Hackers Hide Web Skimmer Inside A Website’s CSS Files


Over the past two years, cybercrime groups have used quite an assortment of tricks to hide credit card stealing code (also known as web skimmers or Magecart scripts) in various locations of an online store in order to avoid detection.

In the past, web skimmers have been found inside images such as those used for site logos, favicons, and social media networks; appended to popular JavaScript libraries like jQuery, Modernizr, and Google Tag Manager; or hidden inside site widgets like live chat windows.

The latest of these odd places is, believe it or not, CSS files.

CSS stands for cascading style sheets. Browsers load CSS files to get the rules, written in the CSS language, for styling a web page’s elements.

These files usually contain code describing the colors of various page elements, the size of the text, padding between various elements, font settings, and more.

Web skimmer gang experiments with CSS

However, CSS is not what it was in the early 2000s. Over the past decade, the CSS language has grown into an incredibly powerful utility that web developers now use to create elaborate animations with little to no JavaScript.

One of the recent additions to the CSS language was a feature that would allow it to load and run JavaScript code from within a CSS rule.

Willem de Groot, the founder of Dutch security firm Sanguine Security (SanSec), told ZDNet today that this CSS feature is now being abused by web skimmer gangs.


De Groot says that at least one group is using malicious code added inside CSS files to load skimmers on online stores that record payment card data when users are completing checkout forms.

“It was […] a fairly standard keystroke logger,” de Groot told ZDNet when we asked him to describe the code he found today.

“It seems to have been taken offline in the last hour, since our tweet,” he added.

“We found a handful of victim stores with this injection method,” the SanSec founder also told ZDNet.

“However, the infrastructure has been in place since September and was previously used for several dozen more traditional attacks. This CSS disguise looks like a recent experiment.”
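
A defender-side check for the kind of injection described above, added here as an example and not code from SanSec or ZDNet: it lists every absolute or protocol-relative URL found anywhere in a stylesheet whose host is not on the store's allowlist. The allowlist, the `audit_css` name and the sample stylesheet are constructed assumptions; the article does not describe the malicious rule's exact syntax.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts this store's stylesheets legitimately reference.
ALLOWED_HOSTS = {"shop.example", "fonts.googleapis.com", "fonts.gstatic.com"}

# Absolute or protocol-relative URLs anywhere in the sheet: url(...), @import,
# quoted strings, custom-property values and comments alike.
URL_RE = re.compile(r"""(?:https?:)?//[^\s'"()<>;}]+""", re.IGNORECASE)

# Constructed sample: line 3 holds a host the store does not use.
SAMPLE_CSS = """\
@import url("https://fonts.googleapis.com/css?family=Roboto");
.logo { background: url(https://shop.example/img/logo.png); }
:root { --track: "//cdn-metrics.example/c.js"; }
.btn { color: #fff; }
"""


def audit_css(css_text, allowed_hosts=ALLOWED_HOSTS):
    """Return (line_number, host, url) for every URL whose host is off the allowlist."""
    findings = []
    for lineno, line in enumerate(css_text.splitlines(), start=1):
        for match in URL_RE.finditer(line):
            url = match.group()
            try:
                host = urlsplit(url).hostname or ""
            except ValueError:  # malformed authority, e.g. a broken IPv6 literal
                host = "<unparseable>"
            if host and host not in allowed_hosts:
                findings.append((lineno, host, url))
    return findings


if __name__ == "__main__":
    for lineno, host, url in audit_css(SAMPLE_CSS):
        print(f"line {lineno}: unexpected host {host} ({url})")
```

Inline SVG data URIs carry the `http://www.w3.org/2000/svg` namespace, so `www.w3.org` may need to be on the allowlist for stylesheets that embed icons that way.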

Most skimmers are invisible

But while this technique of loading skimmer code by using CSS rules as proxies is certainly innovative, de Groot says that this is not what shop owners and online shoppers should be worried about.

“While most research concerns JavaScript skimming attacks, the majority of skimming happens on the server, where it is completely invisible,” de Groot said.

“About 65% of our forensic investigations this year found a server side skimmer that was hidden in the database, PHP code or a Linux system process.”

As ZDNet explained in a piece on Monday about another of SanSec’s findings, the simplest way shoppers can protect themselves from web skimmer attacks is to use virtual cards designed for one-time payments.

Provided by some banks or online payment services, they allow shoppers to place a fixed sum of money inside a virtual debit card that expires after one transaction or a short period of time. If the card’s details are stolen by attackers, the card data is useless once the virtual card expires.
