What is shimming in cybersecurity?
Shimming in cybersecurity definition
Shimming in cybersecurity is a cyberattack that uses a small piece of custom code, called a shim, to bypass security controls and alter digital infrastructure. Shimming began as a way to work around software compatibility problems, but attackers quickly adopted the same technique.
Shimming attacks give attackers access to sensitive data that moves through the system, such as passwords, credit card details, and Social Security numbers. With this information, they can easily commit identity theft.
Shimming attacks can also have broader consequences for the entire system, not just for individual users: a shim can download spyware, ransomware, or another form of malware that hands the attacker control of the whole system.
How does shimming in cybersecurity work?
Shimming works by inserting a shim into the system library, between a legitimate application and the operating system it runs on. From that position, the shim intercepts API calls and steers the application to do what the attacker wants: download malware, run malicious processes, or expose sensitive information such as passwords, personal data, or financial details.
Types of shimming attacks
Several types of shimming attack apply the same basic technique in different ways.
- DLL shimming uses a Windows Dynamic Link Library (DLL) to change how a program behaves. A DLL is shared code that many programs and applications load at run time. Attackers plant a shim in a DLL so that it runs whenever those programs load it, carrying out malicious activity that bypasses security measures.
- API shimming, also known as API hooking, uses shims to intercept application programming interface (API) calls. APIs let applications request services from, or communicate with, the operating system, other software, or an application’s servers from the end user’s device. By intercepting this communication, shims can block API calls, execute malicious programs, or expose sensitive information.
- Binary shimming targets binary applications and modifies the program code. The shim works its way into device memory and is triggered every time the targeted process launches.
- Browser shimming, also known as browser-in-the-middle shimming, lets attackers spy on a user’s activity. It secretly inserts the cybercriminal’s malicious code between the user’s browser and the server it talks to. Browser shimming typically goes hand in hand with phishing emails: the attacker convinces the victim to click a malicious link, which redirects them to a malicious website that tricks them into installing a malicious browser extension.
Examples of shimming attacks
Shimming attack examples fall into two main categories: data theft and malware delivery. Some high-profile examples of shimming attacks include:
- The Naval War College attack. In 2006, China-based hackers compromised thousands of Pentagon networks and millions of other connected devices through a shim within the U.S. Naval War College’s systems.
- The German cyberattack. In 2007, Chinese hackers gained unauthorized access to German government files by shimming Microsoft Office files.
- The Stuxnet worm. In 2010, Stuxnet targeted the supervisory control and data acquisition (SCADA) systems involved in Iran’s nuclear program. While nothing has been confirmed, many journalists believe that the United States government played a role in creating it.
What are the signs of a shimming attack?
Shimming attacks can be very difficult to detect, but a few signs can help you identify cyber threats that work around your system’s security measures:
- Pop-ups. Sudden pop-ups could indicate a shim trying to open a new, malicious window or download malware onto your device.
- Changes to your browser or system settings. Shims often alter your browser or system settings. If you notice any changes that you didn’t make, it may be a sign of a shim.
- Unauthorized logins. If you notice account logins from strange locations, a cybercriminal may have gotten hold of your login credentials and is now using them to access your accounts.
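The signs above are what a user sees; an administrator can also look for the concrete trace that the Windows Application Compatibility framework (the legitimate origin of shimming mentioned earlier) leaves when a custom shim database is installed. The check below is an added example, not code from the original article: it runs over simplified, constructed Sysmon-style events and flags a run of the built-in sdbinst.exe installer and any write to the AppCompatFlags\InstalledSDB or AppCompatFlags\Custom registry keys. Those key names, sdbinst.exe and the C:\Windows\AppPatch folder are real Windows artifacts; the event records, GUID and file paths are constructed.

```python
import re

# Registry keys where the Windows Application Compatibility framework records
# custom shim databases (.sdb). The key names, sdbinst.exe and the AppPatch
# folder are real Windows artifacts; every event below is constructed.
SHIM_KEY_RE = re.compile(r"\\AppCompatFlags\\(InstalledSDB|Custom)\\", re.IGNORECASE)
SHIM_INSTALLER = "sdbinst.exe"            # built-in tool that installs an .sdb
TRUSTED_SDB_DIR = r"c:\windows\apppatch"  # where Microsoft's own .sdb files live

# Simplified Sysmon-style events: id 1 = process creation, id 13 = registry
# value set. Only the fields used by the check are modelled.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\sdbinst.exe", "user": r"CORP\alice",
     "cmdline": r"sdbinst.exe -q C:\Users\Public\compat.sdb"},
    {"id": 13, "image": r"C:\Windows\System32\sdbinst.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags"
               r"\InstalledSDB\{11111111-2222-3333-4444-555555555555}\DatabasePath",
     "details": r"C:\Windows\AppPatch\Custom\{11111111-2222-3333-4444-555555555555}.sdb"},
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe", "user": r"CORP\alice",
     "cmdline": "notepad.exe"},
    {"id": 13, "image": r"C:\Windows\explorer.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "details": "DWORD (0x00000001)"},
]


def shim_indicators(events):
    """Return (reason, event) pairs for events that suggest a shim database
    was installed. Both indicators are legitimate during patching, so the
    output is a review queue, not a verdict: compare it against change records."""
    hits = []
    for ev in events:
        image = ev.get("image", "").lower()
        if ev["id"] == 1 and image.endswith("\\" + SHIM_INSTALLER):
            # An .sdb loaded from a user-writable location is the stronger signal.
            cmdline = ev.get("cmdline", "").lower()
            scope = "trusted" if TRUSTED_SDB_DIR in cmdline else "untrusted"
            hits.append((f"sdbinst.exe run with {scope} database path", ev))
        elif ev["id"] == 13 and SHIM_KEY_RE.search(ev.get("target", "")):
            hits.append(("write to shim database registry key", ev))
    return hits


if __name__ == "__main__":
    for reason, ev in shim_indicators(SAMPLE_EVENTS):
        print(f"[{reason}] {ev.get('image')} {ev.get('cmdline') or ev.get('target')}")
```

On a real host the same two signals come from Sysmon event IDs 1 and 13, or from a scheduled query of the two registry keys, and each hit should be matched against a change record before being treated as an attack.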
How to protect against shimming attacks
Basic cybersecurity best practices help protect against shimming attacks. Follow these anti-shimming tips:
- Keep everything up to date. Always install updates for your operating system, applications, and other software. Updates close security gaps before attackers can exploit them.
- Avoid phishing emails. Never click on a suspicious link or download an attachment from a sender you don’t know. Phishing emails may introduce shims to your device. Report malicious emails to the Federal Trade Commission, delete the email, and block the sender.
- Monitor your online accounts. Keep a close eye on your account login history. If you notice an unauthorized login from a strange location, that could be a sign of shimming.
How do shimming attacks compare to other types of attacks?
Shimming is just one of many cyber threats, so it’s important to understand how shimming attacks compare to other types of cyberattacks designed to bypass security measures, gain control, and access sensitive data.
Shimming vs. refactoring
Refactoring restructures a program’s existing code, whereas shimming inserts a small piece of code that changes how a program operates. Refactoring has many legitimate uses, including performance optimization and bug reduction.
Shimming vs. spoofing
Shimming inserts code to alter application behavior, whereas spoofing falsifies data to impersonate a legitimate process or party.
Shimming vs. DLL injection
While shimming and dynamic link library (DLL) injections are similar, they are distinct techniques. DLL injection involves directly inserting a malicious DLL into the memory space of a running process. This allows attackers to run code within the context of a legitimate process, which can bypass certain security measures.
Shimming vs. code injection
Code injection is a cybercrime technique that inserts code into an application. Shimming attacks differ from code injection because they insert code between the application and the system, not into the application itself.
Shimming vs. process hollowing
Process hollowing is a cyberattack in which hackers replace a legitimate process with malicious code. Unlike shimming, which inserts code into the system library, process hollowing swaps out an entire process. Cybercriminals often use links and attachments in phishing emails to facilitate this attack.
Shimming vs. image hijacking
Image hijacking inserts code into an application through a malicious image. While shimming introduces code at the system level, image hijacking does so within the application.
Protecting yourself from shimming and other cyberattacks is crucial, so stay alert and use anti-malware software to avoid exposing sensitive information or losing control of your devices.