Fraudsters cloak credit card skimmer with fake content delivery network, ngrok server


#1

Fraudsters cloak credit card skimmer with fake content delivery network, ngrok server (Feb 26, 2020)

Threat actors are using content delivery network (CDN) look-alike domains and ngrok to avoid detection of their credit card skimmers, according to researchers at Malwarebytes Labs. The skimmer scripts were made to look like common JavaScript libraries served from a CDN, so that a quick review of the page's script tags would not flag them. When a visitor browses to the checkout page, the skimmer grabs all of the form data, including the payment card details, and sends it to the exfiltration server. In this campaign, the exfiltration server was hosted via ngrok, a service for exposing servers behind network address translation (NAT) and firewalls to the public internet. Tunneling the exfiltration endpoint through ngrok gives the attacker a disposable hostname on the service's shared domain instead of infrastructure registered in their own name, which makes the destination harder to block by reputation.
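The two tells described above, a script host that imitates a real CDN and an outbound connection to an ngrok tunnel, can be checked for mechanically. The following is an added example, not code from the Malwarebytes Labs report or from any skimmer: it audits the hostnames a checkout page loads scripts from and sends requests to (for instance, pulled from a HAR file or proxy log) and flags ngrok suffixes and CDN look-alikes. The CDN allow list, brand tokens, ngrok suffixes and sample URLs are all assumptions constructed for the example; none of the flagged hostnames are indicators from the report.

```javascript
// Added example (not code from the Malwarebytes Labs report or from any real skimmer):
// audit the hosts a checkout page loads scripts from and sends requests to, flagging
// (a) hostnames that end in an ngrok tunnel suffix and (b) hostnames that imitate a
// well-known CDN without being one. The allow list, brand tokens and sample URLs
// below are constructed for this example.

// Assumed allow list of CDN hosts the shop legitimately loads scripts from.
const KNOWN_CDN_HOSTS = [
  'cdnjs.cloudflare.com',
  'code.jquery.com',
  'cdn.jsdelivr.net',
  'ajax.googleapis.com',
  'stackpath.bootstrapcdn.com',
];

// Brand strings a look-alike domain is likely to reuse (e.g. "cdnjs-cloudflare.example").
const CDN_BRAND_TOKENS = ['cdnjs', 'cloudflare', 'jquery', 'jsdelivr', 'googleapis', 'bootstrapcdn'];

// ngrok tunnel hostnames are random labels under the service's shared domains;
// ngrok.io was the suffix in use at the time of the report, the others are newer.
const NGROK_SUFFIXES = ['.ngrok.io', '.ngrok.app', '.ngrok-free.app'];

// Standard Levenshtein edit distance, used to catch one- or two-character typosquats.
function levenshtein(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Classify a single hostname.
function classifyHost(rawHost) {
  const host = rawHost.toLowerCase().replace(/\.$/, '');
  if (KNOWN_CDN_HOSTS.includes(host)) return 'known-cdn';
  if (NGROK_SUFFIXES.some((s) => host.endsWith(s))) return 'ngrok-tunnel';
  // A host that is not on the allow list but reuses a CDN brand, or sits within two
  // edits of a real CDN host, is treated as a look-alike. The brand-token rule is
  // deliberately broad (it will also flag a vendor's own legitimate subdomain), so
  // review hits rather than block on them blindly.
  const reusesBrand = CDN_BRAND_TOKENS.some((t) => host.includes(t));
  const nearMiss = KNOWN_CDN_HOSTS.some((cdn) => levenshtein(host, cdn) <= 2);
  if (reusesBrand || nearMiss) return 'cdn-lookalike';
  return 'other';
}

// Audit a list of URLs observed on the checkout page: script src attributes plus
// the destinations of fetch/XHR/sendBeacon calls, e.g. from a HAR file or proxy log.
function auditResources(urls) {
  return urls.map((url) => {
    try {
      const host = new URL(url).hostname;
      return { url, host, verdict: classifyHost(host) };
    } catch (e) {
      // Anything the URL parser rejects is worth a look too.
      return { url, host: null, verdict: 'unparseable' };
    }
  });
}

// Only the entries an analyst needs to review.
function suspiciousResources(urls) {
  return auditResources(urls).filter((r) => r.verdict !== 'known-cdn' && r.verdict !== 'other');
}

// Constructed sample of what a checkout page's resource list might look like. The
// look-alike and tunnel hostnames are made up for this example, not taken from the report.
const SAMPLE_RESOURCES = [
  'https://cdnjs.cloudflare.com/ajax/libs/jquery/3.4.1/jquery.min.js',
  'https://shop.example/checkout',
  'https://cdnjs-cloudflare.example/ajax/libs/jquery/3.4.1/jquery.min.js',
  'https://ajax.goog1eapis.com/ajax/libs/jquery/3.4.1/jquery.min.js',
  'https://1a2b3c4d.ngrok.io/collect',
];

for (const r of suspiciousResources(SAMPLE_RESOURCES)) {
  console.log(`${r.verdict.padEnd(13)} ${r.url}`);
}
```

On the sample input the script reports the brand-reusing host, the single-character typosquat of a real CDN host and the ngrok tunnel, and leaves the genuine CDN and the shop's own host alone. A one-off audit like this is a stopgap; the durable control is a Content-Security-Policy whose script-src names only the CDN hosts you actually use and whose connect-src names only your own payment endpoints, so a look-alike script never loads and a POST to an ngrok tunnel is refused by the browser.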

Recommendation: eCommerce site owners must take every step necessary to secure their data and safeguard their customers' payment card information; a breach at a retailer site can also mean lost revenue as affected customers take their business elsewhere. Review every third-party script loaded on checkout pages and pin the trusted ones with Subresource Integrity (SRI) hashes, so that a swapped or look-alike script fails to load. Deploy a Content Security Policy (CSP) that restricts script-src to the CDN hosts you actually use and connect-src to your own payment endpoints, which prevents the browser from sending form data to unexpected hosts such as ngrok tunnels. Ensure that your company's firewall blocks all entry points for unauthorized users, and maintain records of how normal traffic appears on your network, so that unusual connections to and from it (for example, a new outbound destination from the checkout page) are easier to spot and investigate. Furthermore, ensure that your employees are educated about the risks of opening attachments, particularly from unknown senders and any attachment that requests macros be enabled.

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.