Year-Long Web Skimming Campaign Called “Silent Skimmer” Targets Online Payment Businesses

For over a year, a financially motivated campaign has been directing its web skimming efforts at online payment businesses in Asia Pacific, North America, and Latin America.

The BlackBerry Research and Intelligence Team, tracking this campaign known as Silent Skimmer, attributes it to an actor proficient in the Chinese language. Prominent victims of this campaign include online businesses and point-of-sale (PoS) service providers.

The Canadian cybersecurity firm explained that the campaign operators exploit vulnerabilities in web applications, especially those hosted on Internet Information Services (IIS). Their primary objective is to compromise the payment checkout page and siphon off sensitive payment data from website visitors.

Once they gain an initial foothold, threat actors employ various open-source tools and living-off-the-land (LotL) techniques for activities like privilege escalation, post-exploitation, and code execution.

This attack sequence ultimately leads to the deployment of a PowerShell-based remote access trojan (server.ps1), enabling remote control of the host. This host, in turn, connects to a remote server housing additional utilities, such as download scripts, reverse proxies, and Cobalt Strike beacons.

According to BlackBerry, the ultimate goal of this intrusion is to infiltrate the web server and insert a scraper into the payment checkout service using a web shell. This allows the attackers to stealthily capture financial information submitted by victims on the webpage.
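A defender-side check for the tampering described above, as an added example that is not from BlackBerry's report or the original article: it baselines a web root and reports a modified checkout page or a newly dropped server-side script. The file names, directory layout and extension list are constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed list of extensions that execute on IIS or carry script content.
EXECUTABLE_EXTS = {".aspx", ".ashx", ".asmx", ".asp", ".ps1", ".js"}


def snapshot(web_root):
    """Map each file's path (relative to web_root) to its SHA-256 digest."""
    root = Path(web_root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def diff_against_baseline(baseline, current):
    """Return modified files, newly added executable files, and removed files."""
    modified = sorted(f for f in baseline if f in current and baseline[f] != current[f])
    added = sorted(f for f in current if f not in baseline
                   and Path(f).suffix.lower() in EXECUTABLE_EXTS)
    removed = sorted(f for f in baseline if f not in current)
    return {"modified": modified, "added_executable": added, "removed": removed}


def demo():
    """Constructed web root: take a baseline, simulate drift, report it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "checkout").mkdir()
        (root / "checkout" / "pay.aspx").write_text("<form id='pay'></form>")
        (root / "site.css").write_text("body{}")
        baseline = snapshot(root)  # known-good state, stored off-host in practice
        # Constructed drift: checkout page altered, new handler appears.
        (root / "checkout" / "pay.aspx").write_text("<form id='pay'></form><!-- changed -->")
        (root / "uploads.ashx").write_text("placeholder")
        (root / "notes.txt").write_text("not executable")  # ignored by the added filter
        return diff_against_baseline(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

Keep the baseline outside the web server and compare on a schedule, so that a compromised host cannot rewrite its own reference hashes.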

An analysis of the adversary’s infrastructure reveals that they select virtual private servers (VPS) for command-and-control (C2) based on the geographic location of their victims in an attempt to avoid detection.

The campaign’s wide range of targeted industries and regions, along with the type of servers compromised, suggests an opportunistic rather than a deliberate approach.

In a related development, Sophos recently disclosed details of a scam involving fraudulent cryptocurrency investment schemes on dating apps like MeetMe, which has resulted in substantial illicit profits for the actors.

What distinguishes this latest operation is the use of liquidity mining lures, enticing users with the promise of regular income at high rates of return for investing in a liquidity pool, where virtual assets are parked to facilitate trades on decentralized exchanges.