Recent reports indicate that a dedicated credit card skimming service known as Caramel is growing in popularity.

As a result, the service designed to facilitate the theft of payment card details is enabling threat actors of relatively low skill to access a simple and automated method to make a start in the financial fraud scene.

Payment card skimmers are a type of malicious script injected into compromised e-commerce sites that silently await customers making an online purchase. As soon as a purchase is made and a financial transaction initiated, the skimming script steals the credit card’s details and transmits them back to a remote server, where they can be harvested by threat operators.

Malicious actors then utilise these card details to make online purchases of their own or sell them on via marketplaces on the dark web to other cybercriminal groups. Often these details are sold for exceptionally small sums, but can cause considerable harm to the individuals they belong to. Along with spending from accounts connected to the cards, stolen cards can cause havoc, damaging a person’s credit record and ruining their chance of acquiring lending opportunities in the future.

Caramel – a skimmer-as-a-service

The brand new card skimming service known as Caramel was discovered by teams at DomainTools. Researchers state that the cybercriminal platform is operated by threat operators from a Russian organisation called CaramelCorp.

This skimmer-as-a-service provides subscribers with an insidious skimmer script, full deployment instructions and a panel for campaign management. Effectively, this package equips potential purchasers with everything they need to launch a career in online credit card theft.

At present, the Caramel service sells solely to Russian-speaking cybercriminals, initially employing a vetting process that blocks those utilising machine translation and those who lack experience in the field of financial fraud.

For $2,000, threat actors can buy a lifetime subscription. While this is not the most affordable product for new threat operators, it pledges to deliver complete customer support, evolving measures to avoid detection and code upgrades.

Designed to be discreet

While unverified to date, the sellers of the skimmer service claim that Caramel can get past a variety of protection services, including Akamai, Cloudflare and Incapsula. Russian hackers buying the service are also provided with a guide on methods using JavaScript, designed to get them up and running quickly. According to the seller, the methods offered work effectively in specific content management systems (CMS).

The payment card skimming scripts have been written in JavaScript. This allows Caramel to offer its subscribers a wide variety of obfuscation methods to prevent their activities from being detected easily.

For this type of financial fraud to work effectively, it is essential that the skimming script remains hidden. For this reason, malicious code is never designed to interfere with the legitimate order of a product while stealing card details. When an item is ordered it must be processed and sent out to the buyer to ensure no alarms are raised. This way, a card skimmer can remain in place for many months collecting details.
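Because a skimmer is an injected script that leaves the order flow untouched, a site owner is more likely to notice it by comparing the scripts on the checkout page against a known-good inventory than by watching for failed orders. The following is an added example, not code from the article or from the researchers it cites, showing such a check in Node.js. The host allowlist, page URL, baseline hashes and sample pages are all constructed assumptions, and the regular-expression extraction is a simplification of real HTML parsing.

```javascript
const crypto = require("crypto");

// Assumed allowlist: hosts permitted to serve scripts on the checkout page.
const ALLOWED_HOSTS = new Set(["shop.example", "js.payments.example"]);

// Base64 SHA-256, the same digest form used in CSP 'sha256-...' sources.
const sha256 = (s) => crypto.createHash("sha256").update(s, "utf8").digest("base64");

// List every <script> element: external ones by src, inline ones by body hash.
function listScripts(html) {
  const out = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']?([^"'\s>]+)/i.exec(m[1]);
    if (src) out.push({ kind: "external", src: src[1] });
    else if (m[2].trim()) out.push({ kind: "inline", hash: sha256(m[2]) });
  }
  return out;
}

// Report scripts loaded from unlisted hosts and inline scripts not in the baseline.
function auditCheckout(html, pageUrl, knownInlineHashes) {
  const findings = [];
  for (const s of listScripts(html)) {
    if (s.kind === "external") {
      const host = new URL(s.src, pageUrl).hostname; // resolves relative paths too
      if (!ALLOWED_HOSTS.has(host)) findings.push(`unexpected script host: ${host}`);
    } else if (!knownInlineHashes.has(s.hash)) {
      findings.push(`inline script not in baseline: sha256-${s.hash}`);
    }
  }
  return findings;
}

// Constructed sample: a known-good page and the same page with two added scripts.
const CART_JS = "initCart();";
const BASELINE = new Set([sha256(CART_JS)]);
const cleanPage =
  `<html><script src="/static/app.js"></script><script>${CART_JS}</script></html>`;
const changedPage = cleanPage.replace("</html>",
  `<script src="https://cdn.unknown.example/a.js"></script><script>track();</script></html>`);

console.log(auditCheckout(changedPage, "https://shop.example/checkout", BASELINE));
```

Run on a schedule against the rendered checkout page, a non-empty result is a prompt to review what changed and who deployed it.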