A massive skimming campaign, allegedly carried out by a Chinese-speaking hacker, has been terrorizing North and Latin America for more than a year.
In the most recent period, in particular, thefts of credit card numbers through e-commerce sites appear to be on the rise in Canada and the United States. In fact, since May 2023, partly thanks to a vulnerability in web applications, this skimming attack has taken hold in the northern part of the continent, targeting unfortunate victims during online purchases.
BlackBerry researchers discovered the campaign and are tracking it under the code name “Silent Skimmer”. In a blog post this week, the researchers described the operation as technically complex and likely involving a very experienced threat actor.
That said, skimming attacks are certainly nothing new. A large collection of hacker groups that researchers have been tracking for years as Magecart has, in fact, successfully stolen payment card data belonging to hundreds of millions of online shoppers around the world.
In many of these attacks, threat actors targeted vulnerabilities in third-party software components and plug-ins and inserted code designed to steal data. Hundreds of thousands of e-commerce sites have fallen victim to Magecart attacks in recent years, including those of British Airways, Ticketmaster, Newegg and many others.
Skimming attacks against e-Commerce exploit a vulnerability in Microsoft’s IIS servers
The Silent Skimmer operators opportunistically exploited vulnerabilities in web applications to gain initial access to e-commerce and similar sites. Many of these sites are hosted on Microsoft’s Internet Information Services (IIS) web server software.
One of the vulnerabilities the threat actor exploited in the campaign is CVE-2019-18935, a critical remote code execution bug in Telerik UI, a suite of web development tools and components from Progress Software. Among the groups that have used the bug in their campaigns are the Chinese group Hafnium and the Vietnamese group known as CAR.
If write permissions are enabled on the target web service, the exploit loads a malicious DLL into a specific directory. The DLL then initiates a sequence of steps that leads to the installation of skimming malware on the website.
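The two conditions described above (a web process that can write to its own directories, and a freshly dropped DLL) are both things an IIS administrator can check for directly. The following PowerShell audit is an added example written for this article; it is not code from BlackBerry’s report or from the campaign. It assumes the WebAdministration module is available, that the site name and lookback window passed as parameters are the ones you want to audit, and that the app pool runs under the default “IIS AppPool\<name>” virtual account.

```powershell
# Added example (not from the BlackBerry report): audit an IIS site's content
# directory for write access granted to the worker-process identity, and list
# DLLs created there recently. Site name and lookback window are assumptions.
param(
    [string]$SiteName = "Default Web Site",   # assumption: site to audit
    [int]$Days = 7                             # assumption: lookback window in days
)

Import-Module WebAdministration

$site = Get-Website -Name $SiteName
if (-not $site) { throw "Site '$SiteName' not found" }

$root = [Environment]::ExpandEnvironmentVariables($site.physicalPath)
$pool = $site.applicationPool

# Identities under which the web process typically acts. The app pool virtual
# account is the default; the broad groups are included because they are often
# granted rights by mistake and would give the same write capability.
$watched = @("IIS APPPOOL\$pool", "BUILTIN\IIS_IUSRS", "Everyone", "BUILTIN\Users")
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write

Write-Host "Site '$SiteName' root: $root (app pool: $pool)"
Write-Host "--- Directories writable by the web process ---"

# 1. Walk every directory under the site root and report Allow ACEs that grant
#    any write bit to one of the watched identities.
Get-ChildItem -Path $root -Directory -Recurse -ErrorAction SilentlyContinue |
  ForEach-Object {
    $acl = Get-Acl -Path $_.FullName
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $watched -contains $ace.IdentityReference.Value -and
            ($ace.FileSystemRights -band $writeMask)) {
            [pscustomobject]@{
                Directory = $_.FullName
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
  } | Format-Table -AutoSize

Write-Host "--- DLLs created in the last $Days day(s) ---"

# 2. A normal deployment rarely drops new binaries one at a time, so any DLL
#    created inside the site root recently deserves a closer look.
$since = (Get-Date).AddDays(-$Days)
Get-ChildItem -Path $root -Filter *.dll -File -Recurse -ErrorAction SilentlyContinue |
  Where-Object { $_.CreationTime -gt $since } |
  Select-Object FullName, CreationTime, Length |
  Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt on the IIS host (for example `.\Audit-IisSite.ps1 -SiteName "Shop" -Days 14`). An empty first table is the desired state: the worker process should be able to read site content but not write to it. Anything in the second table should be matched against the deployment’s known artifacts before it is assumed benign.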
Although this operation does not appear to be active in Europe at the moment, security experts remain vigilant in monitoring how the campaign evolves.