Over the past two years, cybercrime groups have used quite an assortment of tricks to hide credit card stealing code (also known as web skimmers or Magecart scripts) inside various locations of an online store for the purpose of avoiding getting detected.
The latest of these odd places is, believe it or not, CSS files.
Standing for cascading style sheets, CSS files are used inside browsers to load rules for stylizing a web page’s elements with the help of the CSS language.
These files usually contain code describing the colors of various page elements, the size of the text, padding between various elements, font settings, and more.
Web skimmer gang experiments with CSS
De Groot says that at least one group is using malicious code added inside CSS files to load skimmers on online stores that record payment card data when users are completing checkout forms.
“It was […] a fairly standard keystroke logger,” de Groot told ZDNet when we asked him to describe the code he found today.
“It seems to have been taken offline in the last hour, since our tweet,” he added.
“We found a handful of victim stores with this injection method,” the SanSec founder also told ZDNet.
“However, the infrastructure has been in place since September and was previously used for several dozen more traditional attacks. This CSS disguise looks like a recent experiment.”
Most skimmers are invisible
But while this technique of loading skimmer code by using CSS rules as proxies is certainly innovative, de Groot says that this is not what shop owners and online shoppers should be worried about.
“About 65% of our forensic investigations this year found a server side skimmer that was hidden in the database, PHP code or a Linux system process.”
As ZDNet explained in a piece on Monday about another of SanSec’s findings, the simplest way shoppers can protect themselves from web skimmer attacks is to use virtual cards designed for one-time payments.
Provided by some banks or online payment services, they allow shoppers to place a fixed sum of money inside a virtual debit card that expires after one transaction or a small period of time. In case the card’s details get stolen by attackers, the card data is useless once the virtual card expires.