For more than a year, a financially motivated campaign has targeted online payment companies in Asia Pacific, North America and Latin America with web skimmers.
BlackBerry’s research and intelligence team is tracking the activity under the name Silent Skimmer, attributing it to a Chinese-speaking actor. Notable victims include online businesses and point-of-sale (PoS) service providers.
“Campaign operators exploit vulnerabilities in web applications, particularly those hosted on Internet Information Services (IIS),” the Canadian cybersecurity firm said. “Their main goal is to compromise the payment page and steal visitors’ sensitive payment data.”
Following a successful initial foothold, the threat actors leverage multiple open source tools and living-off-the-land (LotL) techniques for privilege escalation, post-exploitation, and code execution.
The attack chain leads to the deployment of a PowerShell-based remote access trojan (server.ps1) that allows remote control of the host, which in turn connects to a remote server hosting additional utilities, including download scripts, reverse proxy servers and Cobalt Strike Beacons.
The ultimate goal of the intrusion, according to BlackBerry, is to infiltrate the web server and place a scraper on the payment service via a web shell and stealthily capture financial information entered by victims on the page.
An examination of the adversary’s infrastructure reveals that virtual private servers (VPS) used for command and control (C2) are chosen based on the geolocation of victims in an effort to evade detection.
The diversity of industries and regions attacked, along with the type of servers attacked, points to an opportunistic campaign rather than a deliberate approach.
“The attacker predominantly focuses on regional websites that collect payment data, exploiting vulnerabilities in commonly used technologies to gain unauthorized access and retrieve sensitive payment information entered or stored on the site,” BlackBerry said.
The revelation comes as Sophos disclosed details of a pig butchering scam in which potential targets, first contacted on dating apps such as MeetMe, are lured into investing in fake cryptocurrency investment schemes, netting the actors millions in illicit profits.
What sets the latest operation apart is the use of liquidity mining lures, which promise users regular income with high rates of return for investing in a liquidity pool, where virtual assets are parked to facilitate operations on decentralized exchanges.
“These scams do not require malware on the target’s device, nor any ‘hacking’ of any kind other than fraudulent websites and social engineering, convincing targets to connect their wallet to an Ethereum smart contract that gives the scammers permission to empty their wallet,” said security researcher Sean Gallagher.
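The permission Gallagher describes is a token approval: the victim signs a transaction that grants a contract an unlimited allowance over their assets. The following is an added example, not code from Sophos or BlackBerry, showing how a wallet or monitoring tool could decode such a transaction and warn on an unlimited approval to a spender outside an allowlist; the sample calldata is constructed and the allowlist is hypothetical.

```python
"""Added example: decode an Ethereum approval transaction and flag the
kind of blanket permission a draining contract asks for. Sample calldata
below is constructed; the spender allowlist is hypothetical."""
from typing import List, Optional

# 4-byte selectors: first four bytes of keccak256 of the function signature
APPROVE = "095ea7b3"               # ERC-20  approve(address,uint256)
SET_APPROVAL_FOR_ALL = "a22cb465"  # ERC-721 setApprovalForAll(address,bool)
UINT256_MAX = (1 << 256) - 1

# Hypothetical: spenders (e.g. an exchange router) the user intends to trust
KNOWN_SPENDERS = {"0x" + "11" * 20}


def encode_approval(selector: str, spender: str, amount: int) -> str:
    """Build ABI calldata (used here only to construct sample transactions)."""
    addr_word = spender.lower().replace("0x", "").rjust(64, "0")
    return "0x" + selector + addr_word + format(amount, "064x")


def decode_approval(calldata: str) -> Optional[dict]:
    """Return None for non-approval calls, else a finding with a risk flag."""
    data = calldata.lower()
    data = data[2:] if data.startswith("0x") else data
    selector, args = data[:8], data[8:]
    if selector not in (APPROVE, SET_APPROVAL_FOR_ALL) or len(args) < 128:
        return None
    spender = "0x" + args[24:64]          # address is right-aligned in word 1
    amount = int(args[64:128], 16)        # uint256 amount or bool in word 2
    if selector == APPROVE:
        kind, unlimited = "erc20-approve", amount == UINT256_MAX
    else:
        kind, unlimited = "erc721-setApprovalForAll", amount == 1
    return {"kind": kind, "spender": spender, "unlimited": unlimited,
            "risky": unlimited and spender not in KNOWN_SPENDERS}


def risky_approvals(calldatas: List[str]) -> List[dict]:
    """Filter a batch of transactions down to the ones a wallet should warn on."""
    return [f for f in map(decode_approval, calldatas) if f and f["risky"]]


# Constructed sample: an unlimited approval to an unknown contract (the scam
# pattern), a bounded approval to a known spender, and a plain transfer.
SAMPLE_TXS = [
    encode_approval(APPROVE, "0x" + "22" * 20, UINT256_MAX),
    encode_approval(APPROVE, "0x" + "11" * 20, 1000),
    encode_approval("a9059cbb", "0x" + "33" * 20, 5),   # transfer(address,uint256)
]

if __name__ == "__main__":
    for f in risky_approvals(SAMPLE_TXS):
        print("WARNING: unlimited approval to unknown spender", f)
```

Only the first sample transaction is reported; a bounded allowance to a known spender and an ordinary transfer pass without a warning.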