CERT-IN has recently reported an ongoing credit card skimming campaign affecting multiple e-commerce sites worldwide. According to CERT-IN, the attackers target e-commerce websites because of the large online audience they attract, and because many of these platforms run on the LAMP stack (Linux, Apache, MySQL and PHP).
These attackers targeted websites specifically hosted on Microsoft's IIS server with the ASP.NET web application framework. Most affected websites belonged to sports organizations, health organizations and e-commerce businesses. The attackers targeted servers running ASP.NET, specifically ASP.NET version 4.0.30319 and below, which is no longer officially supported by Microsoft.
The severity of the issue has been set to Medium, though it is still recommended that you apply the fixes on your side.
The IoCs shared by CERT-IN are:
Regex to find ASP.NET skimmer injections:
(jquery\w+\|\|undefined;jquery\w+={1,5}undefined&&)|(!window\.jqv\w+&&\(jqv\w+=function\(a\)\{return)
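As an added example (not part of the CERT-IN advisory or the original post), the following Python script applies the regex above to page and script content, reporting the line and matched fragment, and walks a web root so it can be run against a deployed site. The sample strings are constructed for the test, not real captures, and the scanned file-extension list is an assumption.

```python
import re
from pathlib import Path

# IoC regex exactly as published in the CERT-IN advisory (case-sensitive,
# as given; widen with re.IGNORECASE only if you accept more false positives).
SKIMMER_RE = re.compile(
    r"(jquery\w+\|\|undefined;jquery\w+={1,5}undefined&&)"
    r"|(!window\.jqv\w+&&\(jqv\w+=function\(a\)\{return)"
)


def find_skimmer_hits(text: str):
    """Return a list of (line_number, matched_fragment) for every hit in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SKIMMER_RE.finditer(line):
            hits.append((lineno, m.group(0)))
    return hits


def scan_tree(root, suffixes=(".js", ".html", ".aspx", ".cshtml", ".master")):
    """Walk a web root and return {path: hits} for files with at least one hit.

    The suffix list is an assumption: adjust it to the files your site serves.
    """
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            try:
                text = path.read_text(encoding="utf-8", errors="replace")
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            hits = find_skimmer_hits(text)
            if hits:
                findings[str(path)] = hits
    return findings


# Constructed samples (not real captures): a benign jQuery fallback loader,
# and two fragments shaped the way the two regex alternatives expect.
BENIGN = "window.jQuery||document.write('<script src=\"/lib/jquery.min.js\"></script>');"
INJECTED_A = "var x=1;jqueryabc12||undefined;jqueryabc12==undefined&&(function(){})();"
INJECTED_B = "<script>!window.jqvZq9&&(jqvZq9=function(a){return a})</script>"

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("a", INJECTED_A), ("b", INJECTED_B)):
        print(name, find_skimmer_hits(sample))
```

Run it as `scan_tree("/path/to/webroot")` against a copy of the deployed site; a non-empty result means the injected fragment should be removed and the server treated as compromised for incident response purposes.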
Skimmer hosting sites:
What we recommend if your website appears vulnerable to such attacks:
- Update your ASP.NET web framework, database and IIS web server.
- Apply whatever operating system patches are available from your vendor to the server.
- Remap the ports on the servers and expose only those ports that are necessary.
- Beyond port remapping, perform security audits of the web application and database servers whenever a new vulnerability becomes known.
- Use some form of SIEM (Security Information and Event Management) and Database Activity Monitoring (DAM) solution; this is strongly recommended.
- Consult the security experts in your firm for suggestions and for implementing the fixes.
Read more here: CERT-IN, Malwarebytes.