Credit card data smuggled using private Telegram channel


The cybercriminals attacking online stores have adopted a new tactic of using the Telegram messaging app to send stolen payment details from compromised websites back to the attackers.

The new method was discovered by Affable Kraut using data from Dutch cybersecurity firm Sansec, a company specializing in fighting digital skimming. The researcher analyzed the malicious JavaScript, which includes common anti-analysis protections.

In a Twitter thread, Kraut explained how the script works, noting that it collects data from any type of input field and sends it to a Telegram channel.

Magecart hackers, who target online shopping cart systems, usually inject e-skimmers into shopping websites by exploiting a known vulnerability or using stolen credentials, in order to steal credit card details.

These virtual credit card skimmers, also known as formjacking attacks, are JavaScript code that the operators secretly insert into an e-commerce website, usually on payment pages, in order to capture customers’ card details in real time and transfer them to a remote attacker-controlled server.

Recently they have stepped up their efforts to hide card stealer code inside image metadata and have even carried out IDN homograph attacks to plant web skimmers concealed within a website’s favicon file.

This time, however, the method of exfiltrating the data (name, address, credit card number, expiry date, and CVV) is new: it is done via an instant message sent to a private Telegram channel, using a bot ID that is stored in encoded form in the skimmer code.

The information is encrypted using a public key, and a Telegram bot posts the stolen data in a chat as a message.

The advantage of using Telegram is that threat actors do not have to set up separate command-and-control infrastructure to transmit the collected information, nor risk having those domains taken down or blocked by anti-malware services.

Jérôme Segura, Director of Threat Intelligence at Malwarebytes, who also analyzed this script, stated that defending against this type of skimming attack is a little trickier since it depends on a legitimate communication service. One could block all connections to Telegram at the network level, but it is easy for the attackers to switch to another provider or platform and still get away with it.

Segura says that Malwarebytes has identified a few online stores infected with this variant of payment card skimmer. However, the researcher states that there might be even more that have been infected.


Priyanka R
Cyber Security Enthusiast, Security Blogger, Technical Editor, Author at Cyber Safe News
