{
	"id": "a91192d2-a5c0-42bd-b185-ae9cd4f8b1d7",
	"created_at": "2026-04-06T02:13:00.902741Z",
	"updated_at": "2026-04-10T13:12:36.681473Z",
	"deleted_at": null,
	"sha1_hash": "5c4ff737523066bf4f97e1a19613189aa290a25b",
	"title": "There’s an app for that: web skimmers found on PaaS Heroku",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 570337,
	"plain_text": "There’s an app for that: web skimmers found on PaaS Heroku\r\nBy Jérôme Segura\r\nPublished: 2019-12-03 · Archived: 2026-04-06 01:50:46 UTC\r\nCriminals love to abuse legitimate services—especially platform-as-a-service (PaaS) cloud providers—as they are a popular and reliable hosting commodity used to support both business and consumer ventures.\r\nCase in point, in April 2019 we documented a web skimmer served on code repository GitHub. Later on in June, we observed a vast campaign where skimming code was injected into Amazon S3 buckets.\r\nThis time, we take a look at a rash of skimmers found on Heroku, a container-based, cloud PaaS owned by Salesforce. Threat actors are leveraging the service not only to host their skimmer infrastructure, but also to collect stolen credit card data.\r\nAll instances of abuse found have already been reported to Heroku and taken down. We would like to thank the Salesforce Abuse Operations team for their swift response to our notification.\r\nAbusing cloud apps for skimming\r\nDevelopers can leverage Heroku to build apps in a variety of languages and deploy them seamlessly at scale.\r\nhttps://www.malwarebytes.com/blog/news/2019/12/theres-an-app-for-that-web-skimmers-found-on-paas-heroku\r\nPage 1 of 7\n\nHeroku has a freemium model, and new users can experiment with the platform’s free web hosting services with certain limitations. The crooked part of the Magecart cabal was registering free accounts with Heroku to host their skimming business.\r\nTheir web skimming app consists of three components:\r\nThe core skimmer that will be injected into compromised merchant sites, responsible for detecting the checkout URL and loading the next component.\r\nA rogue iframe that will overlay the standard payment form, meant to harvest the victim’s credit card data.\r\nThe exfiltration mechanism for the stolen data, which is sent back in encoded format.\r\niframe trick\r\nCompromised shopping sites are injected with a single line of code that loads the remote piece of JavaScript. Its goal is to monitor the current page and load a second element (a malicious credit card iframe) when the current browser URL contains the Base64-encoded string Y2hlY2tvdXQ= (checkout).\r\nThe iframe is drawn above the standard payment form and looks identical to it, as the cybercriminals use the same cascading style sheet (CSS) from portal.apsclicktopay.com/css/build/easypay.min.css.\r\nFinally, the stolen data is exfiltrated, after which victims will receive an error message instructing them to reload the page. This may be because the form needs to be repopulated properly, without the iframe this time.\r\nSeveral Heroku-hosted skimmers found\r\nThis is not the only instance of a credit card skimmer found on Heroku. We identified several others using the same naming convention for their script, all seemingly becoming active within the past week.\r\nIn one case, the threat actors may have forgotten to use obfuscation. The code shows vanilla skimming, looking for specific fields to collect and exfiltrate using the window.btoa(JSON.stringify(result)) method.\r\nWe will likely continue to observe web skimmers abusing more cloud services, as they are a cheap (even free) commodity that can be discarded when finished with.\r\nFrom a detection standpoint, skimmers hosted on cloud providers may cause some issues with false positives. For example, one cannot blacklist a domain used by thousands of other legitimate users. However, in this case we can easily do fully qualified domain name (FQDN) detections and block just that malicious user.\r\nIndicators of Compromise (IOCs)\r\nSkimmer hostnames on Heroku\r\nancient-savannah-86049[.]herokuapp.com\r\npure-peak-91770[.]herokuapp[.]com\r\naqueous-scrubland-51318[.]herokuapp[.]com\r\nstark-gorge-44782.herokuapp[.]com\r\nSource: https://www.malwarebytes.com/blog/news/2019/12/theres-an-app-for-that-web-skimmers-found-on-paas-heroku",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.malwarebytes.com/blog/news/2019/12/theres-an-app-for-that-web-skimmers-found-on-paas-heroku"
	],
	"report_names": [
		"theres-an-app-for-that-web-skimmers-found-on-paas-heroku"
	],
	"threat_actors": [
		{
			"id": "5a0483f5-09b3-4673-bb5a-56d41eaf91ed",
			"created_at": "2023-01-06T13:46:38.814104Z",
			"updated_at": "2026-04-10T02:00:03.110104Z",
			"deleted_at": null,
			"main_name": "MageCart",
			"aliases": [],
			"source_name": "MISPGALAXY:MageCart",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775441580,
	"ts_updated_at": 1775826756,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5c4ff737523066bf4f97e1a19613189aa290a25b.pdf",
		"text": "https://archive.orkl.eu/5c4ff737523066bf4f97e1a19613189aa290a25b.txt",
		"img": "https://archive.orkl.eu/5c4ff737523066bf4f97e1a19613189aa290a25b.jpg"
	}
}