India’s cyber-security agency, the Computer Emergency Response Team (CERT-In), has issued an alert against credit card skimming frauds on e-commerce sites.

“It has been reported that credit card skimming through various e-commerce sites are spreading worldwide. Attackers are typically targeting e-commerce sites because of their wide presence, popularity and the environment LAMP (Linux, Apache, MySQL, and PHP),” the cyber-security agency said in an official post.

In this cyber-attack, attackers remotely inject malicious code into one of their legitimate JavaScript libraries or “inject full skimming code directly into the compromised JavaScript library.”

The code is designed to obtain users’ credit card numbers as well as passwords.

Attackers are now targeting websites which are hosted on Microsoft’s IIS server running with the ASP.NET web application framework, as per the release.

Websites hosted on ASP.NET version 4.0.30319 are likely to be the most vulnerable to such attacks as the version is no longer officially supported by Microsoft. This means that newer security patches for known/unknown vulnerabilities may not be available.

According to CERT-In, sports organisations, health, and e-commerce websites, among others, are affected by this attack.

The cyber-security agency advises users to use the latest version of the ASP.NET framework and to apply new security patches, when available, to prevent such attacks.

Users are also advised to restrict or deny all access except those that are absolutely necessary. They must also conduct regular security checks of the web application, web server, and database server, and after every major configuration, change and plug the vulnerabilities, if any found.

Related Topics
comment COMMENT NOW