A financially motivated campaign has been targeting online payment businesses in Asia Pacific, North America and Latin America with web skimmers for more than a year.
The BlackBerry Research and Intelligence team is tracking this activity under the name Silent Skimmer and is attributing it to an actor who is fluent in Chinese. Major victims include online businesses and point-of-sale (POS) service providers.
“Campaign operators exploit vulnerabilities in web applications, particularly those hosted on Internet Information Services (IIS),” the Canadian cybersecurity firm said. “Their primary objective is to compromise the payment checkout page and swipe visitors’ sensitive payment data.”
After gaining an initial foothold, the threat actors rely on a mix of open-source tools and living-off-the-land (LOtL) techniques for privilege escalation, post-exploitation, and code execution.
The attack chain culminates in the deployment of a PowerShell-based remote access trojan (server.ps1) that lets the operators control the host remotely. The RAT connects to a remote server that hosts additional utilities, including downloader scripts, reverse proxies and Cobalt Strike beacons.
According to BlackBerry, the ultimate goal of the intrusion is to infiltrate a web server, drop a scraper into the payment checkout service through a web shell, and then covertly capture the financial information that victims enter on the page.
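A defender-side check that follows from the technique described above (a scraper injected into a checkout page through a web shell), added here as an example and not part of the BlackBerry report or this article: it baselines the scripts a checkout page is expected to serve and flags any external or inline script that is not on the allowlist. The host names, allowlist and sample page are constructed.

```python
"""Baseline check for unexpected scripts on a payment checkout page (constructed example)."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: hosts allowed to serve scripts to the checkout page and the
# SHA-256 of each inline script the page legitimately carries.
KNOWN_HOSTS = {"shop.example", "js.payment-provider.example"}
KNOWN_INLINE_SHA256 = {hashlib.sha256(b"window.cfg={currency:'USD'};").hexdigest()}


class _ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from HTML."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_script, self._buf = [], [], False, []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def audit_checkout_page(html, known_hosts=KNOWN_HOSTS, known_inline=KNOWN_INLINE_SHA256):
    """Return (kind, detail) findings for scripts that are not in the baseline.
    Relative srcs have no host and are treated as first-party."""
    p = _ScriptCollector()
    p.feed(html)
    findings = []
    for src in p.external:
        host = urlparse(src).hostname or ""
        if host and host not in known_hosts:
            findings.append(("unknown-external-script", src))
    for body in p.inline:
        digest = hashlib.sha256(body.strip().encode()).hexdigest()
        if digest not in known_inline:
            findings.append(("unknown-inline-script", digest[:16]))
    return findings


# Constructed sample: a legitimate inline config script, the payment provider's
# script, and one script loaded from a host that is not in the baseline.
SAMPLE_PAGE = """<html><body>
<script>window.cfg={currency:'USD'};</script>
<script src="https://js.payment-provider.example/checkout.js"></script>
<form id="pay"><input name="cardnumber"><input name="cvv"></form>
<script src="https://cdn-stats.example.net/analytics.js"></script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in audit_checkout_page(SAMPLE_PAGE):
        print(kind, detail)
```

Running the check against a periodic fetch of the live checkout page, and alerting on any finding, gives a cheap signal that the served page has changed in a way the baseline did not anticipate.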
Investigation of the adversary’s infrastructure reveals that virtual private servers (VPS) used for command-and-control (C2) are selected based on the geographic location of victims in an effort to avoid detection.
The diversity of industries and sectors targeted, as well as the types of servers breached, point to an opportunistic campaign rather than a deliberate approach.
BlackBerry said, “The attacker focused primarily on regional websites that collect payment data, exploiting vulnerabilities in commonly used technologies to gain unauthorized access and obtain sensitive payment information entered or stored on the site.”
The revelations come as Sophos disclosed details of a pig butchering scam in which potential targets, first contacted on dating apps like MeetMe, were lured into fraudulent cryptocurrency investment schemes that netted the actors millions in illegal profits.
What distinguishes the latest operation is the use of liquidity mining lures, which promise users regular income at high rates for investments in liquidity pools, where virtual assets are held to facilitate trading on decentralized exchanges.
“These scams require no malware on the target’s device, and no ‘hacking’ of any sort other than fraudulent websites and social engineering — convincing targets to connect their wallet to an Ethereum smart contract that gives the scammers permission to empty the wallet,” security researcher Sean Gallagher said.