Hackers hide web skimmer inside a website's CSS files

Previously, security researchers found web skimmers (Magecart scripts) inside favicons, site logos, live chat windows, and, most recently, in social media sharing buttons.


Over the past two years, cybercrime groups have used an assortment of tricks to hide credit card stealing code (also known as web skimmers or Magecart scripts) in various parts of an online store in order to avoid detection.

Places where web skimmers have been found in the past include inside images such as site logos, favicons, and social media sharing buttons; appended to popular JavaScript libraries like jQuery, Modernizr, and Google Tag Manager; or hidden inside site widgets like live chat windows.

The latest of these odd places is, believe it or not, CSS files.

CSS stands for Cascading Style Sheets. A CSS file holds rules, written in the CSS language, that the browser loads and applies to style a web page's elements.

These files usually contain code describing the colors of various page elements, the size of the text, padding between various elements, font settings, and more.

Web skimmer gang experiments with CSS

However, CSS is not what it was in the early 2000s. Over the past decade, the language has grown into an incredibly capable tool that web developers now use to build complex animations with little to no JavaScript.

One relatively recent addition to the language is CSS variables (also called custom properties), which store a value under a name such as --example so it can be reused later in the stylesheet, and which JavaScript can also read back from a page at runtime.

Willem de Groot, the founder of Dutch security firm Sanguine Security (SanSec), told ZDNet today that at least one web skimmer gang is using CSS variables.

Web skimmer gangs gain access to a store and then modify its CSS and JavaScript files with malicious code.

Inside the CSS code they add a CSS variable that stores the URL of the web skimmer script they want to load inside the hacked store. Innocuous-looking JavaScript planted in another part of the store reads this CSS variable and uses it to fetch the skimmer.

[Image: The CSS variable in the CSS file. Credit: SanSec]

[Image: The JavaScript code invoking the CSS variable. Credit: SanSec]

Web security tools usually scan only JavaScript code and not CSS. Furthermore, they typically inspect a static copy of the JavaScript without actually executing it.

This is done to avoid creating empty shopping carts on online stores and polluting a shop's analytics platform. The result is that a skimmer URL hidden inside a CSS variable would go undetected on most platforms, even those behind fairly decent web application firewalls and web security scanners.
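The mechanism described above (a CSS variable carrying the skimmer location, read back by a loader script) and the scanning gap just discussed, as one added example in JavaScript. This is not SanSec's code and nothing here is recovered from the actual attack: the stylesheet is constructed, the hostname is a placeholder, and the variable names are invented. The browser-side read is simulated, because Node has no `getComputedStyle`; the comment shows the real DOM call. The scanner half is the check a static tool would need to add in order to look at CSS at all: pull out every custom property and flag values that resolve to a remote origin or a script path.

```javascript
// Added example (not SanSec's code): static check for CSS custom properties that
// carry a URL or script path, plus a stand-in for the browser-side read that a
// loader script would perform.

// Constructed sample stylesheet: three ordinary variables and one that smuggles a
// remote script location. The hostname is a placeholder, not a real indicator.
const SAMPLE_CSS = `
/* --old-src: "//left.over.invalid/x.js"; (commented out, must be ignored) */
:root {
  --brand-color: #1a73e8;
  --gutter: 12px;
  --bg-image: url("/static/img/hero.png");
  --s-src: "//cdn.example.invalid/assets/loader.js";
}
.btn { background: var(--brand-color); padding: var(--gutter); }
`;

// Extract every custom property declaration (--name: value;) from a stylesheet.
// Returns a Map of name -> value with surrounding quotes stripped.
function extractCustomProperties(css) {
  const props = new Map();
  // Drop comments first so commented-out declarations are not matched.
  const stripped = css.replace(/\/\*[\s\S]*?\*\//g, '');
  // A declaration is "--name", a colon, then anything up to the next semicolon.
  // var(--name) references never have a colon after the name, so they are skipped.
  const re = /(--[\w-]+)\s*:\s*([^;{}]+)\s*;/g;
  let m;
  while ((m = re.exec(stripped)) !== null) {
    props.set(m[1], m[2].trim().replace(/^["']|["']$/g, ''));
  }
  return props;
}

// Heuristic: a value is suspicious if it points at a remote origin (absolute
// http(s) URL or protocol-relative //host/...) or names a .js resource.
function isRemoteReference(value) {
  const inner = value
    .replace(/^url\((.*)\)$/i, '$1')   // unwrap url(...)
    .replace(/^["']|["']$/g, '');       // strip quotes again after unwrapping
  return /^(https?:)?\/\/[^/\s]+/i.test(inner) || /\.js(\?|$)/i.test(inner);
}

// Run the heuristic over every custom property and report the hits.
function flagSuspiciousProperties(css) {
  const findings = [];
  for (const [name, value] of extractCustomProperties(css)) {
    if (isRemoteReference(value)) findings.push({ name, value });
  }
  return findings;
}

// What the loader does in the browser is, in effect:
//   getComputedStyle(document.documentElement).getPropertyValue('--s-src')
// Node has no DOM, so this stand-in reads the same map the scanner built.
function readPropertyLikeBrowser(css, name) {
  const v = extractCustomProperties(css).get(name);
  return v === undefined ? '' : v;
}

console.log('suspicious custom properties:', flagSuspiciousProperties(SAMPLE_CSS));
console.log('loader would fetch:', readPropertyLikeBrowser(SAMPLE_CSS, '--s-src'));
```

The heuristic is deliberately broad: legitimate stylesheets do sometimes keep CDN image URLs in variables, so hits are review items, not verdicts. What matters for the point the article makes is that a tool which never parses CSS at all cannot even produce the review item.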

"It was [...] a fairly standard keystroke logger," de Groot told ZDNet when we asked him to describe the web skimmer code he found today.

"It seems to have been taken offline in the last hour, since our tweet," he added.

"We found a handful of victim stores with this injection method," the SanSec founder also told ZDNet.

"However, the infrastructure has been in place since September and was previously used for several dozen more traditional attacks. This CSS disguise looks like a recent experiment."

Most skimmers are invisible

But while this technique of loading skimmer code by using CSS rules as proxies is certainly innovative, de Groot says that this is not what shop owners and online shoppers should be worried about.

"While most research concerns JavaScript skimming attacks, the majority of skimming happens on the server, where it is completely invisible," de Groot said.

"About 65% of our forensic investigations this year found a server side skimmer that was hidden in the database, PHP code or a Linux system process."

As ZDNet explained in a piece on Monday about another of SanSec's findings, the simplest way shoppers can protect themselves from web skimmer attacks is to use virtual cards designed for one-time payments.

Provided by some banks or online payment services, they allow shoppers to place a fixed sum of money on a virtual debit card that expires after one transaction or a short period of time. If attackers steal the card's details, the data is useless once the virtual card expires.