Skip to content

New web skimmer steals credit card data, sends to crooks via Telegram

The digital credit card skimming landscape keeps evolving, often borrowing techniques used by other malware authors in order to avoid detection.

As defenders, we look for any kind of artifacts and malicious infrastructure that we might be able to identify to protect our users and alert affected merchants. These malicious artifacts can range from compromised stores to malicious JavaScript, domains, and IP addresses used to host a skimmer and exfiltrate data.

One such artifact is a so-called “gate,” which is typically a domain or IP address where stolen customer data is being sent and collected by cyber-criminals. Typically, we see threat actors either stand up their own gate infrastructure or use compromised resources.

However, there are variations that involve abusing legitimate programs and services, thereby blending in with normal traffic. In this blog, we take a look at the latest web skimming trick, which consists of sending stolen credit card data via the popular instant messaging platform Telegram.

An otherwise normal shopping experience

We are seeing a large number of e-commerce sites attacked either through a common vulnerability or stolen credentials. Unaware shoppers may visit a merchant that has been compromised with a web skimmer and make a purchase while unknowingly handing over their credit card data to criminals.

Skimmers insert themselves seamlessly within the shopping experience and only those with a keen eye for detail or who are armed with the proper network tools may notice something’s not right.

Figure 1: Credit card skimmer using Telegram bot

The skimmer will become active on the payment page and surreptitiously exfiltrate the personal and banking information entered by the customer. In simple terms, things like name, address, credit card number, expiry, and CVV will be leaked via an instant message sent to a private Telegram channel.

Telegram-based skimmer

Telegram is a popular and legitimate instant messaging service that provides end-to-end encryption. A number of cybercriminals abuse it for their daily communications but also for automated tasks found in malware.

Attackers have used Telegram to exfiltrate data before, for example via traditional Trojan horses, such as the Masad stealer. However, security researcher @AffableKraut shared the first publicly documented instance of a credit card skimmer used in Telegram in a Twitter thread.

The skimmer code keeps with tradition in that it checks for the usual web debuggers to prevent being analyzed. It also looks for fields of interest, such as billing, payment, credit card number, expiration, and CVV.

Figure 2: First part of the skimmer code

The novelty is the presence of the Telegram code to exfiltrate the stolen data. The skimmer’s author encoded the bot ID and channel, as well as the Telegram API request with simple Base64 encoding to keep it away from prying eyes.

Figure 3: Skimming code containing Telegram’s API

The exfiltration is triggered only if the browser’s current URL contains a keyword indicative of a shopping site and when the user validates the purchase. At this point, the browser will send the payment details to both the legitimate payment processor and the cybercriminals.

Figure 4: A purchase where credit card data is stolen and exfiltrated

The fraudulent data exchange is conducted via Telegram’s API, which posts payment details into a chat channel. That data was previously encrypted to make identification more difficult.

For threat actors, this data exfiltration mechanism is efficient and doesn’t require them to keep up infrastructure that could be taken down or blocked by defenders. They can even receive a notification in real time for each new victim, helping them quickly monetize the stolen cards in underground markets.

Challenges with network protection

Defending against this variant of a skimming attack is a little more tricky since it relies on a legitimate communication service. One could obviously block all connections to Telegram at the network level, but attackers could easily switch to another provider or platform (as they have done before) and still get away with it.

Malwarebytes Browser Guard will identify and block this specific skimming attack without disabling or interfering with the use of Telegram or its API. So far we have only identified a couple of online stores that have been compromised with this variant, but there are likely several more.

Figure 5: Malwarebytes blocking this skimming attack

As always, we need to adapt our tools and methodologies to keep up with financially-motivated attacks targeting e-commerce platforms. Online merchants also play a huge role in derailing this criminal enterprise and preserving the trust of their customer base. By being proactive and vigilant, security researchers and e-commerce vendors can work together to defeat cyber-criminals standing in the way of legitimate business.

See Pricing

Leave a Comment