Payment-card skimming malware targeting four sites found on Heroku cloud platform

Payment card skimmers have hit four online merchants with the help of Heroku, a cloud provider owned by Salesforce, a researcher has discovered.

Heroku is a cloud platform designed to make it easier for users to build, maintain and deliver online services. It appears that the service also makes it easier for crooks to run skimmers that target third-party sites. Jérôme Segura, director of threat intelligence at security provider Malwarebytes, said on Wednesday that he found a rash of skimmers on Heroku. The hackers behind the scheme not only used the service to host their skimmer infrastructure and deliver it to targeted sites; they also used Heroku to store the stolen credit card details. Heroku administrators suspended the accounts and removed the skimmers within an hour of being notified, Segura told Ars.

This is not the first time that cloud services have been misused by payment card skimmers. In April, Malwarebytes documented similar abuse on GitHub. Two months later, the security provider reported skimmers hosted in Amazon S3 buckets. Abusing a cloud provider makes sense from a crook's point of view: it is often free, saves the hassle of registering look-alike domain names, and delivers first-class availability and bandwidth.

“We will probably continue to see skimmers abusing more cloud services because they are a cheap (even free) resource that they can throw away when they are finished using it,” Segura wrote in Wednesday’s post.

In an email, Segura documented four free Heroku accounts hosting scripts that targeted four external merchants. They were:

  • stark-gorge-44782 (.) herokuapp (.) com, used against shopping site correcttoes (.) com
  • ancient-savannah-86049 (.) herokuapp (.) com / configration.js, used against panafoto (.) com
  • pure-peak-91770 (.) herokuapp (.) com / intregration.js, used against alashancashmere (.) com
  • aqueous-scrubland-51318 (.) herokuapp (.) com / configuration.js, used against amapur (.) de

In addition to setting up the Heroku accounts and implementing the skimmer code and data collection systems, the scheme required the intended merchants' websites to be compromised by means that are currently unknown (although some of the sites were running unpatched web apps). The attackers then injected a single line of code into the infected sites. The injected JavaScript, which was hosted on Heroku, would check the current page for the Base64-encoded string “Y2hlY2tvdXQ=”, which decodes to “checkout”.

When the string was detected, the malicious JavaScript loaded an iframe that skimmed the payment card data and sent it, Base64-encoded, to the Heroku account. The iframe loaded by the skimmer contained an overlay on top of the legitimate payment form that looked identical to the real one. Below are three screenshots that show the scheme in action:

[Screenshot: The exfiltration mechanism]

[Screenshot: The iframe used]

[Screenshot: The fake payment form]

Segura said internet searches suggest that the skimmers were hosted on Heroku for about a week. He was not the only one who noticed.

Another one at @heroku

hxxps://stark-gorge-44782.herokuapp(.)nl/integration.js. Fake form in an iframe. Data goes to hxxps://stark-gorge-44782.herokuapp(.)com/config.php?id=

– Denis (@unmaskparasites) December 2, 2019

It is not easy for the average end user to detect skimmers like the one Segura documented. Once the card data has been exfiltrated, users receive an error message instructing them to reload the page, but such errors happen often enough on legitimate sites that they are not a clear sign of fraud. And in any case, by the time the message appears, the card has already been compromised. More advanced users who want to know whether they have been affected can check logs or web caches for the four Heroku links mentioned above.
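The check suggested above, as an added example that is not part of the original article or Malwarebytes' research: a small Python scanner that flags the four documented Heroku hosts in a captured page or in proxy/web-server logs, also flags any other *.herokuapp.com script include on a page that should not have one, and decodes the Base64 marker the injected script searched for. The hostnames are the article's defanged values re-joined, and the sample page and log lines are constructed for illustration.

```python
import base64
import re

# Heroku hosts named in the article (defanged there with "(.)"), constructed
# here as plain hostnames so they can be matched against logs and page source.
KNOWN_SKIMMER_HOSTS = {
    "stark-gorge-44782.herokuapp.com",
    "ancient-savannah-86049.herokuapp.com",
    "pure-peak-91770.herokuapp.com",
    "aqueous-scrubland-51318.herokuapp.com",
}
# The Base64 string the injected script searched for; it decodes to "checkout".
CHECKOUT_MARKER = "Y2hlY2tvdXQ="
SCRIPT_SRC_RE = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.IGNORECASE)
HOST_RE = re.compile(r"^https?://([^/:?#]+)", re.IGNORECASE)

def decode_marker(marker: str) -> str:
    """Decode a Base64 marker such as the one the skimmer looked for."""
    return base64.b64decode(marker).decode()

def script_hosts(html: str) -> list[str]:
    """Hostnames of every externally sourced <script> in a captured page."""
    hosts = []
    for src in SCRIPT_SRC_RE.findall(html):
        m = HOST_RE.match(src)
        if m:
            hosts.append(m.group(1).lower())
    return hosts

def scan_page(html: str) -> dict:
    """Flag scripts loaded from the documented hosts and from any *.herokuapp.com app."""
    hosts = script_hosts(html)
    return {
        "known_skimmer_hosts": sorted(h for h in hosts if h in KNOWN_SKIMMER_HOSTS),
        "herokuapp_scripts": sorted(h for h in hosts if h.endswith(".herokuapp.com")),
    }

def scan_log(lines: list[str]) -> list[str]:
    """Return proxy/web-server log lines that reference a documented skimmer host."""
    return [ln for ln in lines if any(h in ln.lower() for h in KNOWN_SKIMMER_HOSTS)]

# Constructed sample page and log lines, not captured data.
SAMPLE_HTML = ('<html><body><script src="https://cdn.merchant.example/app.js"></script>'
               "<script src='https://stark-gorge-44782.herokuapp.com/integration.js'>"
               '</script><form id="payment"></form></body></html>')
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Dec/2019:10:00:01 +0000] "GET /checkout HTTP/1.1" 200 5120',
    '203.0.113.7 - - [02/Dec/2019:10:00:02 +0000] "GET https://stark-gorge-44782.herokuapp.com/integration.js HTTP/1.1" 200 2048',
    '203.0.113.7 - - [02/Dec/2019:10:00:09 +0000] "POST https://stark-gorge-44782.herokuapp.com/config.php?id= HTTP/1.1" 200 12',
]
```

On a real merchant page, any script include from an unexpected host, not only herokuapp.com, deserves the same scrutiny; the host list is only the starting point this article gives.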
