A researcher has discovered that payment card skimmers have hit four online sellers with the help of Heroku, a cloud provider owned by Salesforce.
Heroku is a cloud platform designed to make it easier for users to build, maintain and deliver online services. It appears that the service also makes it easier for crooks to run skimmers that target third-party sites. Jérôme Segura, director of threat intelligence at security provider Malwarebytes, said on Wednesday that he found a rash of skimmers on Heroku. The hackers behind the scheme not only used the service to host their skimmer infrastructure and deliver it to targeted sites; they also used Heroku to store the stolen credit card details. Heroku administrators suspended the accounts and removed the skimmers within an hour of being notified, Segura told Ars.
This is not the first time that cloud services have been misused by payment card skimmers. In April, Malwarebytes documented similar abuse on GitHub. Two months later, the security provider reported skimmers hosted on Amazon S3 buckets. From a crook's point of view, abusing a cloud provider makes sense: it is often free, saves the hassle of registering look-alike domain names, and delivers first-class availability and bandwidth.
“We will probably continue to see skimmers abusing more cloud services because they are a cheap (even free) resource that they can throw away when they are finished using it,” Segura wrote in Wednesday’s post.
In an email, Segura documented four free Heroku accounts hosting scripts aimed at four third-party merchants. They were:
- stark-gorge-44782(.)herokuapp(.)com used against shopping site correcttoes(.)com
- ancient-savannah-86049(.)herokuapp(.)com/configration.js used against panafoto(.)com
- pure-peak-91770(.)herokuapp(.)com/intregration.js used against alashancashmere(.)com
- aqueous-scrubland-51318(.)herokuapp(.)com/configuration.js used against amapur(.)de
Figure: The exfiltration mechanism.
Figure: The iframe used by the skimmer.
Figure: The fake payment form.
Segura said internet searches suggest that the skimmers were hosted on Heroku for about a week. He was not the only one who noticed.
Another one at @heroku
hxxps://stark-gorge-44782.herokuapp(.)com/integration.js. Fake form in an iframe. Data goes to hxxps://stark-gorge-44782.herokuapp(.)com/config.php?id=
– Denis (@unmaskparasites) December 2, 2019
Skimmers like the one Segura documented are not easy for an average end user to detect. Once the card data has been exfiltrated, users see an error message instructing them to reload the page, but such errors happen often enough on legitimate sites that they are not a clear sign of fraud. And in any case, by the time the message appears, the card has already been compromised. More advanced users who want to know whether they have been affected can check their browser logs or web caches for the four Heroku links mentioned above.
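As an added illustration of that check (not code from the article or from Malwarebytes), the Python below flags script and iframe sources in a page, and requests in a simple log, that point at the Heroku hosts listed above, with the request to config.php marked as the exfiltration step seen in the tweet. The log format and the sample page and log lines are constructed, and the hyphenated spelling of the fourth host is an assumption.

```python
import re
from urllib.parse import urlparse

# Hosts named in the article, re-fanged; the hyphens in the fourth name are assumed.
SKIMMER_HOSTS = {
    "stark-gorge-44782.herokuapp.com",
    "ancient-savannah-86049.herokuapp.com",
    "pure-peak-91770.herokuapp.com",
    "aqueous-scrubland-51318.herokuapp.com",
}
SRC_RE = re.compile(r'<(script|iframe)\b[^>]*\ssrc=["\']([^"\']+)', re.I)

def classify_url(url):
    """'known' for a listed host, 'herokuapp' for any other *.herokuapp.com
    (a lead to review, since legitimate apps live there too), else None."""
    if url.startswith("//"):
        url = "https:" + url  # protocol-relative src
    host = (urlparse(url).hostname or "").lower()
    if host in SKIMMER_HOSTS:
        return "known"
    return "herokuapp" if host.endswith(".herokuapp.com") else None

def scan_html(html):
    """(tag, src, verdict) for every script/iframe loaded from a Heroku host."""
    return [(t.lower(), s, v) for t, s in SRC_RE.findall(html) if (v := classify_url(s))]

def scan_log(lines):
    """(client, stage, url) for lines '<ts> <client> <method> <url> <status>' (a
    constructed format) touching a Heroku host; config.php = exfiltration step."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 5 and classify_url(parts[3]):
            stage = "exfil" if urlparse(parts[3]).path.endswith("/config.php") else "loader"
            findings.append((parts[1], stage, parts[3]))
    return findings

# Constructed sample input: a checkout page with one injected script and an
# iframe on a different Heroku app, plus three proxy-log lines from one client.
SAMPLE_HTML = """<script src="https://cdn.shop.example/checkout.js"></script>
<script src="https://stark-gorge-44782.herokuapp.com/integration.js"></script>
<iframe src="//other-app-12345.herokuapp.com/form.html"></iframe>"""
SAMPLE_LOG = [
    "1575300001 10.0.0.5 GET https://shop.example/checkout 200",
    "1575300002 10.0.0.5 GET https://stark-gorge-44782.herokuapp.com/integration.js 200",
    "1575300003 10.0.0.5 GET https://stark-gorge-44782.herokuapp.com/config.php?id=CONSTRUCTED 200",
]
```

A wildcard hit on herokuapp.com is only a lead; confirm by inspecting the fetched script and whether the form it injects is the merchant's own.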