Payment card-skimming malware targeting 4 sites found on Heroku cloud platform

04/12/2019

Payment card skimmers have hit four online merchants with help from Heroku, a cloud provider owned by Salesforce, a researcher has found.

Heroku is a cloud platform designed to make things easier for users to build, maintain, and deliver online services. It turns out the service also makes things easier for crooks to run skimmers that target third-party sites. On Wednesday, Jérôme Segura, director of threat intelligence at security provider Malwarebytes, said he found a rash of skimmers hosted on Heroku. The hackers behind the scheme not only used the service to host their skimmer infrastructure and deliver it to targeted sites. They also used Heroku to store stolen credit-card data. Heroku administrators suspended the accounts and removed the skimmers within an hour of being notified, Segura told Ars.

This is not the first time cloud services have been abused by payment card skimmers. In April, Malwarebytes documented similar abuse on GitHub. Two months later, the security provider reported skimmers hosted on Amazon S3 buckets. Abusing a cloud provider makes good sense from a crook's point of view: it is often free, saves the hassle of registering look-alike domain names, and delivers top-notch availability and bandwidth.

“We will likely continue to observe Web skimmers abusing more cloud services as they are a cheap (even free) commodity they can discard when finished using it,” Segura wrote in Wednesday’s post.

In an email, Segura documented four free Heroku accounts hosting scripts that targeted four third-party merchants. They were:

  • stark-gorge-44782[.]herokuapp[.]com used against shopping site correcttoes[.]com
  • ancient-savannah-86049[.]herokuapp[.]com/configration.js used against panafoto[.]com
  • pure-peak-91770[.]herokuapp[.]com/intregration.js used against alashancashmere[.]com
  • aqueous-scrubland-51318[.]herokuapp[.]com/configuration.js used against amapur[.]de

Besides setting up the Heroku accounts and deploying the skimmer code and data-collection systems, the scheme required compromising the websites of the targeted merchants through means that are currently unknown (although some of the sites were running unpatched Web apps). Attackers then injected a single line of code into each compromised site: a script tag that loaded JavaScript hosted on Heroku. That script watched the current page for the keyword "checkout," which it stored Base64-encoded as "Y2hlY2tvdXQ=" so that a simple search of the script for the word would not find it.

When the keyword was detected, the malicious JavaScript loaded an iframe that skimmed the payment-card data and sent it, Base64-encoded, to the Heroku account. The iframe rendered a fake payment form as an overlay on top of the legitimate one, and the fake looked identical to the real form. Below are three screenshots that show the scheme in action:

[Screenshot: The exfiltration mechanism]
[Screenshot: The iframe used]
[Screenshot: The fake payment form]

Segura said that Web searches suggest that the skimmers were hosted on Heroku for about a week. He wasn’t the only one to notice them.

Another one on @heroku

hxxps://stark-gorge-44782.herokuapp[.]com/integration.js. Fake form in an iframe. Data goes to hxxps://stark-gorge-44782.herokuapp[.]com/config.php?id= pic.twitter.com/Xa1F2z1Z1a

— Denis (@unmaskparasites) December 2, 2019

It's not easy for the average end user to detect skimmers like the ones Segura has documented. Once the card data is exfiltrated, users receive an error message instructing them to reload the page, but these types of errors happen often enough on legitimate sites that they wouldn't be an obvious sign of fraud. And in any event, by the time the message appears, the card has already been compromised. More advanced users who want to know if they were affected can check their logs or Web caches for the four Heroku links listed above.
