Researcher Exposes WebSockets’ Role in Credit Card Skimming

In the digital age, the art of thievery has evolved beyond the physical realm, as cybercriminals continually refine their tactics. A striking example of this evolution is the use of WebSockets in credit card skimming attacks, a method that is both sophisticated and alarmingly effective. Security researcher Ben Martin described this in a detailed blog.

Traditionally, credit card skimming involved physical devices attached to ATMs or point-of-sale systems. However, with the advent of online shopping, cybercriminals have shifted their focus to e-commerce websites. The utilization of WebSockets – a technology designed to facilitate real-time communication between web servers and clients – marks a significant escalation in these cyberattacks.

WebSockets offer a distinct advantage to attackers: they enable the establishment of a persistent, two-way communication channel between the client and server. This capability, initially intended for efficient data transfer in applications like online gaming or financial trading, has been co-opted by hackers for malicious purposes.

Example of skimmer inserting fake “Complete Order” button on checkout page. | Image: Sucuri

The process typically begins with the infiltration of an e-commerce website. Cybercriminals inject malicious JavaScript code into the website, which then overlays a fake “Complete Order” button on the legitimate checkout page. Unsuspecting customers who click on this button inadvertently hand over their credit card details to the attackers.

This skimming attack is particularly insidious because it uses the wss:// (WebSocket Secure) protocol. Unlike traditional HTTP/HTTPS traffic, WebSocket traffic is more challenging to monitor and analyze, making the malicious activities harder to detect.

A recent example involved a client who discovered that the checkout page of their e-commerce store had been tampered with, resulting in customer payment details being intercepted. The malicious code responsible for this was traced back to a secure WebSocket connection, indicating the sophisticated nature of the attack.

Analyzing WebSocket traffic requires advanced tools and expertise, adding an extra layer of complexity for security professionals. The attackers often use various obfuscation techniques to hide their activities further, making it even more challenging to trace the source and nature of the attack.

E-commerce website administrators must remain vigilant, especially during high-traffic periods like the holiday season. Simple compromises, such as a breached admin password, can lead to these skimming attacks. A defense-in-depth strategy is crucial, involving multiple layers of security measures to keep attackers at bay.

It’s also essential for website administrators to stay updated on the latest security practices, including hardening their WordPress administrator panels and regularly monitoring their sites for any signs of compromise.

The use of WebSockets in credit card skimming represents a dangerous advancement in cybercrime. While it offers a higher level of stealth and efficiency for attackers, it also poses significant challenges for detection and prevention.