Jscrambler has discovered a web skimming campaign that has been active for at least a year. The operation has compromised roughly 40 e-commerce sites, the security vendor states. The campaign is conducted by a group dubbed “Group X” that allegedly exfiltrated the stolen card data to a server in Russia. The hackers used a supply-chain technique to compromise the targeted sites. Jscrambler wrote that the cybercriminals exploited a JavaScript library named Cockpit, which offered a free web marketing and analytics service. According to the report, the service was discontinued several years ago, in December 2014.
Jscrambler stated that it is common for website owners to leave deprecated libraries like this on their sites. Dead links still stored in those libraries can then be compromised by threat actors, which the security vendor attributes to a lack of insight into third-party code: security teams often do not have sufficient visibility into the third-party code running on their sites, so they are unable to identify whether it has been compromised. In this case, the hackers acquired the domain name that was previously registered to, and hosted, the library and used it to serve a skimming script at the same URL. Re-registering the domain and reconfiguring it led to the compromise of the e-commerce websites.
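A defender-side check for the situation described above, added here as an example and not taken from Jscrambler's report: it inventories third-party `<script>` tags on a page and flags hosts that lack Subresource Integrity or whose domain was registered after the tag was deployed. The hostnames, dates and the `FIRST_SEEN`/`REGISTERED` lookups are constructed assumptions; real registration dates would come from WHOIS/RDAP for the registrable domain.

```python
from datetime import date
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page and lookup data (not from the report).
SAMPLE_HTML = """<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.payments.example/sdk.js" integrity="sha384-CONSTRUCTED"></script>
<script src="https://analytics.defunct-vendor.example/track.js"></script>
</head></html>"""
# Assumption: date each tag was first deployed, taken from the site's change history.
FIRST_SEEN = {"cdn.payments.example": date(2019, 3, 1),
              "analytics.defunct-vendor.example": date(2013, 6, 1)}
# Assumption: current domain creation dates, as WHOIS/RDAP would report them.
REGISTERED = {"cdn.payments.example": date(2010, 1, 15),
              "analytics.defunct-vendor.example": date(2021, 11, 20)}

class ScriptCollector(HTMLParser):
    """Collect (src, integrity) for every <script src=...> tag."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "script" and attr.get("src"):
            self.scripts.append((attr["src"], attr.get("integrity")))

def audit_scripts(html, site_host, first_seen, registered):
    """Return [(host, [reasons])] for third-party scripts that need review."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src, integrity in collector.scripts:
        host = urlparse(src).hostname
        if host is None or host == site_host:
            continue  # relative or first-party URL
        reasons = [] if integrity else ["no-sri"]
        reg, seen = registered.get(host), first_seen.get(host)
        if reg is None:
            reasons.append("domain-unknown")  # lapsed or never looked up
        elif seen is not None and reg > seen:
            reasons.append("reregistered-after-deploy")  # domain changed hands
        if reasons:
            findings.append((host, reasons))
    return findings

if __name__ == "__main__":
    for host, reasons in audit_scripts(SAMPLE_HTML, "shop.example", FIRST_SEEN, REGISTERED):
        print(host, ", ".join(reasons))
```

A tag pinned with an `integrity` hash would have been blocked by the browser once the content at that URL changed, which is why the missing attribute is reported alongside the registration-date mismatch.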
Read More: Supply Chain Web Skimming Attacks Hit Dozens of Sites