Credit card skimming off e-commerce’s sites is so prevalent that two groups of the same cyber gang encountered each other in the same operation, however one has come out worse for wear.
The two groups encountered each other on the Umbro Brasil website, a popular sportswear brand and site where customers can purchases sporting gear. Both groups hacked the site and injected their own credit card skimming code into it.
However, in a sign of just how ruthless cybercriminals can be, one group’s skimming code is designed to sabotage the code belonging to any competitors.
Both groups are using MageCart affiliated web-skimming code and tactics, leading researchers to believe that they are part of the same gang.
Everything one group of hackers did in this attack looks like a normal day out for the threat actors, but Malwarebytes researcher Willem de Groot identified a cheeky twist in the second attackers code.
Essentially the second group’s code was designed to detect if another skimmer was operating on the website. If it successfully finds another active skimmer it starts to intercept the card details been captured by its competitor in order to change the last digit of each credit card number.
This act serves two functions, firstly the more sophisticate group has tainted the credit details of its rival, while also ensuring that what they stole is the only valid version of the credit card details.
Secondly, because these card details are no longer legitimate their sale on the blackmarket will result in brand damage for the group trying to sell them.
Malwarebytes Lsbs researcher Jérôme Segura commented in a blog post that: “By tampering with the data, the second skimmer can send an invalid but almost correct credit card number to the competing skimmer. Because only a small part of it was changed, it will most likely pass validation tests and go on sale on black markets. Buyers will eventually realize their purchased credit cards are not working and will not trust that seller again.”
RiskIQ and industry risk intelligence experts Flashpoint commented in a report on the group that: “Though it has evolved over the years, tailored by other groups to better fit their needs, the basic elements of the skimmer are still in use.”
Then a second skimmer was detected on the website that was loaded from g-statistic[.]com, this skimmer however was very much obfuscated.
“The following code snippet shows how certain domain names trigger this mechanism. Here we recognize bootstrap-js[.]com, which is the first skimmer. Then, a random integer ranging from 0 to 9 is generated for later use. Finally, the credit card number is stripped of its last digit and the previously generated random number is used,” notes Jérôme Segura.
The fact that two skimmers were active on the site and that one was sophisticated enough to mess with its competitor goes to show how serious and prevalent the issue of online card skimming is.
With the busy online shopping events of black Friday and cyber Monday just days away IT departments need to be extra vigilant for any unusual activity on their websites. While consumers need to be in a position to react quickly when, not if, their credit cards become compromised due to an online skimming campaign.