Credit-Card Skimmer Has Unlikely Target: Microsoft ASP.NET Sites

point of sale malware

A campaign discovered by Malwarebytes Labs in mid-April has lifted credentials from a number of e-commerce portals.

Researchers have identified a credit-card skimming campaign that’s been active since mid-April that has a rather specific and unusual target: ASP.NET-based websites running on Microsoft Internet Information Services (IIS) servers.

New research from Malwarebytes Labs recently uncovered the campaign, which already has compromised at least a dozen websites that range from sports organizations, health and community associations, and a credit union — all via a malicious code injected into existing JavaScript libraries on each of the sites.

The campaign seems to be exploiting an older version of ASP.NET, version 4.0.30319, which is no longer officially supported and contains multiple vulnerabilities, according to the report by Malwarebytes director of threat research Jerome Segura.

“This skimming campaign likely began sometime in April 2020 as the first domain (hivnd[.]net) part of its infrastructure (31.220.60[.]108) was registered on April 10 by a threat actor using a ProtonMail email address,” he wrote in the report.

In most cases, attackers were seen injecting the skimming code directly into the compromised JavaScript library of the affected site, though in some cases it was loaded remotely, he said in the report. In the latter instance, attackers loaded the skimmer from the remote domain thxrq[.]com.

Credit-card skimmers do basically what their name suggests—they read and record credit-card details from otherwise legitimate transactions for use by threat actors. The actors behind these campaigns typically will put up these details bundled together for sale on dark-web forums.

Point-of-sale transactions—such as those at gas-station pumps — are a key target for these type of attacks, but basically any web-based commerce transaction in which someone uses a credit card to pay is vulnerable.

Indeed, as this type of scam has been around for some time, security researchers tend to look for it among its typical targets, such as e-commerce content management systems (CMS), such as Magento, and plugins like WooCommerce, Segura wrote.

“As defenders, we tend to focus a lot of our attention on the same platforms, in large part because most of the compromised websites we flag are built on the LAMP (Linux, Apache, MySQL and PHP) stack,” he wrote. “It’s not because those technologies are less secure, but simply because they are so widely adopted.”

While ASP.NET is not as popular as PHP, it’s still used among smaller businesses and personal blogs, including many sites that run shopping-cart applications, accounting for “a sizeable market share,” Segura said. It’s those shopping portals that attackers specifically targeted in the campaign, showing that any website that can be “subverted without too much effort is fair game,” he said.

“In some cases, we notice ‘accidental’ compromises, where some sites get hacked and injected even though they weren’t really the intended victims,” Segura wrote.

In the bulk of the new attacks observed, threat actors used several different styles to look for not only credit-card data but also passwords, although the latter functionality was incorrectly implemented, Segura said. The change-up in style made the campaign difficult for researchers to pinpoint at first, he said.

Once researchers identified the campaign and affected sites, they contacted the affected parties “in the hope that they would identify the breach and take appropriate actions to harden their infrastructure,” Segura said.

BEC and enterprise email fraud is surging, but DMARC can help – if it’s done right. On July 15 at 2 p.m. ET, join Valimail Global Technical Director Steve Whittle and Threatpost for a FREE webinar, “DMARC: 7 Common Business Email Mistakes.” This technical “best practices” session will cover constructing, configuring, and managing email authentication protocols to ensure your organization is protected. Click here to register for this Threatpost webinar, sponsored by Valimail.




Suggested articles


Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.