IT Security Guru

Armor Warns E-Commerce Retailers of Increased Attacks; Magecart-Style, Credit Card Sniffing Attack Tool Now On Sale in the Dark Web

by The Gurus
December 17, 2018
in Cloud Security, Featured

Armor, a leading cloud security solutions provider, has found what it believes to be the first Magecart-style (credit card sniffing) attack tool to be openly offered for sale on the Dark Web. Previous Magecart-style attacks (such as the British Airways and Newegg attacks) have been carried out by specific threat groups that have, by all accounts, used their own proprietary payment card sniffing tools rather than a sniffing tool openly sold on the Underground Hacker Markets.

According to the ad, posted in the first week of December, this Magecart-style attack tool is new and is being sold for $1,300 USD. The ad is on a Russian forum, and the threat actor selling the tool has been active in the Russian forums for over a year. He has purportedly also developed and made available for sale a banking trojan for the Android mobile operating system.

The Magecart-style attack tool is being advertised as containing two components: a standard universal (payment card) sniffer and a control panel. The control panel can be used to generate a custom credit card sniffer (JavaScript file) to work with any e-commerce site that employs Magento, OpenCart or OsCommerce payment forms. The payment card sniffer essentially watches for new payment card data being entered by shoppers into the payment form on the checkout pages of the targeted e-commerce site.

The payment card data is collected by the sniffer and sent off to a remote server under the attacker's control. The tool also uses the Secure Socket Layer (SSL) protocol to encrypt the outbound payment card data being collected, making it harder for security teams to see the data being exfiltrated from the e-commerce site.

Less than a month ago, on November 30th, Armor’s Threat Resistance Unit (TRU) released a Threat Alert stating that it expected to see an increase in Magecart-style attacks coinciding with the holiday e-commerce rush. TRU described this as a natural next step in the evolution of Magecart attacks, stemming from the increased attention and reporting brought on by successful compromises reported over the last several months, including Ticketmaster, British Airways, Newegg and multiple third-party plugin providers. The TRU team predicted that, as part of this natural next phase, there would be an increase in instances of low-sophistication Magecart copycat attacks, similar to what was seen in the outbreaks of cryptominers and ransomware over the last couple of years.

In the opinion of TRU senior security researcher Corey Milligan, “This attack tool represents the first step in the commoditization of the Magecart-style attack, creating a new line of revenue for the original Magecart threat groups while simultaneously serving to saturate the threat landscape with attempts by low-level threat actors, and thus hiding the original threat actors’ own activities that security experts are now hot on the trail of.”

Milligan also noted that, “while this tool provides low-sophistication threat actors with a powerful capability, other pieces are required to utilize the sniffer effectively, as it does not identify vulnerable e-commerce targets using Magento, OpenCart or OsCommerce payment forms. It also does not provide a mechanism for penetrating identified targets, implant the script that will download and run the sniffer in a browser, or provide a secure, non-attributable server to collect the harvested credit card data.”

In the hands of a low-level threat actor, the TRU team believes this tool will most likely be plugged into a process that involves automated scanning for, and indiscriminate attacking of, vulnerable e-commerce sites, even ones that don’t have the applicable payment form. “We expect to see a mass of ‘Hail Mary’ attacks, with the cybercriminals intent on hitting as many sites as possible, hoping that some of them will succeed and be fruitful,” said Milligan. “As the adage goes, they only have to be right once, and in this case, being right once could result in a haul of credit card data that is profitable and easy to sell on the Dark Web.”

How E-Commerce Retailers Can Protect Themselves and Their Customers from Magecart-Style Attacks

While these recommendations are ranked Good, Better and Best, it is recommended that, where possible, these techniques be used in combination with each other to provide a layered defense.

Good
– Keep your payment page simple. Loading third-party scripts along with your payment processing page increases your risk of third-party compromise. Many third-party content providers are not focused on security. Threat actors are known to choose the softer target, and they will not hesitate to circumvent your security by compromising a third party you are trusting on your payment processing page.

Better
– Audit public-facing web content regularly to identify unauthorized changes.
– Use subresource integrity for embedded scripts. On its own, it won’t protect you from all forms of third-party code injection attacks, but as a practice it raises your level of security and makes you a harder target.
– As a backup measure and a step to mitigate similar attacks, a content security policy (CSP) header can be employed. This additional header for web content tells the browser accessing your site where resources are authorized to be downloaded from. While this won’t stop the download of scripts from compromised, trusted third parties, it does help mitigate other HTML injection attacks where the content source has been changed to an untrusted download source.
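
An added example (not from Armor or the original article): a Python sketch of the audit, subresource integrity and CSP checks in the "Better" items above, run over a checkout page's script tags. The hosts, page markup and script bodies are constructed samples, and it assumes one sha384 integrity value per tag and exact host names in script-src.

```python
import base64, hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

def sri_hash(body):
    """sha384 Subresource Integrity value for a script body (bytes)."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()

class ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.scripts = []  # (src, integrity) for each external <script>
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append((a["src"], a.get("integrity")))

def csp_script_hosts(csp):
    """Hosts named in script-src (assumption: exact hosts, no wildcards)."""
    parts = [d.split() for d in csp.split(";")]
    src = next((p[1:] for p in parts if p and p[0] == "script-src"), [])
    return {urlparse(s).hostname or s for s in src}

def audit(page_html, page_host, csp, fetched):
    """Findings for third-party scripts; fetched maps URL -> bytes served now."""
    collector = ScriptCollector()
    collector.feed(page_html)
    allowed, findings = csp_script_hosts(csp), []
    for src, integrity in collector.scripts:
        host = urlparse(src).hostname
        if host is None or host == page_host:
            continue  # first-party script: covered by the content audit instead
        if host not in allowed:
            findings.append((src, "host not in CSP script-src"))
        if integrity is None:
            findings.append((src, "no integrity attribute"))
        elif integrity != sri_hash(fetched[src]):
            findings.append((src, "served content does not match integrity"))
    return findings

# Constructed sample data: hypothetical hosts and script bodies.
GOOD = b"function validateCard(n){return n.length>12;}"
PAGE = f'''<script src="/js/checkout.js"></script>
<script src="https://cdn.example/lib.js" integrity="{sri_hash(GOOD)}"></script>
<script src="https://cdn.example/tag.js" integrity="{sri_hash(GOOD)}"></script>
<script src="https://widgets.example/chat.js"></script>'''
CSP = "default-src 'self'; script-src 'self' https://cdn.example"
FETCHED = {"https://cdn.example/lib.js": GOOD, "https://cdn.example/tag.js": GOOD + b"//changed"}
print(audit(PAGE, "shop.example", CSP, FETCHED))
```

The tag.js finding shows the case where a trusted, CSP-allowed host serves changed content: the CSP alone permits the download, and only the integrity comparison catches the change.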

Best
– Outsource your payment processing to a third-party payment processor. While this involves trusting a third party, not all third parties are equal. Of course, do your homework before selecting one, but, in general, payment processors that perform this service have well-implemented security practices. While there will be additional costs involved with using an external payment processor, it can also relieve you of many stringent PCI requirements that have costs of their own to maintain.

It is worth noting that the seller of the credit card sniffer code, referenced previously, specifically stated in their offering that the tool would not be effective against sites that utilize third-party payment forms, as the entering of payment information and payment processing does not actually take place on the infected e-commerce site.

After-the-fact
If you have been affected by one of these types of attacks, and the third-party code supplier has taken steps to clean it up, you may still be vulnerable if you are using a Content Delivery Network (CDN) that caches content to improve performance. If this is the case, be sure to flush cached pages as one of the final steps of cleanup.

How Online Shoppers Can Protect Themselves from a Magecart Attack
As an online shopper, to keep your payment card details safe from a Magecart attack, disable JavaScript inside your browser before making a payment. Since the card skimming code is written in JavaScript, this will prevent a standard Magecart attack. (NOTE: disabling JavaScript in your browser may also cause webpages not to function. If you need to leave JavaScript enabled, we recommend using prepaid cards for online purchases.)

While most banks offer services to help you recover from fraud, it can take time. In the case of a debit card, the time it takes to recover stolen funds that may be needed to pay a bill is too big of a risk to take. Using a credit card reduces this risk, but an even better solution is to use a prepaid card. Prepaid cards are easy to obtain, even for those with no credit history, and they limit the amount that can be stolen via fraud to the amount of money you put on the card. Prepaid cards may not be the most convenient or cost-effective solution, but they can help keep your credit and bank account information out of the hands of criminals.

History of Magecart Attacks
As far back as 2015, intelligence organizations and security researchers, such as RiskIQ and Willem de Groot, have been tracking and reporting on a growing trend, and the associated techniques, of what is now termed online credit card skimming. Magecart draws its name from its original Tactics, Techniques and Procedures (TTP) discovery, in which Magento content management system (CMS) instances with shopping cart functionality were being scanned for, targeted and attacked. Thus, you have ‘Mage’nto shopping ‘cart’, or Magecart. In this initial TTP, a vulnerability in a Magento site was leveraged to modify the source code of the site, injecting what looked like a legitimate download of a JavaScript library. In actuality, when a browser connected to the site, it would automatically download this JavaScript file, as is common, and run it in the browser. The malware would identify the shopping cart functionality and modify it so that a copy of any credit card information that was submitted would be sent to a server owned by the threat actor.

Although the Magecart name continues to be used, online card skimming attacks have evolved beyond targeting only Magento sites. At least six separate groups have been identified as using a similar TTP of modifying e-commerce sites with malicious JavaScript files. The unique qualities that allow these threat actors to be singled out include variances in sophistication and target selection, with the most high-profile breaches being those that have leveraged the software supply chain (Inbenta, Feedify and Shopper Approved) and those that have targeted specific high-traffic sites (British Airways and Newegg).


© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic
