Crafty Web Skimming Domain Spoofs “https”
Earlier today, KrebsOnSecurity alerted the 10th largest food distributor in the United States that one of its Web sites had been hacked and retrofitted with code that steals credit card and login data. While such Web site card skimming attacks are not new, this intrusion leveraged a sneaky new domain that hides quite easily in a hacked site’s source code: “http[.]ps” (the actual malicious domain does not include the brackets, which are there to keep readers from being able to click on it).
This crafty domain was hidden inside the checkout and login pages for grandwesternsteaks.com, a meat delivery service owned by Cheney Bros. Inc., a major food distributor based in Florida. Here’s what a portion of the login page looked like until earlier today when you right-clicked on the page and selected “view-source”:
Viewing the HTML source for the malicious link highlighted in the screenshot above reveals the obfuscated card-skimming code, a snippet of which is pictured below:
A simple search on the malicious domain “http[.]ps” at HTML search service publicwww.com shows this code is present on nearly a dozen other sites, including a music instrument retailer, an herbal pharmacy shop in Europe, and a business in Spain that sells programmable logic controllers — expensive computers and circuit boards designed to control large industrial operations.
The http[.]ps domain is hosted in Russia, and sits on a server with one other malicious domain — autocapital[.]pw. According a Mar. 3 Twitter post by security researcher and blogger Denis Sinegubko, the autocapital domain acts as a collector of data hoovered up by the http[.]ps skimming script.
Jerome Segura over at Malwarebytes recently wrote about a similar attack in which the intruders used http[.]ps to spoof the location of a script that helps improve page load times for sites that rely on Web infrastructure firm Cloudflare.
“There is a subtle difference in the URI path loading both scripts,” Segura wrote. “The malicious one uses a clever way to turn the domain name http.ps (note the dot ‘.’ , extra ‘p’ and double slash ‘//’) into something that looks like ‘https://’. The threat actors are taking advantage of the fact that since Google Chrome version 76, the “https” scheme (and special-case subdomain “www”) is no longer shown to users.”
Segura says there are two ways e-commerce sites are being compromised here:
Malwarebytes assesses that the tricks this domain uses to obfuscate the malicious code are tied to various site-hacking malware campaigns dating back to 2016. By the way, an installation of Malwarebytes on a test machine used for this investigation blocked the http[.]ps script from loading on each of the compromised sites I found.
Finally, the “.ps” bit of the malicious skimming domain refers to the country code top-level-domain (ccTLD) for the State of Palestine. The domain was registered on Feb. 7.
If you run an e-commerce Web site, it would be a great idea to read up on leveraging Content Security Policy (CSP) response headers and Subresource Integrity security features offered by modern Web browsers. These offer mitigation options to prevent your site from being used in these card skimming attacks. Ryan Barnett at Akamai penned a comprehensive blog post on these approaches not long ago that is well worth reading [full disclosure: Akamai is an advertiser on this site].
I’ve been playing recently with privacy.com, which among other things offers a free service that allows users to generate a unique, one-time credit card number for each online transaction (privacy.com makes money from the interchange fees paid by merchants). The beauty of this approach is if your credit card details do get swiped by one of these site skimmers, you won’t have to change your credit card information at dozens of other sites and services you frequent.