Shopping Site Skimmers
Skimming for gold
On 10 April 2019, Netcraft discovered that Cleor’s website was infected with malicious skimming code.
The malicious code is served from an external domain, cleor.co, and is injected into the website alongside a legitimate Facebook tracking script. The similarity of the domain to the real cleor.com makes it easy to mistake for a benign resource.
The skimming code on hxxps://cleor[.]co/api.js has been obfuscated by its author in an attempt to disguise its purpose. This is a common tactic of criminals. When deobfuscated, its malicious intent is made clear:
The code contains references to credit card input fields, which are used to extract sensitive information entered into the checkout form by visitors to Cleor’s site. This data is sent to hxxps://cleor[.]co/track.js, which is also visible in the deobfuscated code.
We confirmed this by doing a test checkout on the site. Once the credit card details were filled in as part of the checkout process, a POST request was sent to hxxps://cleor[.]co/track.js. The data sent to the dropsite is Base64-encoded; decoding it reveals a JSON array containing all of the credentials entered into the form.
Even customers who did not complete their purchase may have been affected, as the credentials are skimmed immediately after they are entered rather than when the checkout form is submitted.
Netcraft alerted Cleor of the incident, and the skimmer injection code has since been removed.
In this attack, a single site, cleor.co, is used both to serve the malicious code and to receive the stolen credentials. The domain was purpose-registered for this attack, a trait shared with the British Airways skimmer; a lookalike domain makes the injected code easy to mistake as benign. cleor.co was registered with Namecheap on 10 January this year, suggesting the attack may have been carefully planned before deployment or may have been active for some time.
The criminals responsible for this attack are also plausibly behind at least one other, more widespread attack from a domain registered just one day later, also with Namecheap: ajaxstatic.com. Both of these attacks are hosted by Ankas-group, the only Moldovan-hosted source of skimming code identified by Netcraft. ajaxstatic.com is currently hosting at least 27 distinct skimmers which target a range of payment gateways including Authorize.net, Verisign, Stripe and Braintree.
Prevention and protection
Subresource Integrity (SRI) instructs web browsers to perform integrity checks of third-party resources, which can prevent the browser from loading any resources that have been tampered with. CSP can be used to ensure that all resources loaded on a page use SRI.