Caramel credit card theft service is gaining popularity

A credit card theft service is growing in popularity, giving any unskilled malicious actor an easy, automated way to get started in the world of financial fraud.

Credit card skimmers are malicious scripts injected into hacked e-commerce websites, where they quietly wait for customers to make a purchase.

Once the purchase is made, these malicious scripts steal the credit card details and send them back to remote servers to be collected by hackers.

Threat actors then use these cards to make their own online purchases or sell credit card details on dark web markets to other threat actors for as little as a few dollars.

The Caramel skimmer as a service

The new service was discovered by DomainTools, which states that the platform is operated by a Russian cybercrime organization named “CaramelCorp”.

This service provides subscribers with a skimmer script, deployment instructions, and a campaign management panel, which is all a malicious actor needs to launch their own credit card theft campaign.

The Caramel service only sells to Russian-speaking hackers, using an initial verification process that excludes those who use machine translation or who are inexperienced in this area.

A lifetime subscription costs $2,000, which isn’t cheap for budding cybercriminals, but promises Russian-speaking hackers full customer support, code upgrades, and ever-changing anti-detection measures.

Caramel skimmer deployed at a Nigerian site (DomainTools)

Vendors claim without verification that Caramel can bypass protection services from Cloudflare, Akamai, Incapsula and others.

Buyers receive a “quick start” guide to JavaScript methods that work particularly well in specific CMSs (content management systems).

Because credit card skimming scripts are written in JavaScript, Caramel offers subscribers a variety of obfuscation techniques to prevent them from being easily detected.

The Caramel JS Obfuscator Tool (DomainTools)

The collection of credit card data is done through the “setInterval()” method, which exfiltrates data at fixed intervals. Although it does not appear to be an effective method, it can help steal details of even abandoned carts and incomplete purchases.
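For defenders, the timer-driven sending described above can be watched for at runtime. The following JavaScript is an added example, not code from the article, DomainTools or the Caramel kit: it wraps setInterval, fetch and navigator.sendBeacon and reports any request that an interval callback sends to an origin outside an allowlist. The function name installTimerEgressMonitor, the allowlist and the finding format are assumptions.

```javascript
// Added defensive example: report requests that a setInterval callback sends
// to an origin not on the store's allowlist. All names here are hypothetical.
function installTimerEgressMonitor(scope, allowedOrigins, onFinding) {
  const allowed = new Set(allowedOrigins);
  const base = scope.location.origin; // used to resolve relative URLs
  let activeTimer = null; // non-null only while an interval callback is running

  const check = (sink, target) => {
    if (activeTimer === null) return; // request was not made from a timer
    let origin;
    try { origin = new URL(String(target), base).origin; } catch (e) { origin = 'unparseable'; }
    if (!allowed.has(origin)) {
      onFinding({ sink, origin, delayMs: activeTimer.delayMs });
    }
  };

  const origSetInterval = scope.setInterval;
  scope.setInterval = function (callback, delayMs, ...args) {
    if (typeof callback !== 'function') { // string form: pass through untouched
      return origSetInterval.call(scope, callback, delayMs, ...args);
    }
    const timer = { delayMs };
    const wrapped = function (...cbArgs) {
      const previous = activeTimer;
      activeTimer = timer;
      try {
        return callback.apply(this, cbArgs);
      } finally {
        activeTimer = previous; // covers synchronous sends only
      }
    };
    return origSetInterval.call(scope, wrapped, delayMs, ...args);
  };

  const origFetch = scope.fetch;
  scope.fetch = function (resource, init) {
    check('fetch', resource && resource.url ? resource.url : resource);
    return origFetch.call(scope, resource, init);
  };

  const nav = scope.navigator;
  if (nav && typeof nav.sendBeacon === 'function') {
    const origBeacon = nav.sendBeacon;
    nav.sendBeacon = function (url, data) {
      check('sendBeacon', url);
      return origBeacon.call(nav, url, data);
    };
  }
}
```

The monitor attributes only requests issued synchronously inside the callback and does not cover other channels such as XHR or image requests, so a finding is a lead to investigate rather than a verdict.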

Finally, the administration of the campaigns is done via a panel where the subscriber can supervise the compromised e-shops, manage the gateways for receiving stolen data, etc.

The Caramel Control Panel (KELA)

In operation since 2020

Skimming campaigns aren’t new, and neither is Caramel. Bleeping Computer was able to find the first dark web postings offering the kit for purchase in December 2020.

2020 article promoting Caramel (KELA)

However, continued development and promotion helped Caramel become more popular in the underground community.

The existence of Caramel and other such skimming services removes the technical barrier to setting up and operating large-scale card skimming campaigns, potentially making skimming campaigns even more common.

Customers of e-commerce platforms can protect themselves from credit card skimmers by using private single-use cards, setting billing limits and restrictions, or simply using online payment systems instead of cards.
