Security researchers recently detected an online skimming campaign that employed numerous obfuscation techniques to evade detection. The threat actors disguised the skimming script by encoding it in PHP, which was then placed in an image file; as a result, the code is executed when a website's index page is loaded.
Web skimming refers to the illegal practice of gathering financial information from website users during the checkout process. Crooks insert the skimming script into the e-store page by exploiting vulnerabilities in e-commerce platforms and CMSs. In rare circumstances, attackers can inject malicious scripts by exploiting vulnerabilities in installed third-party plugins and themes.
Attackers were also seen masquerading as Google Analytics and Meta Pixel (formerly Facebook Pixel) scripts to avoid raising suspicion.
Inside a faked Google Tag Manager snippet, the attackers include Base64-encoded text; decoded, it yields trafficapps[.]business/data[.]php?p=form.
Experts discovered that the perpetrators behind the Meta Pixel spoofing used newly registered domains (NRDs) served over HTTPS.
They also include,
Given the increasingly deceptive strategies used in skimming schemes, organizations should verify that their e-commerce platforms, CMSs, and installed plugins are up to date with the latest security updates, and that they only download and utilise third-party plugins and services from reputable sources.