[BreachExchange] Hackers use e-skimmer that exfiltrates payment data via Telegram

Destry Winant destry at riskbasedsecurity.com
Fri Sep 4 10:07:17 EDT 2020


https://securityaffairs.co/wordpress/107819/malware/e-skimmer-leverages-telegram.html

Researchers observed a new tactic adopted by Magecart groups: the
hackers use Telegram to exfiltrate stolen payment details from
compromised websites.

Researchers from Malwarebytes reported that Magecart groups are using
the encrypted messaging service Telegram to exfiltrate stolen payment
details from compromised websites.

Attackers encrypt payment data to make identification more difficult
before transferring it via Telegram’s API into a chat channel.

“For threat actors, this data exfiltration mechanism is efficient and
doesn’t require them to keep up infrastructure that could be taken
down or blocked by defenders,” explained Jérôme Segura of
Malwarebytes. “They can even receive a notification in real time for
each new victim, helping them quickly monetize the stolen cards in
underground markets.”

The new technique was first publicly documented by the security
researcher @AffableKraut who spotted a credit card skimmer using
Telegram to exfiltrate the data. The experts used data shared by
security firm Sansec.

Threat actors deploy the e-skimmers on shopping websites by exploiting
known vulnerabilities or using stolen credentials.

The software skimmer looks for fields of interest, such as billing,
payment, credit card number, expiration, and CVV. The skimmer also
checks for the usual web debuggers to hinder analysis by security
researchers.

The use of Telegram represents the novelty of the Magecart attacks
analyzed by Malwarebytes.

“The fraudulent data exchange is conducted via Telegram’s API, which
posts payment details into a chat channel,” continues Segura. “That
data was previously encrypted to make identification more difficult.”

The attackers use Telegram to avoid setting up a dedicated C2
infrastructure to collect the stolen payment details from the infected
sites; this choice makes the malicious traffic harder to detect within
compromised organizations.

Another advantage is the ability to receive a real-time notification
for each new victim, which lets threat actors quickly monetize the
stolen cards in the cybercrime ecosystem.

“For threat actors, this data exfiltration mechanism is efficient and
doesn’t require them to keep up infrastructure that could be taken
down or blocked by defenders,” concluded the post.

“Defending against this variant of a skimming attack is a little more
tricky since it relies on a legitimate communication service. One
could obviously block all connections to Telegram at the network
level, but attackers could easily switch to another provider or
platform (as they have done before) and still get away with it.”
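As an added illustration of the defensive side (not code from the article or from Malwarebytes), the following script scans constructed web-proxy log lines for browser requests that originate from the store's own pages and go to Telegram's Bot API, the pattern described above. The log format, the hostnames and the bot-token placeholder are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log (not from the article):
# timestamp, client IP, method, requested URL, Referer header.
# The second line mimics the skimmer behaviour described above: a browser on
# the shop's checkout page posting to Telegram's Bot API.
SAMPLE_LOG = """\
2020-09-04T10:01:12Z 10.0.0.5 GET https://shop.example/checkout/ -
2020-09-04T10:01:14Z 10.0.0.5 POST https://api.telegram.org/botPLACEHOLDER_TOKEN/sendMessage https://shop.example/
2020-09-04T10:01:15Z 10.0.0.5 POST https://shop.example/api/payment https://shop.example/checkout/
2020-09-04T10:02:40Z 10.0.0.9 GET https://api.telegram.org/botPLACEHOLDER_TOKEN/getMe -
"""

# Messaging APIs a storefront has no reason to call from the browser.
# Extend this set when attackers move to another provider, as the
# article warns they may; the detection logic itself stays the same.
MESSAGING_API_HOSTS = {"api.telegram.org"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def find_storefront_exfil(log_text, first_party_host):
    """Return alerts for requests referred by first_party_host to a messaging API.

    Matching is on the Referer host only: modern referrer policies strip the
    path on cross-origin requests, so a '/checkout' path cannot be relied on.
    """
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, client, method, url, referer = m.groups()
        dest_host = urlparse(url).hostname
        if dest_host not in MESSAGING_API_HOSTS:
            continue
        ref_host = urlparse(referer).hostname if referer != "-" else None
        # A Telegram call with no first-party Referer (last sample line) is a
        # weaker signal and is left for other controls; a call referred by the
        # shop itself is the skimmer pattern and is alerted on.
        if ref_host == first_party_host:
            alerts.append({"time": ts, "client": client, "method": method,
                           "dest": dest_host, "referer": referer})
    return alerts


if __name__ == "__main__":
    for alert in find_storefront_exfil(SAMPLE_LOG, "shop.example"):
        print("possible skimmer exfiltration:", alert)
```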

