Microsoft Warns of Evolving Web Skimming Techniques

The Microsoft 365 Defender Research Team is warning that Web skimming attacks are becoming more sophisticated and are able to hide malicious scripts from traditional security defenses.

The team shared a report on Monday disclosing how attackers are leveraging specially crafted images or malicious JavaScript code that mimics Google Analytics and Meta Pixel scripts in their skimming attempts.

Web skimming is a technique in which attackers traditionally load malicious JavaScript onto a Web site, either a legitimate one they have compromised or one they crafted themselves, to capture the information and credentials users enter. However, Microsoft said the new technique that uses images containing malicious code demonstrates that security solutions must also evolve to counter the threat. Here's one attack Microsoft observed:

In one of the campaigns we've observed, attackers obfuscated the skimming script by encoding it in PHP, which, in turn, was embedded inside an image file -- a likely attempt to leverage PHP calls when a website's index page is loaded. Recently, we've also seen compromised web applications injected with malicious JavaScript masquerading as Google Analytics and Meta Pixel (formerly Facebook Pixel) scripts. Some skimming scripts even had anti-debugging mechanisms, in that they first checked if the browser's developer tools were open.

According to the report, Microsoft started observing the technique of embedding malicious code in images in November 2021. In many cases, the report said, the skimming code was not the only payload: remote access trojans (RATs) were often included as well and used to inject the skimming code directly on the server side. Because the injected script then arrives as part of the site's own content, browser protections such as Content Security Policy can be bypassed completely.

As for the other skimming technique -- malicious code mimicking Google Analytics or Meta Pixel scripts -- Microsoft said it also began noticing it at the end of 2021. While the attacks all pointed to domains used by a budget hosting provider, the actual sites were hidden behind Cloudflare infrastructure, obscuring them from security measures. Spotting these scripts is hard when security software doesn't flag them and the code itself carries spoofed Google and Meta tags, leaving admins and developers little to go on.

To protect against Web skimming attacks, organizations should watch for suspicious-looking JavaScript code and make sure the security services they use are up to date. "Given the increasingly evasive tactics employed in skimming campaigns, organizations should ensure that their e-commerce platforms, CMSs and installed plugins are up to date with the latest security patches and that they only download and use third-party plugins and services from trusted sources," reads the report. "They must also perform a regular and thorough check of their web assets for any compromised or suspicious content."
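As an added illustration of what such a "regular and thorough check of web assets" can look like in practice (example code written for this article, not Microsoft's tooling or anything from the report), the Python script below scans a site's files for the three indicators described above: PHP code hidden inside an image file, a script that looks like a Google Analytics or Meta Pixel loader but is served from some other host, and an inline script that probes for open developer tools. The allowlist of analytics hosts, the regular expressions and the sample HTML and image bytes are all assumptions constructed for the example.

```python
"""Heuristic scan of web assets for the skimming indicators the report
describes: PHP code hidden inside image files, scripts that pose as
Google Analytics / Meta Pixel loaders but are served from other hosts,
and inline scripts that probe for open browser developer tools.

Added example, not Microsoft's tooling. The host allowlist, the
regular expressions and the sample inputs are assumptions made for
illustration, not indicators taken from the report."""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Leading bytes of the common image formats; a file served as an image
# that starts with none of these deserves a look on its own.
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")

# Hosts the genuine analytics loaders are fetched from (assumed allowlist;
# extend it for the tag managers your own site legitimately uses).
LEGIT_ANALYTICS_HOSTS = {
    "www.googletagmanager.com",
    "www.google-analytics.com",
    "connect.facebook.net",
}

SCRIPT_SRC_RE = re.compile(r'<script\b[^>]*\bsrc=["\']([^"\']+)["\']', re.I)
INLINE_SCRIPT_RE = re.compile(r'<script\b(?![^>]*\bsrc=)[^>]*>(.*?)</script>', re.I | re.S)
ANALYTICS_NAME_RE = re.compile(r'gtag|analytics|fbevents|pixel', re.I)
# Two common ways a script tests whether developer tools are open: comparing
# outer and inner window width, or timing a bare "debugger" statement.
DEVTOOLS_PROBE_RE = re.compile(r'outerWidth\s*-\s*(?:window\.)?innerWidth|\bdebugger\b')


@dataclass
class Finding:
    kind: str
    detail: str


def scan_image(name: str, data: bytes) -> list[Finding]:
    """Flag an image that lacks a known signature or carries a PHP open tag."""
    findings = []
    if not data.startswith(IMAGE_MAGIC):
        findings.append(Finding("bad-image-header", name))
    if b"<?php" in data:
        findings.append(Finding("php-in-image", name))
    return findings


def scan_html(html: str) -> list[Finding]:
    """Flag analytics-lookalike scripts on foreign hosts and devtools probes."""
    findings = []
    for src in SCRIPT_SRC_RE.findall(html):
        host = (urlparse(src).hostname or "").lower()
        if not host:
            continue  # same-origin path; left to the site's own code review
        if ANALYTICS_NAME_RE.search(src) and host not in LEGIT_ANALYTICS_HOSTS:
            findings.append(Finding("spoofed-analytics-host", src))
    for body in INLINE_SCRIPT_RE.findall(html):
        if DEVTOOLS_PROBE_RE.search(body):
            findings.append(Finding("devtools-probe", " ".join(body.split())[:80]))
    return findings


# Constructed sample inputs: one genuine loader, one lookalike on an
# unrelated host, one inline script with a devtools check, and a PNG
# whose trailing bytes carry a PHP tag.
SAMPLE_HTML = """
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script src="https://static.example.net/gtag/analytics.js"></script>
<script>
  if (window.outerWidth - window.innerWidth > 160) { /* bail out */ }
</script>
"""
SAMPLE_IMAGE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16 + b"<?php /* constructed */ ?>"

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML) + scan_image("banner.png", SAMPLE_IMAGE):
        print(f"{f.kind:24} {f.detail}")
```

Run against the constructed samples, the script reports the lookalike loader on static.example.net, the inline devtools probe and the PHP tag inside banner.png, while the genuine Google Tag Manager loader passes. The checks are deliberately simple string and regex heuristics, so treat hits as items for a human to review rather than as verdicts, and keep the host allowlist in step with the tag managers your own pages legitimately load.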

The report also used the opportunity to tout the additional protection against Web skimming that organizations can get with Microsoft 365 Defender. Microsoft said its cloud-based security solution coordinates threat defense across many domains and detects and blocks skimming scripts on endpoints and servers. Its detection capabilities are also backed by security researchers who actively monitor the attack landscape to help update Microsoft 365 Defender with the latest deterrents.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.
