Attackers take over expired domain to deliver web skimming scripts

2022-12-06 14:57

Attackers have taken over at least one expired domain that used to host a popular JavaScript library and used it to deliver web skimming scripts to a number of e-commerce sites.

"The victim websites had years to remove the dead link that was leveraged by attackers but didn't - likely due to a lack of visibility about third-party scripts running on their websites and poor security hygiene," Jscrambler researchers noted.

The original JavaScript library was called Cockpit and it was replaced with a malicious web skimming script.

Jscrambler researchers told Help Net Security that the attackers made no attempt to make it look like the original script or disguise it in any other way.

Depending on the referrer header value, which indentifies the webpage from where it is fetched, the domain would serve either no script, a default skimmer, or a specific skimmer.

"By re-registering the defunct domain and configuring it to distribute malicious code, the attackers were able to compromise over 40 e-commerce websites. Data collected from the sites was encoded, encrypted and then sent to an exfiltration server based in Russia," the researchers found.

News URL

https://www.helpnetsecurity.com/2022/12/06/expired-domain-web-skimming/

#WEB