More than half of attacks last year leveraged fileless or “malware-free” techniques, as hackers turn to stolen credentials in their efforts to breach corporate networks. The telecommunications industry also saw increased attacks from threat actors such as those from China and North Korea, which targeted the sector for its intellectual property and competitive intelligence.  Malware-free […] More

Over the past two years, cybercrime groups have used quite an assortment of tricks to hide credit card stealing code (also known as web skimmers or Magecart scripts) inside various locations of an online store for the purpose of avoiding getting detected.
Places where web skimmers have been found in the past include inside images such as those used for site logos, favicons, and social media networks; appended to popular JavaScript libraries like jQuery, Modernizr, and Google Tag Manager; or hidden inside site widgets like live chat windows.
The latest of these odd places is, believe it or not, CSS files.
Standing for cascading style sheets, CSS files are used inside browsers to load rules for stylizing a web page’s elements with the help of the CSS language.
These files usually contain code describing the colors of various page elements, the size of the text, padding between various elements, font settings, and more.
Web skimmer gang experiments with CSS
However, CSS is not what it was in the early 2000s. Over the past decade, the CSS language has grown into an incredibly powerful utility that web developers are now using to create powerful animations with little to no JavaScript.
One of the recent additions to the CSS language was a feature that would allow it to load and run JavaScript code from within a CSS rule.

Willem de Groot, the founder of Dutch security firm Sanguine Security (SanSec), told ZDNet today that this CSS feature is now being abused by web skimmer gangs.

Image: SanSec
De Groot says that at least one group is using malicious code added inside CSS files to load skimmers on online stores that record payment card data when users are completing checkout forms.
“It was […] a fairly standard keystroke logger,” de Groot told ZDNet when we asked him to describe the code he found today.
“It seems to have been taken offline in the last hour, since our tweet,” he added.

“We found a handful of victim stores with this injection method,” the SanSec founder also told ZDNet.
“However, the infrastructure has been in place since September and was previously used for several dozen more traditional attacks. This CSS disguise looks like a recent experiment.”
Most skimmers are invisible
But while this technique of loading skimmer code by using CSS rules as proxies is certainly innovative, de Groot says that this is not what shop owners and online shoppers should be worried about.
“While most research concerns JavaScript skimming attacks, the majority of skimming happens on the server, where it is completely invisible,” de Groot said.
“About 65% of our forensic investigations this year found a server side skimmer that was hidden in the database, PHP code or a Linux system process.”
As ZDNet explained in a piece on Monday about another of SanSec’s findings, the simplest way shoppers can protect themselves from web skimmer attacks is to use virtual cards designed for one-time payments.
Provided by some banks or online payment services, they allow shoppers to place a fixed sum of money inside a virtual debit card that expires after one transaction or a small period of time. In case the card’s details get stolen by attackers, the card data is useless once the virtual card expires. More

The UK’s National Crime Agency (NCA) has publicly said it has nothing to do with a misleading poster designed to put fear into the hearts of parents and urge them to call the police if their children are using Kali Linux. The poster, made public by Twitter user @G_IW, has reportedly been distributed by local […] More

Image via Ant Rozetsky EVRAZ, one of the world’s largest steel manufacturers and mining operations, has been hit by ransomware, a source inside the company told ZDNet today. The infection has been identified as a result of the Ryuk ransomware strain. The ransomware infection has hit and brought down the company’s North American branches. These […] More

The US Federal Communications Commission (FCC) announced today new rules mandating that all US telecommunication providers implement caller ID authentication systems using a technical standard known as STIR/SHAKEN. The move must be completed by June 30, 2021, the FCC said in a press release. The STIR/SHAKEN protocol is considered today’s best defense against robocalls, an […] More