
Hackers hide a web skimmer in a website’s CSS files

Over the past two years, cybercrime groups have used an assortment of tricks to hide credit card theft code (also known as web skimmers or Magecart scripts) in various places in an online store in an attempt to avoid detection.

Places where web skimmers have been found in the past include inside images, such as those used for site logos, favicons, and social media networks; added to popular JavaScript libraries such as jQuery, Modernizr and Google Tag Manager; or hidden inside site widgets like live chat windows.

The latest of these odd places is, believe it or not, CSS files.

CSS stands for Cascading Style Sheets. CSS files are used in browsers to load rules for styling elements of a web page using the CSS language.

These files typically contain code describing the colors of different page elements, text size, padding between different elements, font settings, and more.

Web skimmer gang experiments with CSS

However, CSS isn’t what it was in the early 2000s. Over the past decade, CSS has evolved into an incredibly powerful utility that web developers now use to create powerful animations with little or no JavaScript.

One of the recent additions to the CSS language is CSS variables, which store content that can be reused and invoked later.

Willem de Groot, the founder of the Dutch security company Sanguine Security (SanSec), told ZDNet today that at least one web skimmer group uses CSS variables.

Web skimmer gangs gain access to a store and then modify its CSS and JavaScript files with malicious code.

Inside the CSS code, they add a CSS variable that stores the URL of the web skimmer code they want to load in a hacked store. This CSS variable is invoked from harmless-looking JavaScript planted in another part of the store.

[Image: The CSS variable in the CSS file. Credit: SanSec]

[Image: The JavaScript code invoking the CSS variable. Credit: SanSec]

Web security tools typically only scan JavaScript code, not CSS. Moreover, they only analyze a static version of the JavaScript code, without actually executing it.

This is done to avoid creating empty baskets on online stores and polluting a store’s analytics platform. This means that the malicious code hidden in the CSS variable would not have been detected on most platforms, even if they were using fairly decent web application firewalls and web security scanners.
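A static check for the pattern described above, written here as an added example (it is not SanSec's tooling or code from the incident): it scans CSS for variables whose value holds a URL and reports the ones that a script reads by name. The file names, variable names and URL are constructed, and the helper names `urlBearingProps` and `findCssLoadedUrls` are hypothetical.

```javascript
// Added example: all file contents below are constructed samples.
// A custom property declaration (--name: value), not part of a longer identifier.
const CUSTOM_PROP = /(?<![A-Za-z0-9_-])(--[A-Za-z0-9_-]+)\s*:\s*([^;}]+)/g;
// A value that points off-page: http(s):// or a protocol-relative //host/path.
const URL_LIKE = /(?:https?:)?\/\/[^\s'")]+/i;
// JavaScript reading a custom property by its literal name.
const JS_READ = /getPropertyValue\(\s*['"`](--[A-Za-z0-9_-]+)['"`]\s*\)/g;

// Return Map(name -> value) of custom properties whose value contains a URL.
function urlBearingProps(css) {
  const live = css.replace(/\/\*[\s\S]*?\*\//g, ''); // ignore commented-out rules
  const hits = new Map();
  for (const [, name, value] of live.matchAll(CUSTOM_PROP)) {
    if (URL_LIKE.test(value)) hits.set(name, value.trim());
  }
  return hits;
}

// Cross-reference: report each URL-bearing property that some script reads.
function findCssLoadedUrls(cssFiles, jsFiles) {
  const props = new Map();
  for (const [file, css] of Object.entries(cssFiles)) {
    for (const [name, value] of urlBearingProps(css)) props.set(name, { file, value });
  }
  const findings = [];
  for (const [file, js] of Object.entries(jsFiles)) {
    for (const [, name] of js.matchAll(JS_READ)) {
      const p = props.get(name);
      if (p) findings.push({ property: name, value: p.value, cssFile: p.file, jsFile: file });
    }
  }
  return findings;
}

// Constructed store assets: one colour variable, one variable holding a URL.
const sampleCss = {
  'theme.css': `:root { --brand: #336699; /* --old: 'http://old.example.invalid' */
    --gap: 4px; --track-src: '//cdn.example.invalid/t.js'; }`,
};
const sampleJs = {
  'menu.js': `var s = getComputedStyle(document.documentElement);
    var c = s.getPropertyValue('--brand'); var u = s.getPropertyValue('--track-src');`,
};

console.log(findCssLoadedUrls(sampleCss, sampleJs));
```

The check matches only literal property names in `getPropertyValue` calls, so a URL found in a CSS variable with no matching reader still deserves a manual look.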

“It was […] a pretty standard keylogger,” de Groot told ZDNet when we asked him to describe the web skimmer code he found today.

“It appears to have been taken offline in the last hour since our tweet,” he added.

“We found a handful of stores that were victims of this injection method,” the SanSec founder also told ZDNet.

“However, the infrastructure has been in place since September and has already been used for several dozen more traditional attacks. This CSS disguise looks like a recent experiment.”

Most skimmers are invisible

But while this technique of loading skimmer code using CSS rules as proxies is certainly innovative, de Groot says it’s not what store owners and online shoppers should worry about.

“While most of the research relates to JavaScript skimming attacks, the majority of skimming happens on the server, where it’s completely invisible,” de Groot said.

“About 65% of our forensic investigations this year found a server-side skimmer that was hidden in the database, PHP code, or a Linux system process.”

As ZDNet explained in an article on Monday about another of SanSec’s findings, the easiest way for shoppers to protect themselves against web skimmer attacks is to use virtual cards designed for one-time payments.

Provided by some banks or online payment services, they allow shoppers to put a fixed amount of money into a virtual debit card that expires after a transaction or a short period of time. If the card details are stolen by attackers, the card data is useless once the virtual card expires.