Fwd: Current Activity : Credit Card Skimmer Targets Microsoft ASP.NET Sites


Current Activity 

Credit Card Skimmer Targets Microsoft ASP.NET Sites

It has been reported that credit card skimming through various e-commerce sites is spreading worldwide. Attackers typically target e-commerce sites because of their wide presence, popularity, and the LAMP environment (Linux, Apache, MySQL, and PHP). Recently, attackers targeted sites hosted on Microsoft's IIS server running the ASP.NET web application framework.

It is reported that sports organizations, health and e-commerce websites, among others, are most affected by this attack, and were identified as running ASP.NET version 4.0.30319, which is no longer officially supported by Microsoft and may contain multiple known or unknown vulnerabilities.

In this attack, attackers remotely appended obfuscated malicious code to one of the site's legitimate JavaScript libraries, or injected the full skimming code directly into the compromised JavaScript library. The skimmer is designed to exfiltrate credit card numbers as well as passwords.

IOC:

Regex to find ASP.NET skimmer injections:

(jquery\w+\|\|undefined;jquery\w+={1,5}undefined&&)|(!window\.jqv\w+&&\(jqv\w+=function\(a\)\{return)

Skimmer hosting site:

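As an added example (not part of the forwarded advisory), the regex published above applied as a line-by-line scanner over a constructed JavaScript sample, with an optional walk over a webroot; the scan_js and scan_directory names, the variant labels and the sample contents are my own assumptions.

```python
import re
from pathlib import Path

# Detection regex exactly as published in the advisory (case-sensitive, two alternations).
SKIMMER_INJECTION_RE = re.compile(
    r"(jquery\w+\|\|undefined;jquery\w+={1,5}undefined&&)"
    r"|(!window\.jqv\w+&&\(jqv\w+=function\(a\)\{return)"
)

# Labels for the two alternations (constructed names, not from the advisory).
VARIANTS = {1: "jquery-alias-guard", 2: "jqv-window-guard"}


def scan_js(text):
    """Return [(line_no, variant, snippet)] for every line matching the advisory regex."""
    hits = []
    for no, line in enumerate(text.splitlines(), start=1):
        for m in SKIMMER_INJECTION_RE.finditer(line):
            variant = VARIANTS[1] if m.group(1) else VARIANTS[2]
            hits.append((no, variant, m.group(0)[:60]))
    return hits


def scan_directory(root):
    """Walk an assumed webroot path, scan every .js file, return {path: hits}."""
    findings = {}
    for path in Path(root).rglob("*.js"):
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        hits = scan_js(text)
        if hits:
            findings[str(path)] = hits
    return findings


# Constructed sample: a library-looking bundle with two appended lines shaped only
# to match the published pattern (not functional skimmer code).
SAMPLE_JS = """\
/* constructed jQuery-style bundle header */
!function(e,t){"use strict";"object"==typeof module?module.exports=e:t(e)}(this,function(){});
var jqueryTo||undefined;jqueryTo===undefined&&(function(){})();
!window.jqvWr&&(jqvWr=function(a){return a});
"""

if __name__ == "__main__":
    for no, variant, snippet in scan_js(SAMPLE_JS):
        print(f"line {no}: {variant}: {snippet}")
```

Note that the published pattern is case-sensitive and keyed to specific identifier prefixes, so a clean scan is evidence against this particular injection only, not against skimming in general.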

Best practices:

Use the latest version of the ASP.NET web framework, IIS web server and database server.

Apply appropriate updates/patches to the OS and application software as and when they are made available by the OEM.

Restrict/deny all access by default and only allow absolutely necessary access.

Conduct a complete security audit of the web application, web server and database server periodically and after every major configuration change, and plug any vulnerabilities found.

Apply Security Information and Event Management (SIEM) and/or Database Activity Monitoring (DAM) solutions.

Search all websites hosted on the web server, or sharing the same DB server, for malicious webshells or any other artefacts.

Periodically check the web server directories for any malicious/unknown web shell files and remove them as and when noticed.

References:

argets-asp-net-sites/
