Attackers are looking for credit card numbers on Microsoft IIS servers running an older and vulnerable version of ASP.NET, says Malwarebytes.

Credit card phishing
Image: iStockphoto/weerapatkiatdumrong

Online credit card skimming is a common attack method whereby cybercriminals hack into websites and servers to scan for credit card numbers used in e-commerce transactions. In targeting e-commerce sites, attackers typically hit LAMP (Linux, Apache, MySQL, and PHP) environments due mostly to their ubiquity and popularity. However, a new card skimming campaign analyzed by the security firm Malwarebytes is aimed at sites running Microsoft’s Internet Information Services (IIS) and ASP.NET.

Most of the card skimming activities observed by Malwarebytes have been against e-commerce content management systems (CMS) such as Adobe Magento and plugins such as WooCommerce, the company said in a blog post published Monday.

Further, such attacks often are directed against the open-source LAMP platforms, which are favored by many individuals and organizations. But this attack, which surfaced in mid-April, is aimed at the more unusual target of ASP.NET-based sites running Microsoft IIS.

The attack has already compromised at least a dozen websites, including sports organizations, health and community associations, and even a credit union. The attackers gain the necessary access to scan for credit card numbers by directly or remotely injecting malicious code into existing JavaScript libraries. The skimmer is designed to look not just for credit card numbers but for passwords, though the password functionality in the source code didn’t appear to be working correctly, according to Malwarebytes.

A snapshot of victim sites with compromised JavaScript libraries. Image: Malwarebytes

Though ASP.NET isn’t as popular a web server environment as PHP, it’s still prevalent among many websites that run a shopping cart feature. All of the compromised sites had a shopping portal set up, which is why they were hit by the attackers.

« Attackers do not need to limit themselves to the most popular e-commerce platforms, » Malwarebytes said in its blog post. « In fact, any website or technology is fair game, as long as it can be subverted without too much effort. In some cases, we notice ‘accidental’ compromises, where some sites get hacked and injected even though they weren’t really the intended victims. »

Another common thread of the compromised sites is that they were all running ASP.NET 4.0.30319, a version no longer supported by Microsoft and one that’s beset with multiple vulnerabilities. Some of the affected sites have since resolved the compromise. Malwarebytes said that it contacted the remaining sites to alert them to the breach with the hope that they would secure their environment.

« Digital skimming is a growing threat which no longer only targets a specific type of e-commerce software, » said Jerome Segura, director of threat intelligence for Malwarebytes Labs. « As a result, it is important for organizations to go beyond PCI compliance and harden their infrastructure. Regular reviews of server logs can also provide a wealth of information about the types of attacks a company is under and how to best respond to them. »

What should you do if your organization may have been compromised by this attack or is still running an unsupported version of ASP.NET?

« Affected organizations should start the remediation process by identifying their assets, making full backups (if they haven’t), and then proceeding to remove any malware artifacts, » Segura said. « As far as updating the software, this can be a more delicate process and where a web application firewall may be useful to help them buy some time to plan for the upgrade process. »

Microsoft also offers several guides on how to upgrade different versions of ASP.NET at its .NET Framework documentation page.