Credit card skimming on the rise for the holiday shopping season
(Posted: November 14, 2023 by Jérôme Segura at Malwarebytes website)
As we head into shopping season, customers aren’t the only ones getting excited. More online shopping means more opportunities for cybercriminals to grab their share using scams and data theft.
One particular threat we’re following closely and expect to increase over the next several weeks is credit card skimming. Online stores are not always as secure as you might think they are, and yet you need to hand over your valuable credit card information in order to buy anything.
When a merchant website is hacked, any purchase made has the potential of being intercepted by bad actors. Often, the malicious code is right underneath the surface and yet completely invisible to shoppers.
One particular skimming campaign we have been following picked up the pace drastically in October after a lull during the summer. With hundreds of stores compromised, you may come across it if you shop online on a regular basis.
The Kritec campaign
We first discovered this credit card skimming operation back in March 2023, as it stood out from the rest due to its large volume. The threat actors were also taking the time to customize their skimmer for each victim site with very convincing templates that were even localized in several languages.
The experience was so smooth and seamless that it made it practically impossible for online shoppers to even realize that their credit card information had just been stolen.
Threat actors ramp up their activity just in time for the holiday season
In April this skimming campaign reached a peak and then slowed down during the summer. However it came back, increasing to its highest volume in October. We measured this activity based on the number of newly registered domain names attributed to this threat actor.
The infrastructure is located on the IT WEB LTD network (ASN200313) registered in the British Virgin Islands.
How to shop safely online
If you are shopping online, and especially via smaller merchants (i.e. not Amazon, Walmart, etc), you absolutely need to be extra careful. Unless you are able to perform a full website audit yourself, you simply can’t be sure that the platform hasn’t been compromised.
Having said that, if the website looks like it hasn’t been maintained in a while (for example it is displaying outdated information, such as ”Copyright 2018′), poor grammar, or blurry icons you probably should stay away from it. Most compromises happen because a website’s content management system (CMS) and its plugins are outdated and vulnerable. If it “feels” funny use caution. Try to go directly to the website instead of clicking a link to it.
There are tools that can also detect malicious code embedded into websites. Most antivirus products offer some kind of web protection that detects malicious domains and IP addresses. But because threat actors are constantly swapping their infrastructure, it is also a good idea to have some kind of heuristic detection for things like malicious JavaScript snippets.
We are also publishing a list of the infrastructure that includes domains we had previously not seen but obtained via retrohunting, so that those can be included in community blocklists ingested by third-party products.
Kritec domains (a small sample of the many domains)
oumymob[.]shop
nujtec[.]shop
lavutele[.]yachts
tochdigital[.]pics
gemdigit[.]pics
vuroselec[.]quest
bereelec[.]quest
psyhomob[.]sbs
antohub[.]shop
Malwarebytes Premium offers web protection and is complemented by the Malwarebytes Browser Guard extension for more advanced in-browser detection. I use Malwarebytes personally and am not compensated for this article.