credentials.
Compromising cloud storage containers (like Amazon S3 buckets) or GitHub repositories with misconfigured permissions or exposed API keys.
Injection of Malicious Code (Skimmer): After gaining access, attackers inject malicious JavaScript code, commonly referred to as a "skimmer," into the website's pages. This code is often:
Highly Obfuscated: To avoid detection by blending in with legitimate scripts or appearing benign.
Dynamically Loaded: It may only activate under specific conditions, such as when a user accesses a checkout page or interacts with specific form fields.
Hidden: It can be embedded in various places, including image files (using PHP calls), 404 error pages, or even within legitimate third-party scripts.
Data Capture: When a user visits the compromised website and enters their information into a form (e.g., credit card details), the malicious script activates. It "listens" for user input and captures the data in real-time as it's typed, even if the user doesn't submit the form. This is often referred to as "formjacking."
Data Exfiltration: The captured data is then secretly packaged and transmitted to a server controlled by the attackers. This transmission is frequently disguised to look like legitimate network traffic or is encrypted to evade detection by security measures.
Persistence and Evasion: Advanced skimmers may include mechanisms to maintain persistence on the infected site, spread laterally to other parts of the web infrastructure, or incorporate anti-debugging techniques to hinder analysis.
3. Key Characteristics:
Client-Side Attack: Unlike many attacks that target server-side vulnerabilities, web skimming executes in the user's browser, making it harder to detect using traditional server-side security measures.
Stealthy Operation: The attack is often invisible to both the user and the website owner, operating in the background without altering the website's appearance or functionality.
Targeted Forms: It specifically targets forms where users enter sensitive personal or financial information.
4. Real-World Examples:
Some of the most well-known web skimming attacks, often attributed to the "Magecart" cybercriminal groups, include:
British Airways (2018): Over 380,000 credit card details were stolen from customers using the website and mobile app. The attackers modified existing JavaScript to skim payment information.
Ticketmaster (2018): A third-party vendor used by Ticketmaster was compromised, leading to the injection of malicious JavaScript into the checkout page and the theft of customer payment information.
Newegg: This e-commerce giant was also a victim, with Magecart injecting malicious scripts to steal payment details.
Supply Chain Attacks: Attackers are increasingly targeting service providers (e.g., advertising platforms, analytics services) that supply code to numerous e-commerce merchants. By compromising one such provider, they can inject skimmers into numerous client websites simultaneously.
5. Impact:
The consequences of web skimming attacks are severe:
For Individuals: Financial loss, credit card fraud, identity theft.
For Businesses: Damaged reputation, loss of customer trust, significant financial and legal repercussions (e.g., GDPR fines).
6. Prevention:
Defending against web skimming requires a multi-layered approach:
Keep Software Updated: Regularly update and patch all website software, including CMS, plugins, and third-party libraries, to address known vulnerabilities.
Use Secure Connections (HTTPS): Encrypt traffic between the user's browser and the website to prevent interception.
Implement Web Application Firewalls (WAFs): WAFs can help block malicious traffic and detect suspicious behavior.
Regular Security Audits and Penetration Testing: Proactively identify and fix vulnerabilities.
Client-Side Security Solutions: Use tools that monitor and analyze client-side scripts for suspicious behavior and unauthorized data exfiltration.
Content Security Policy (CSP): Implement CSP to define which domains are allowed to serve JavaScript and other resources, blocking unauthorized scripts.
Subresource Integrity (SRI): Use SRI to verify that resources fetched from third-party servers have not been tampered with.
Monitor Website Codebase: Regularly review the website's code for any unauthorized changes.
Secure Third-Party Integrations: Carefully vet and monitor the security of all third-party services and plugins.
PCI DSS Compliance: For e-commerce sites, adhering to PCI DSS requirements is crucial, especially the newer versions that address client-side security.
Use Hosted Checkout Solutions: Consider using fully hosted checkout solutions, where customers enter their payment details on a separate page hosted by a secure payment processor.
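The CSP and SRI controls listed above can be checked mechanically. The following is an added example (not code from the original page): it parses a constructed checkout page, checks each external script's origin against the policy's script-src source list, flags cross-origin scripts that carry no integrity attribute, and verifies a fetched vendor script body against its SRI hash. Hosts, the policy, and the script bodies are all hypothetical; the CSP matcher is deliberately simplified to 'self', scheme://host and *.host sources.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse
def sri_hash(body, algo="sha384"):
    # SRI integrity value for a resource body: "<algo>-<base64 digest>"
    return f"{algo}-{base64.b64encode(hashlib.new(algo, body).digest()).decode()}"

def sri_matches(body, integrity):
    # True if a fetched body matches any hash listed in the integrity attribute
    return any(sri_hash(body, tok.split("-", 1)[0]) == tok for tok in integrity.split())

# Constructed sample (hypothetical hosts): first-party script, SRI-pinned vendor script, unpinned script from an origin the CSP never allowed
VENDOR_BODY = b"window.track = function (e) {};"
PAGE_ORIGIN = "https://shop.example.com"
CSP = "default-src 'self'; script-src 'self' https://cdn.vendor.example"
SAMPLE_HTML = f"""
<script src="/static/checkout.js"></script>
<script src="https://cdn.vendor.example/analytics.js"
        integrity="{sri_hash(VENDOR_BODY)}" crossorigin="anonymous"></script>
<script src="https://static.unknown-cdn.example/lib.min.js"></script>
"""

class ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.scripts = []  # attribute dict of every <script> tag seen
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append(dict(attrs))

def script_src_sources(csp):
    # Source list of the script-src directive, empty if the policy has none
    for directive in csp.split(";"):
        parts = directive.split()
        if parts[:1] == ["script-src"]:
            return parts[1:]
    return []

def host_allowed(src, sources, page_origin):
    # Simplified CSP matching: handles 'self', scheme://host and *.host sources
    url = urlparse(src if "://" in src else page_origin + src)
    if "'self'" in sources and f"{url.scheme}://{url.netloc}" == page_origin:
        return True
    for source in (s for s in sources if not s.startswith("'")):
        host = urlparse(source if "://" in source else f"{url.scheme}://{source}").hostname or ""
        if host == url.hostname or (host.startswith("*.") and url.hostname.endswith(host[1:])):
            return True
    return False

def audit(html, csp, page_origin):
    # Findings a reviewer looking for skimmer loaders on a checkout page would want
    collector = ScriptCollector()
    collector.feed(html)
    sources = script_src_sources(csp)
    findings = []
    for attrs in collector.scripts:
        src = attrs.get("src")
        if src is None:
            continue  # inline scripts need a nonce or hash unless 'unsafe-inline' is set
        if not host_allowed(src, sources, page_origin):
            findings.append((src, "origin not allowed by script-src"))
        if "://" in src and "integrity" not in attrs:
            findings.append((src, "cross-origin script without SRI"))
    return findings
```

Run against the sample, audit() reports the unknown-cdn script twice (origin not in the policy, no SRI) and nothing for the first-party or pinned vendor scripts; sri_matches() is what a build step or monitor would use to confirm the vendor file still matches the pinned hash.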
ThreatNG is a comprehensive solution designed to manage external attack surface, protect against digital risks, and provide security ratings. It offers a robust set of capabilities that directly address the challenges of web skimming by providing external discovery, in-depth external assessment, continuous monitoring, detailed reporting, powerful investigation modules, and extensive intelligence repositories.
External Discovery: ThreatNG performs purely external, unauthenticated discovery, meaning it gathers information without needing any internal connectors or credentials. This outside-in perspective is crucial for identifying assets and potential vulnerabilities that an attacker could see and exploit. For web skimming, this capability would uncover all web applications, subdomains, and associated cloud or SaaS services that an organization uses, which might be targeted for malicious code injection.
External Assessment: ThreatNG's external assessment capabilities are powerful in identifying susceptibilities that could be exploited in web skimming attacks:
Web Application Hijack Susceptibility: ThreatNG analyzes parts of a web application accessible from the outside world to identify potential entry points for attackers. This includes detailed domain intelligence. For web skimming, this means ThreatNG can assess how easily an attacker could inject malicious scripts into your web application by identifying misconfigurations or vulnerabilities on exposed web pages.
Subdomain Takeover Susceptibility: ThreatNG evaluates this by analyzing a website's subdomains, DNS records, and SSL certificate statuses. A compromised subdomain can be used to host malicious skimming code or redirect users to phishing sites, making this assessment vital.
BEC & Phishing Susceptibility: This is derived from sentiment and financials, domain intelligence (including domain name permutations and Web3 domains), and dark web presence (compromised credentials). While not a direct web-skimming vector, phishing can be a precursor, as attackers may use stolen credentials (obtained through phishing) to gain initial access to a web server and plant skimmers. ThreatNG's ability to detect compromised credentials on the dark web helps identify if an organization's employee credentials, which could be used to access web servers, have been exposed.
Data Leak Susceptibility: This assessment is based on cloud and SaaS exposure, dark web presence (compromised credentials), and domain intelligence. If sensitive code or credentials used for website management are exposed in cloud services or code repositories, it increases the risk of a web skimming attack.
Cyber Risk Exposure: ThreatNG considers certificates, subdomain headers, vulnerabilities, and sensitive ports to determine cyber risk exposure. An exposed sensitive port or a vulnerability in a web server could be an entry point for an attacker to inject skimming code.
Code Secret Exposure: ThreatNG discovers code repositories and investigates their contents for sensitive data. This includes a wide range of access credentials like API keys (Stripe, Google OAuth, AWS, etc.), access tokens (Facebook), generic credentials (username and password in URI), cloud credentials (AWS Access Key ID, Secret Access Key), and security credentials (cryptographic private keys). Exposed secrets in code repositories, such as those for payment gateways or content management systems, could be used by attackers to directly inject web skimming code into a website's backend or frontend. For example, if an AWS Access Key ID and Secret Access Key are exposed, an attacker could potentially access S3 buckets hosting website assets and inject malicious JavaScript directly.
Cloud and SaaS Exposure: ThreatNG evaluates sanctioned and unsanctioned cloud services and SaaS solutions, as well as open exposed cloud buckets. Many e-commerce sites use cloud-hosted resources or SaaS platforms for various functionalities. If these are misconfigured or exposed, they can become vectors for web skimming. For instance, an open, exposed AWS S3 bucket could contain static website files that an attacker modifies to include skimming code. ThreatNG identifies the presence of various SaaS implementations, such as Salesforce, Slack, Splunk, and ServiceNow, which, if compromised, could potentially be used to deliver or manage web skimmers if an organization uses them for content delivery or web development.
Mobile App Exposure: ThreatNG evaluates how exposed an organization's mobile apps are by discovering them in marketplaces and checking for sensitive contents like access credentials (e.g., Amazon AWS Access Key ID, APIs, Artifactory API Token, GitHub Access Token, Google API Key, Stripe API Key), security credentials (e.g., PGP private key block, RSA Private Key, SSH DSA Private Key), and platform-specific identifiers (e.g., Amazon AWS S3 Bucket, Firebase, GitHub). While primarily focused on mobile apps, the discovery of exposed APIs or other credentials could indicate broader security issues that might also impact web applications, making them susceptible to skimming attacks if shared credentials are used.
Reporting: ThreatNG offers a diverse range of reports, including Executive, Technical, Prioritized (High, Medium, Low, and Informational), Security Ratings, Inventory, Ransomware Susceptibility, U.S. SEC Filings, and External GRC Assessment Mappings (e.g., PCI DSS). For web skimming, prioritized reports would highlight critical vulnerabilities that could lead to script injection, such as exposed administrative interfaces or misconfigured cloud buckets, enabling organizations to focus their resources on the most pressing risks. The inventory reports would help identify all web assets that need protection.
Continuous Monitoring: ThreatNG continuously monitors an organization's external attack surface, digital risk, and security ratings. This constant monitoring is vital for web skimming detection, as attackers often inject skimmers stealthily, and new vulnerabilities can emerge or configurations can change. Ongoing monitoring ensures that any new or re-emerging skimming risks are quickly identified.
Investigation Modules: ThreatNG offers powerful investigation modules to deep dive into discovered risks:
Domain Intelligence: This module provides a domain overview (including Microsoft Entra Identification and Bug Bounty Programs), DNS intelligence (domain record analysis, domain name permutations, Web3 domains), email intelligence (security presence and harvested emails), WHOIS intelligence, and subdomain intelligence.
Subdomain Intelligence: This is particularly relevant, as it identifies HTTP responses, analyzes headers (including security and deprecated headers), server technologies, cloud hosting, e-commerce platforms, CMS, and content identification (e.g., Admin Pages, APIs, Development Environments, and JavaScript). For example, if ThreatNG identifies an outdated e-commerce platform or a publicly accessible development environment, these could be prime targets for skimmer injection. It also detects sensitive ports, such as SQL Server, MySQL, and PostgreSQL, which, if exposed, could lead to database compromises and subsequently, web skimming.
Sensitive Code Exposure: This module discovers public code repositories and uncovers digital risks within them, including various access credentials, security credentials, and configuration files. For example, if an organization accidentally exposes a GitHub repository containing a Stripe API Key or PayPal Braintree Access Token, an attacker could use these to impersonate the organization's payment system or directly inject skimming code by gaining access to related platforms.
Cloud and SaaS Exposure: This module identifies sanctioned and unsanctioned cloud services, cloud service impersonations, and open exposed cloud buckets (AWS, Azure, GCP). It also lists various SaaS implementations. ThreatNG would flag an open AWS S3 bucket that contains website assets, as an attacker could modify this to inject a web skimmer. Similarly, if an organization uses a vulnerable or misconfigured content management SaaS solution identified by ThreatNG, it becomes a potential target for attack.
Search Engine Exploitation: This helps users investigate an organization's susceptibility to exposing sensitive information via search engines, including errors, potential sensitive information, and susceptible files. Discovering publicly indexed robots.txt files that expose shopping cart directories or API directories could guide an attacker to sensitive areas for web skimming.
Archived Web Pages: This module analyzes archived web pages for sensitive content like API files, JavaScript files, login pages, and emails. If a previous version of a website archived by ThreatNG contains a vulnerability or sensitive information that was later removed, it could still provide attackers with insights for a web skimming attack.
Intelligence Repositories (DarCache): ThreatNG's intelligence repositories provide crucial context for understanding and mitigating web skimming risks:
Compromised Credentials (DarCache Rupture): This repository tracks compromised credentials. If administrative credentials for a website or its associated services are found here, it's a direct indicator of potential compromise leading to web skimming.
Vulnerabilities (DarCache Vulnerability): This includes NVD, EPSS, KEV (Known Exploited Vulnerabilities), and verified Proof-of-Concept (PoC) exploits. This intelligence helps prioritize vulnerabilities that are actively being exploited and have a higher likelihood of being weaponized for attacks, such as web skimming. For example, if a CVE related to a commonly used e-commerce platform has a verified PoC exploit in DarCache eXploit, ThreatNG would highlight this as a critical risk.
Synergies with Complementary Solutions:
While ThreatNG provides an all-in-one solution, it can synergize effectively with other security tools to enhance a holistic cybersecurity posture against web skimming:
Security Information and Event Management (SIEM) Systems: ThreatNG's continuous monitoring and detailed reports on external attack surface changes, digital risks, and compromised credentials can be integrated into a SIEM system. This enables correlation with internal logs and events, providing a more comprehensive view of potential web skimming attempts that may involve both external reconnaissance and internal system access. For example, suppose ThreatNG identifies a new, exposed sensitive port on a web server, and the SIEM detects unusual login attempts on that server. In that case, the combined intelligence strengthens the detection of a targeted attack.
Endpoint Detection and Response (EDR) Solutions: ThreatNG's focus on external risks complements EDR by providing early warnings of potential compromise. If ThreatNG identifies an exposed sensitive code repository containing credentials, and those credentials are later used in an attack that bypasses perimeter defenses, an EDR solution on an employee's machine might detect suspicious activity related to that credential use, such as an attempt to access internal web servers or development environments.
Incident Response Platforms: When ThreatNG identifies a high-severity web application hijack susceptibility or a discovered compromised credential on the dark web, this information can automatically trigger playbooks within an incident response platform. This ensures a rapid and coordinated response, such as initiating forensic analysis on the affected web server or forcing password resets for exposed accounts, thereby minimizing the window of opportunity for a web skimmer.
Vulnerability Management Platforms: ThreatNG's DarCache Vulnerability provides a wealth of information, including NVD, EPSS, KEV, and PoC exploits. This can enhance a traditional vulnerability management platform by prioritizing external-facing vulnerabilities that are highly likely to be exploited in attacks such as web skimming. For instance, if ThreatNG identifies an actively exploited vulnerability (KEV) in a web application's underlying technology stack, this information can be imported into a vulnerability management platform to prioritize its remediation over other, less critical vulnerabilities.
Examples of ThreatNG Helping with Web Skimming:
Detecting Hidden Skimmers: ThreatNG's continuous monitoring would detect unauthorized changes to website scripts or the presence of new, obfuscated JavaScript files, even if they are dynamically loaded only on checkout pages. This might appear as a change in the "Web Application Hijack Susceptibility" score.
Identifying Vulnerable Third-Party Scripts: By analyzing subdomain intelligence, ThreatNG can identify third-party scripts or integrations used on a website. If a vulnerability is found in one of these (e.g., an outdated analytics script), ThreatNG would flag it as a potential entry point for a web skimmer.
Pinpointing Exposed Credentials: If ThreatNG's Code Secret Exposure uncovers a developer's API key for a payment gateway that has been accidentally committed to a public GitHub repository, it immediately highlights a critical risk. This API key could be used by an attacker to directly inject malicious code or alter payment processing, leading to web skimming.
Prioritizing Patches: ThreatNG's DarCache Vulnerability identifies known exploited vulnerabilities (KEV) relevant to an organization's technology stack. If an e-commerce platform has a KEV that allows for remote code execution, ThreatNG would prioritize this for immediate patching, directly mitigating a common web skimming vector.
Uncovering Supply Chain Risks: ThreatNG's Supply Chain & Third-Party Exposure capabilities analyze vendor technologies from DNS and subdomains. If a compromised advertising network or analytics provider, which supplies code to the organization's website, is identified, ThreatNG would highlight this supply chain risk, as these are common vectors for web skimming.
By leveraging its comprehensive external perspective, ThreatNG provides deep insights into an organization's susceptibility to web skimming attacks, enabling proactive detection, assessment, and mitigation.