Payment Card-Skimming Campaign Expands to North America

September 18, 2023

A threat actor fluent in Chinese, who has been skimming credit card details from ecommerce sites and point-of-sale service providers in the Asia/Pacific region for over a year, has started targeting similar entities in North and Latin America. This adversary has been exploiting vulnerabilities in web applications to gain access to various sites, focusing in particular on payment pages, where it drops malware to steal card numbers.

BlackBerry researchers have identified this campaign as 'Silent Skimmer,' describing it as technically complex and likely involving an advanced or experienced threat actor. Card-skimming attacks are not new; hacking groups collectively known as Magecart have been stealing payment card data from hundreds of millions of online shoppers globally for years.

These threat actors often target vulnerabilities in third-party software components and plugins, injecting card-skimming code into them. Silent Skimmer's operator has been exploiting vulnerabilities in web-facing applications for initial access to websites. Many of the targeted sites were hosted on Microsoft's Internet Information Services (IIS) Web server software.

The threat actor has exploited a critical remote code execution bug, CVE-2019-18935, in Telerik UI, a suite of components and web development tools from Progress Software. This bug has been previously used by China's Hafnium group and Vietnam's XE Group. If the targeted web service has write permissions enabled, the exploit uploads a malicious dynamic link library (DLL) to a specific directory, initiating a sequence of steps that leads to the installation of malware for skimming credit and debit card data on the website.
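As an added defender-side example, not taken from the BlackBerry report or this article, the Python below parses IIS W3C logs and flags POST requests to the Telerik RadAsyncUpload handler, the request path through which CVE-2019-18935 is exploited; the log lines are constructed. Legitimate uploads also pass through this handler, so hits are triage leads to correlate with unexpected DLL writes under the web application, not a verdict on their own.

```python
"""Flag IIS W3C log entries consistent with CVE-2019-18935 exploitation attempts.

The sample log below is constructed; its '#Fields:' header follows the IIS W3C layout.
"""
from collections import Counter
from dataclasses import dataclass

# CVE-2019-18935 is reached through Telerik's RadAsyncUpload handler:
# a POST to Telerik.Web.UI.WebResource.axd carrying the query parameter type=rau.
TELERIK_HANDLER = "/telerik.web.ui.webresource.axd"

SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2023-09-01 10:00:01 10.0.0.5 GET /index.aspx - 443 198.51.100.7 200
2023-09-01 10:00:05 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd type=rau 443 198.51.100.7 200
2023-09-01 10:00:09 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 198.51.100.7 200
2023-09-01 10:00:10 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 198.51.100.7 200
2023-09-01 10:01:00 10.0.0.5 GET /checkout/payment.aspx - 443 203.0.113.9 200
"""


@dataclass
class Hit:
    timestamp: str
    client_ip: str
    status: str


def parse_iis_log(text):
    """Yield one dict per log record, keyed by the names in the '#Fields:' header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # header names, minus the '#Fields:' token
            continue
        if line.startswith("#") or not line.strip():
            continue
        values = line.split()
        if fields and len(values) == len(fields):
            yield dict(zip(fields, values))


def find_rau_posts(text):
    """Return POSTs to the RadAsyncUpload handler (the CVE-2019-18935 request shape)."""
    return [
        Hit(f"{rec['date']} {rec['time']}", rec["c-ip"], rec["sc-status"])
        for rec in parse_iis_log(text)
        if rec["cs-method"].upper() == "POST"
        and rec["cs-uri-stem"].lower() == TELERIK_HANDLER
        and "type=rau" in rec["cs-uri-query"].lower()
    ]


def repeat_clients(hits, threshold=2):
    """Client IPs with at least `threshold` handler POSTs; bursts merit a closer look."""
    counts = Counter(h.client_ip for h in hits)
    return sorted(ip for ip, n in counts.items() if n >= threshold)
```

Run against real logs, a hit should be checked against the IIS application's temp and upload directories for newly written DLLs, which is the step the article describes following the exploit.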

BlackBerry researchers have noted the threat actor using multiple separate tools for privilege escalation, along with a remote access tool, a remote code execution exploit, a malware stager/downloader, and a tool for post-exploit activities. The operator of Silent Skimmer has also relied on a variety of legitimate open source tools, binaries, and scripts in many of its attacks.

The threat actor behind Silent Skimmer has demonstrated technical skill by adjusting its command-and-control (C2) infrastructure based on the geolocation of its victims. The threat actor has used virtual private servers (VPS), often on Microsoft's Azure platform, as C2 servers for new targets. Each C2 server is usually online for less than a week and is typically located in the same region or country as the victim, ensuring that traffic to and from the compromised servers blends in with normal traffic.
