Digital Skimmers How crooks are spying on your online shopping

by Rommel Joven

What is a digital skimmer

Agenda

• Overview

• Stealthworker Malware

• Kinds of Digital skimmers

• Underground Market

Overview

Online shoppers Compromised store

Underground market Fraudulent transactions

1 2

3

4

5

monetization

• Exploiting a vulnerability in the website’s e-commerce platform

• Compromising third party tool/script used by the target

• Cross site scripting

• Obtaining administrative account by phishing email or brute force attack(e.g Stealthworker malware)

Compromising a site

Stealthworker Malware

• First seen February 2019

• Written in Golang

• Runs on Windows, Linux, and ARM

• Brute force attacks on e-commerce platforms and services

• Identify the target’s e-commerce platform

Stealthworker

Open Directory Stealthworker

New Folder

main_init()

Earliest version: v1.50 Latest version: v3.11

Function Purpose

*_check_* used to identify and verify the service that the target is running

on (e.g. Stealthworker_WorkerMagento_check_init)

*_brut_* used to perform the brute force attack on the target

(e.g. Stealthworker_WorkerJoomla_brut_init)

*_finder_* used to find a specific service or file on the target

(e.g. Stealthworker_Worker_FileFinder_init)

Stealthworker Functions

Network communication

/project/active magentoBrt;

bot

C2 server

/gw?worker=magentoBrt

*send targets for brute force

/storage *open directory*

• MagentoBrt

Brute force Job

worker

job

Targeted services and platforms Brute force workers Check workers

Bitrix24 bitrixBrt bitrixChk

cPanel cp_b cpanelChecker/cp_chk

Drupal drupalBrt drupalChk

FTP ftp_b ftpChk

Basic Authentication htpasswdBrt htpasswdChk

Joomla joomlaBrt joomlaChk

Magento magentoBrt magentoChk

MySQL mysql_b X

OpenCart OCartBrt OCartChk

PhpMyAdmin phpadmin/php_b phpadminChecker/php_chk

Portainer pbrt X

PostgreSQL postgres_b X

Qnap qnapBrt qnapChk

SSH ssh_b X

Synology synoB X

WHM whm_b whmChecker/whm_chk

Wordpress wpBrt wpChk

WooCommerce X Woo

Brute force and check worker

Monitoring

/project/active magentoBrt;

Controlled bot

C2 server

/gw?worker=magentoBrt

*send targets for brute force

/storage/ *open directory*

• 200+ samples

• 45 C2s

• 98M+ jobs

• 38M+ unique targeted hosts

• 23 different versions

Summary of findings

Top workers

Kinds of Digital Skimmers

• Server-side skimmer

– Undetectable if you don’t have access to the server

– Written in php

• Client-side skimmer

– Injected malicious script in the website

– Written in JavaScript

Kinds of digital skimmers

• lib/Varien/Autoload.php

Server-side skimmer

source: Sucuri

Client-side skimmer

Client-side skimmer

Client-side skimmer

Client-side skimmer

Client-side skimmer

Underground Market

Underground Market

Underground Market

Underground Market

@gwillem

@ydklijnsma

@jeromesegura

@unmaskparasites

@jspchc

Special thanks to:

@rommeljoven17

rjoven@fortinet.com

ありがとうございました