Credit card Skimmer targets Microsoft ASP.NET sites

Original Issue Date:- July 16, 2020
Alert Type:-Current Activity
Severity:- Medium

It has been reported that credit card skimming through various e-commerce sites is spreading worldwide. Attackers typically target e-commerce sites because of their wide presence and popularity, and because of their LAMP environment (Linux, Apache, MySQL and PHP). Recently, attackers have targeted sites hosted on Microsoft's IIS server running the ASP.NET web application framework.

It is reported that sports organizations, health and e-commerce websites etc. are the most affected by this attack, and the affected sites were identified as running ASP.NET version 4.0.30319, which is no longer officially supported by Microsoft and may contain multiple known and unknown vulnerabilities.

In this attack, attackers remotely appended obfuscated malicious code to one of the site's legitimate JavaScript libraries, or injected the full skimming code directly into the compromised JavaScript library. The skimmer is designed to exfiltrate credit card numbers as well as passwords.

IOC:

Regex to find ASP.NET skimmer injections:

(jquery\w+\|\|undefined;jquery\w+={1,5}undefined&&)|(!window\.jqv\w+&&\(jqv\w+=function\(a\)\{return)
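The following Python scanner is an added example, not part of the advisory: it applies the regex above to JavaScript sources and reports the line and matched fragment, so that a web server's script directories can be swept for the two injection patterns. The sample JavaScript inside it is constructed for illustration and is not real skimmer code.

```python
import re
from pathlib import Path
from typing import Dict, List, Tuple

# Detection regex published in the advisory above. Alternative 1 matches the
# jquery-prefixed loader stub; alternative 2 matches the jqv* wrapper function.
SKIMMER_RE = re.compile(
    r"(jquery\w+\|\|undefined;jquery\w+={1,5}undefined&&)"
    r"|(!window\.jqv\w+&&\(jqv\w+=function\(a\)\{return)"
)


def find_skimmer_indicators(js_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, matched_snippet) for every hit in a JS source."""
    hits = []
    for lineno, line in enumerate(js_text.splitlines(), start=1):
        for match in SKIMMER_RE.finditer(line):
            hits.append((lineno, match.group(0)))
    return hits


def scan_directory(root: str) -> Dict[str, List[Tuple[int, str]]]:
    """Scan every *.js file under root; return {path: hits} for files with hits."""
    findings = {}
    for path in Path(root).rglob("*.js"):
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file: skip it rather than abort the sweep
        hits = find_skimmer_indicators(text)
        if hits:
            findings[str(path)] = hits
    return findings


# Constructed samples (not real skimmer code): a clean jQuery fallback loader,
# and a file with two synthetic lines shaped like the advisory's two patterns.
CLEAN_JS = "window.jQuery||document.write('<script src=\"/js/jquery.min.js\"><\\/script>');\n"
INJECTED_JS = (
    "var jqueryVer = jQuery.fn.jquery;\n"
    "jqueryxhr||undefined;jqueryxhr===undefined&&(function(){/* ... */})();\n"
    "!window.jqvq&&(jqvq=function(a){return a;});\n"
)

if __name__ == "__main__":
    for lineno, snippet in find_skimmer_indicators(INJECTED_JS):
        print(f"line {lineno}: {snippet}")
```

Point scan_directory at the web root (or the directory holding the site's shared JavaScript libraries) to get a per-file list of hits; a hit identifies the injected library, not the original source of compromise, which still needs to be found and closed.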

Skimmer hosting sites:

  • idpcdn-cloud[.]com
  • joblly[.]com
  • hixrq[.]net
  • cdn-xhr[.]com
  • rackxhr[.]com
  • thxrq[.]com
  • hivnd[.]net
  • 31[.]220[.]60[.]108

Best practices:

  • Use the latest version of the ASP.NET web framework, IIS web server and database server.
  • Apply appropriate updates/patches to the OS and application software as and when they are made available by the OEM.
  • Restrict/deny all access by default and only allow absolutely necessary access.
  • Conduct a complete security audit of the web application, web server and database server periodically and after every major configuration change, and plug the vulnerabilities found.
  • Deploy Security Information and Event Management (SIEM) and/or Database Activity Monitoring (DAM) solutions.
  • Search all websites hosted on the web server, or sharing the same DB server, for malicious web shells or any other artefacts.
  • Periodically check the web server directories for any malicious/unknown web shell files and remove them as and when noticed.
