Credit Card Skimmer Targets Microsoft ASP.NET Sites
It has been reported that credit card skimming through various e-commerce
sites is spreading worldwide. Attackers typically target e-commerce
sites because of their wide presence, popularity and the LAMP environment
(Linux, Apache, MySQL, and PHP). Recently, attackers targeted sites, which
were hosted on Microsoft's IIS server running with the ASP.NET web
It is reported that sports organizations, health and e-commerce websites,
among others, are mostly affected by this attack and were identified as
running ASP.NET version 4.0.30319, which is no longer officially supported
by Microsoft and may contain multiple known/unknown vulnerabilities.
In this attack, attackers remotely appended and obfuscated malicious code
exfiltrate the credit card numbers as well as passwords.
Regex to find ASP.NET skimmer injections:
Skimmer hosting site:
Use the latest version of the ASP.NET web framework, IIS Web server and Database
Apply appropriate updates/patches to the OS and application software as and
when they are available from the OEM.
Restrict/Deny all access by default and only allow absolutely necessary
Conduct a complete security audit of the web application, web server and database
server periodically and after every major configuration change and plug
Apply Security Information and Event Management (SIEM) and/or Database
Activity Monitoring (DAM) solutions.
Search all the websites hosted on the web server or sharing the same DB
server for malicious web shells or any other artefacts.
Periodically check the web server directories for any malicious/unknown web
shell files and remove them as and when noticed.
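One way to run the periodic directory check described above, as an added example that is not part of the original advisory: a PowerShell integrity baseline that flags script and page files that are new, modified (for instance by appended code) or missing since a known-good deployment. The paths, the extension list and the parameter names are assumptions to adapt to the site.

```powershell
# Added example. Run once with -CreateBaseline on a known-good deployment,
# then on a schedule without it. Default paths are placeholders (assumptions).
param(
    [string]$WebRoot      = 'C:\inetpub\wwwroot',
    [string]$BaselinePath = 'C:\SecOps\webroot-baseline.csv',
    [switch]$CreateBaseline
)
# File types that can carry injected script or a web shell (assumed list).
$Extensions = '.js', '.aspx', '.ashx', '.asmx', '.asp', '.cshtml', '.config', '.dll'
$WebRoot = (Resolve-Path -LiteralPath $WebRoot).ProviderPath

function Get-WebRootHashes {
    param([string]$Root)
    Get-ChildItem -LiteralPath $Root -Recurse -File |
        Where-Object { $Extensions -contains $_.Extension.ToLowerInvariant() } |
        ForEach-Object {
            [pscustomobject]@{
                # Store paths relative to the web root so the baseline is portable.
                Path         = $_.FullName.Substring($Root.Length).TrimStart('\')
                SHA256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                LastWriteUtc = $_.LastWriteTimeUtc.ToString('o')
            }
        }
}

$current = @(Get-WebRootHashes -Root $WebRoot)
if ($CreateBaseline) {
    $current | Export-Csv -LiteralPath $BaselinePath -NoTypeInformation
    Write-Output "Baseline written: $($current.Count) files"
    return
}

$known = @{}   # relative path -> baseline hash (keys are case-insensitive)
Import-Csv -LiteralPath $BaselinePath | ForEach-Object { $known[$_.Path] = $_.SHA256 }

$findings = New-Object System.Collections.Generic.List[object]
foreach ($f in $current) {
    if (-not $known.ContainsKey($f.Path)) {
        $findings.Add([pscustomobject]@{ Status = 'NEW'; Path = $f.Path; LastWriteUtc = $f.LastWriteUtc })
    } elseif ($known[$f.Path] -ne $f.SHA256) {
        $findings.Add([pscustomobject]@{ Status = 'MODIFIED'; Path = $f.Path; LastWriteUtc = $f.LastWriteUtc })
    }
    $known.Remove($f.Path)   # whatever remains afterwards is gone from disk
}
foreach ($p in $known.Keys) {
    $findings.Add([pscustomobject]@{ Status = 'MISSING'; Path = $p; LastWriteUtc = '' })
}
$findings | Sort-Object Status, Path | Format-Table -AutoSize
if ($findings.Count -gt 0) { exit 1 }   # non-zero exit lets a scheduled task alert
```

Keep the baseline file outside the web root and on storage the web application's account cannot write to, and regenerate it only as part of a reviewed deployment.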