Welcome to the VB2021 conference!

Hunting web skimmers with VirusTotal and YARA

Jérôme Segura (Malwarebytes)
Does shopping online sometimes feel like playing Russian roulette? During the past few years, the web threat landscape has seen an increase in JavaScript-based credit card skimmers, also known under the name Magecart. These code snippets can steal your payment information and other personal details in the blink of an eye.

To keep up with this threat we can deploy various tools such as web crawlers that mimic a user browsing to an online store in order to collect any malicious code loaded during the process.

In this presentation we introduce an additional technique that is less infrastructure-heavy, since it relies on a combination of VirusTotal and YARA rules. Using the VirusTotal hunting API and a script that the author will share on GitHub, we can automate the extraction of new online shops that have been compromised, as well as the gates used by criminals for data exfiltration.

This talk will provide those interested in web skimming with the tools and rules they need to start hunting down and reporting on new attacks.
Jérôme Segura
Malwarebytes

Jérôme is Director of Threat Intelligence at Malwarebytes, where he manages an entirely remote team. He has spent over a decade analysing exploit kits, malvertising and other web threats. He has participated in takedowns and helped law enforcement prosecute scammers. Jérôme enjoys taking technical topics and sharing them in a straightforward way via blogs.