Magecart Credit-Card Skimmer Adds Telegram as C2 Channel

magecart card skimmer telegram c2

In a rare move, the encrypted messaging service is being used to send stolen payment-card data from websites back to cybercriminals.

The e-commerce card-skimming landscape has a new wrinkle: Cybercriminals affiliated with the Magecart collective are using encrypted messaging service Telegram as a channel for sending stolen credit-card information back to its command-and-control (C2) servers.

That’s according to researchers who pointed out that card-skimmers typically harvest data from online checkout pages and then send the information back to a domain or IP address controlled by the attackers. To collect and transmit the information from these scripts, threat actors typically either stand up their own infrastructure or use compromised resources.

In this case however, according to Jérôme Segura at Malwarebytes, the attackers are using a legitimate platform – which gives the exfiltrated data the benefit of blending in with normal traffic and being harder to detect, according to the researcher. Recent campaigns have shown data like name, address, credit-card number, expiry and CVV being relayed via an instant message sent to a private Telegram channel, Segura wrote, in a Tuesday blog.

Researchers reported that it has seen an uptick in the number of e-commerce sites that are being attacked by Magecart and related groups, either via a common vulnerability or stolen credentials. If a compromise is successful, merchant websites are then injected with a web skimmer, which surreptitiously exfiltrates personal and banking information entered by customers during the online checkout process.

“The digital credit-card skimming landscape keeps evolving, often borrowing techniques used by other malware authors in order to avoid detection,” said Segura. “Telegram is a popular and legitimate instant messaging service that provides end-to-end encryption, [and] a number of cybercriminals abuse it for their daily communications but also for automated tasks found in malware.” He added, “The novelty [here] is the presence of the Telegram code to exfiltrate the stolen data.”

Technical Details

Security researcher @AffableKraut delved into a technical analysis of the Telegram-ready skimmer code late last week, noting that the skimmer has a hardcoded list of input-field names to look for on webpages. After identifying the fields of interest, it uses a “payer()” function to perform the data-exfiltration.

“It first grabs the data by calling getData and then verifies it has address details, trying to find them in another place if it hasn’t yet retrieved them,” he explained, via Twitter. “It then encrypts the data with the public key and runs some Base64-encoded code, which is the actual exfil code, and the interesting part in all of this. To post to Telegram using a bot, all you need is the bot token and a chat to post into.”

Segura added in his blog that the exfiltration is triggered only if the browser’s current URL contains a keyword indicative of being a shopping site and when the user validates the purchase.

“At this point, the browser will send the payment details to both the legitimate payment processor and the criminals,” he explained. “The fraudulent data exchange is done via the use of Telegram’s API and posts the payment details into a chat channel.”

The skimmer’s author also encoded the bot ID and channel as well as the Telegram API request with simple Base64 encoding, Segura said.

“For threat actors, this data exfiltration mechanism is efficient and doesn’t require for them to keep up infrastructure that could be taken down or blocked by defenders,” Segura explained. “They can even receive a notification in real time for each new victim, helping them to quickly monetize the stolen cards in underground markets.”

As for defense, @AffableKraut pointed out that, like many other digital-skimming and Magecart techniques, this approach can be preemptively defeated via a Content Security Policy (CSP). CSP is a web standard that’s meant to thwart certain types of attacks, including cross-site scripting (XSS) and data-injection attacks. CSP allows web admins to specify the domains that a browser should consider to be valid sources of executable scripts. A CSP-compatible browser will then only execute scripts loaded in source files received from those domains.

While CSP is the primary method used by website owners to prevent malicious shadow-code executions like card-skimmers, in this case configuring it it becomes a bit more complicated.

“Defending against this variant of a skimming attack is a little more tricky since it relies on a legitimate communication service,” Segura wrote. “One could obviously block all connections to Telegram at the network level, but attackers could easily switch to another provider or platform (as they have done it before) and still get away with it.”

Attackers have used Telegram to exfiltrate data before, though the mechanism remains a rarity. Last September, a freshly discovered commercial spyware dubbed the “Masad Clipper and Stealer” was found using Telegram bots as its C2 mechanism. Masad harvests information from Windows and Android users and also comes with a full cadre of other malicious capabilities, including the ability to steal cryptocurrency from victims’ wallets.

On Wed Sept. 16 @ 2 PM ET: Learn the secrets to running a successful Bug Bounty Program. Register today for this FREE Threatpost webinar “Five Essentials for Running a Successful Bug Bounty Program“. Hear from top Bug Bounty Program experts how to juggle public versus private programs and how to navigate the tricky terrain of managing Bug Hunters, disclosure policies and budgets. Join us Wednesday Sept. 16, 2-3 PM ET for this LIVE webinar.

Suggested articles