Payment card skimming malware targeting four sites found on Heroku cloud platform

Payment card skimmers have hit four online merchants with the help of Heroku, a Salesforce-owned cloud platform, a researcher has discovered.

Heroku is a cloud platform designed to make it easier for users to build, maintain and deliver online services. It appears that the service also makes it easier for crooks to run skimmers that target third-party sites. Jérôme Segura, director of threat intelligence at security provider Malwarebytes, said on Wednesday that he found a rash of skimmers on Heroku. The hackers behind the scheme not only used the service to host their skimmer infrastructure and deliver it to targeted sites; they also used Heroku to store the stolen credit card details. Heroku administrators suspended the accounts and removed the skimmers within an hour of being notified, Segura told Ars.

This is not the first time that cloud services have been abused by payment card skimmers. In April, Malwarebytes documented similar abuse on GitHub. Two months later, the security provider reported skimmers hosted in Amazon S3 buckets. Abusing a cloud provider makes sense from a crook's point of view: it is often free, saves the hassle of registering look-alike domain names, and delivers first-class availability and bandwidth.

“We will probably continue to see skimmers abusing more cloud services because they are a cheap (even free) resource that they can throw away when they are finished using it,” Segura wrote in Wednesday’s post.

In an email, Segura documented four free Heroku accounts hosting scripts that targeted four third-party merchants. They were:

  • stark-gorge-44782.herokuapp (.) com used against shopping site correcttoes (.) com
  • ancient-savannah-86049 (.) herokuapp (.) com / configration.js used against panafoto (.) com
  • pure-peak-91770 (.) herokuapp (.) com / intregration.js was used against alashancashmere (.) com
  • aqueous scrubland 51318 (.) herokuapp (.) com / configuration.js was used against amapur.) de

In addition to setting up the Heroku accounts and deploying the skimmer code and data collection systems, the scheme required the intended merchants' websites to be compromised by means that are currently unknown (although some of the sites were running unpatched web apps). The attackers then injected a single line of code into the infected sites. The injected JavaScript, which was hosted on Heroku, checked the current page for the Base64-encoded string “Y2hlY2tvdXQ=”, which decodes to “checkout”.

When the string was detected, the malicious JavaScript loaded an iframe that skimmed the payment card data and sent it, Base64-encoded, to the Heroku account. The iframe-based skimmer placed an overlay on top of the legitimate payment form that looked identical to the real one. Below are three screenshots that show the scheme in action:
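As an added example (not from the article or from Malwarebytes), here is a small Python check a merchant could run over a saved copy of a checkout page: it lists script sources served from hosts outside the site's own allowlist, and it decodes quoted Base64 literals in inline scripts to surface hidden keywords such as the “checkout” string the skimmer looked for. The sample HTML and the herokuapp host name in it are constructed placeholders.

```python
import base64
import re
from urllib.parse import urlparse

# Constructed sample: a checkout page with one injected script tag pointing at
# a throwaway cloud host (hypothetical name) plus an inline Base64 page check.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.example-shop.com/app.js"></script>
<script src="https://example-app-12345.herokuapp.com/configuration.js"></script>
</head><body>
<script>if(btoa(location.pathname).indexOf("Y2hlY2tvdXQ=")!==-1){loadSkim();}</script>
</body></html>"""

SCRIPT_SRC_RE = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.I)
INLINE_SCRIPT_RE = re.compile(r'<script(?![^>]*\bsrc=)[^>]*>(.*?)</script>', re.I | re.S)
B64_LITERAL_RE = re.compile(r'["\']([A-Za-z0-9+/]{8,}={0,2})["\']')


def foreign_script_hosts(html, allowed_hosts):
    """Return hosts of external scripts that are not on the merchant's allowlist."""
    hosts = []
    for src in SCRIPT_SRC_RE.findall(html):
        host = urlparse(src).hostname or ""
        if host and host not in allowed_hosts:
            hosts.append(host)
    return hosts


def decoded_base64_literals(html):
    """Decode quoted Base64 literals found in inline scripts as (literal, text) pairs."""
    found = []
    for body in INLINE_SCRIPT_RE.findall(html):
        for literal in B64_LITERAL_RE.findall(body):
            try:
                text = base64.b64decode(literal, validate=True).decode("ascii")
            except (ValueError, UnicodeDecodeError):
                continue  # not valid Base64 / not text: skip
            if text.isprintable():
                found.append((literal, text))
    return found


def scan(html, allowed_hosts, keywords=("checkout", "card", "payment")):
    """Report unexpected script hosts and Base64-hidden payment keywords."""
    hidden = [(lit, txt) for lit, txt in decoded_base64_literals(html)
              if any(k in txt.lower() for k in keywords)]
    return {"foreign_hosts": foreign_script_hosts(html, allowed_hosts),
            "hidden_keywords": hidden}
```

A hit in either list is a prompt to diff the page against a known-good copy of the site's templates, not proof of compromise on its own.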

[Screenshots: the exfiltration mechanism; the iframe used; the fake payment form.]

Segura said internet searches suggest that the skimmers were hosted on Heroku for about a week. He was not the only one who noticed.

Another one at @heroku

hxxps: //stark-gorge-44782.herokuapp nl / integration.js (.). False form in an iframe. Data goes to hxxps: //stark-gorge-44782.herokuapp (.) Com / config.php? Id =

– Denis (@unmaskparasites) December 2, 2019

It is not easy for the average end user to detect skimmers like the one Segura documented. Once the card data has been exfiltrated, users receive an error message instructing them to reload the page, but such errors happen often enough on legitimate sites that they are not a clear sign of fraud. And in any case, by the time the message appears, the card has already been compromised. More advanced users who want to know if they have been compromised can check logs or web caches for the four Heroku links mentioned above.
