Payment card skimmers have hit four online merchants with help from Heroku, a cloud provider owned by Salesforce, a researcher has found.
Heroku is a cloud platform designed to make things easier for users to build, maintain, and deliver online services. It turns out that the service also makes things easier for crooks to run skimmers that target third-party sites. On Wednesday, Jérôme Segura, director of threat intelligence at security provider Malwarebytes, said he found a rash of skimmers hosted on Heroku. The hackers behind the scheme not only used the service to host their skimmer infrastructure and deliver it to targeted sites. They also used Heroku to store stolen credit-card data. Heroku administrators suspended the accounts and removed the skimmers within an hour of being notified, Segura told Ars. This is not the first time cloud services have been abused by payment card skimmers. In April, Malwarebytes documented similar abuse on Github. Two months later, the security provider reported skimmers hosted on Amazon S3 buckets. Abusing a cloud provider makes good sense from a crook's point of view. It's often free, saves the hassle of registering look-alike domain names, and delivers top-notch availability and bandwidth.
Why host skimmers yourself when you can abuse a service to do it for free?
We will likely continue to observe web skimmers abusing more cloud services as they are a cheap (even free) commodity they can discard when finished using it. From a detection standpoint, skimmers hosted on cloud providers may cause some issues with false positives. For example, one cannot blacklist a domain used by thousands of other legitimate users.
Cybercriminals are abusing platform-as-a-service (PaaS) cloud provider Heroku to build web skimming apps and steal customer data.