Cybercrime , Cybercrime as-a-service , Fraud Management & Cybercrime

Payment Card Skimming Group Deployed Raccoon Infostealer

Researchers: Fraudsters Hit E-Commerce Sites For Payment Credential Theft
Payment Card Skimming Group Deployed Raccoon Infostealer
Timeline of "FakeSecurity" attacks starting in February of this year (Source: Group-IB)

A JavaScript card skimmer group dubbed "FakeSecurity" recently deployed the Raccoon information stealer malware in order to target e-commerce sites to steal payment card details from victims, according to security firm Group-IB.

See Also: OnDemand | Combatting Rogue URL Tricks: How You Can Quickly Identify and Investigate the Latest Phishing Attacks

The e-commerce websites were targeted by the fraudsters between February and September in four separate campaigns, which delivered the Raccoon infostealer using several tactics, the report notes. The attacks, however, mainly relied on phishing emails with malicious documents to spread the malware.

In addition to Raccoon, the report notes, attackers also used another infostealer malware variant called Vidar along with the Ave Maria remote access Trojan, or RAT, to infect the victims.

"Raccoon Stealer collects system information, account data, bank card data and autofill form details from browsers and valid crypto wallets," Group-IB researcher Nikita Rostovcev notes in the report released Monday. "Group-IB experts concluded that the purpose of the campaign in question was to steal payment and user data."

It is unclear how many victims were targeted using these tactics. In the one campaign during September, the fraudsters targeted more than 20 online sites with malware, according to the report.

FakeSecurity Campaign

FakeSecurity is a type of JavaScript sniffer first discovered by Group-IB in 2018 after the malware was used to skim credit card and other customer data from websites running Adobe's Magento e-commerce platform, according to the report.

In the latest campaign tied to FakeSecurity, the fraudsters deployed the Vidar password stealer in the first two waves of the attack but, the Group-IB researchers note, the attackers switched to the Raccoon stealer and the Ave Maria RAT for the second wave, which ran from July to September.

The malware was delivered through phishing pages created using Mephistopheles phishing kit - an online platform used by cybercriminals to buy fake web page templates for delivering payloads. The attackers also delivered the malware as malicious Microsoft Excel documents. If enabled, these malicious documents installed the malware on the victims' devices, according to the report.

In one of the attacks using Mephistopheles kit, the hackers spread the payload as an Adobe Reader plug-in update on a phishing page that they created, the report notes.

"The documents-cloud-server[.]co.za domain contains a web fake imitating an Adobe Reader plugin update page," Rostovcev notes in the report. "To continue viewing the document, the user is asked to download a plugin. By clicking on 'Download plugin,' the user activates a malware download."

In addition to malicious documents and phishing kit, the report notes the attackers also used the instant messaging platform Telegram to deliver Raccoon, as it helped the attackers encrypt the IP addresses connecting to the malware's command-and-control servers, thus helping them to bypass blocking of its servers.

Raccoon Activities

Raccoon is a custom malware that was first spotted for sale in Russian underground forums in April 2019. It can be rented for $75 per week or $200 per month, according to the report.

In February, a report by security firm CyberArk found that Raccoon has added new capabilities, giving it the ability to steal data from more than 60 applications (see: 'Raccoon' Infostealer Now Targeting 60 Apps: Report ).

Another report, by security firm Cybereason, noted that Raccoon also allows cybercriminals to exfiltrate data from a wide range of cryptocurrency wallets, including electrum, ethereum, exodus and jaxx. And the infostealer can now target various email clients, such as Thunderbird, Outlook and Foxmail.


About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.