
E-commerce Breach: Hackers Target Magento, Steal Payment Data

In a concerning development for e-commerce security, hackers have been discovered exploiting a critical flaw in the popular Magento platform, leaving numerous online stores vulnerable to data breaches. The vulnerability, identified as CVE-2024-20720 with a severity score of 9.1, was acknowledged and addressed by Adobe in security updates released on February 13, 2024.

The exploit involves injecting a persistent backdoor into e-commerce websites, allowing threat actors to execute arbitrary commands and potentially steal sensitive payment data. Security experts from Sansec revealed that attackers are utilising a cleverly crafted layout template stored in the database to automatically insert malicious code into the system.

By combining the Magento layout parser with the beberlei/assert package, hackers can execute system commands, particularly targeting the checkout cart section of affected websites. This malicious code, delivered via the 'sed' command, installs a payment skimmer designed to capture financial information and transmit it to other compromised Magento stores under the attackers' control.

This incident underlines the urgency for e-commerce businesses to promptly apply security patches provided by Magento to mitigate the risk of exploitation. Failure to do so could leave them susceptible to financial losses and reputational damage.

The exploitation of vulnerabilities within the Magento platform has become an ongoing concern in e-commerce security. Since its acquisition by Adobe in 2018 for $1.68 billion, Magento has grown to power more than 150,000 online stores worldwide. However, this widespread adoption has made it an enticing target for cybercriminals seeking to exploit weaknesses in its infrastructure. One notable example of such exploitation is the MageCart attacks, which have highlighted the persistent threat posed by outdated and unsupported versions of Magento.

Given the prevalence of these vulnerabilities, it is essential for online merchants to prioritise cybersecurity measures to safeguard their customers' sensitive data and uphold trust within the e-commerce ecosystem. This requires a proactive approach that includes regular software updates, the implementation of robust security controls, and continuous monitoring for suspicious activity.

Industry stakeholders are urged to collaborate closely to enhance cybersecurity resilience and protect the integrity of online transactions. By staying informed and proactive, businesses can effectively combat cyber threats and uphold the security of their e-commerce operations.

India's DPDP Act: Industry's Compliance Challenges and Concerns

As India's Data Protection and Privacy Act (DPDP) transitions from proposal to legal mandate, the business community is grappling with the intricacies of compliance and its far-reaching implications. While the government maintains that companies have had a reasonable timeframe to align with the new regulations, industry insiders are voicing their apprehensions and advocating for extensions in implementation.

A new LiveMint report says the government maintains that businesses have been given a fair amount of time to adjust to the DPDP regulations. The actual situation, though, seems more nuanced. Industry insiders emphasize the difficulties firms encounter in comprehending and complying with the complex mandate of the DPDP Act.

The Big Tech Alliance, as reported in Inc42, has proposed a 12 to 18-month extension for compliance, underscoring the intricacies involved in integrating DPDP guidelines into existing operations. The alliance contends that the complexity of data handling and the need for sophisticated infrastructure demand a more extended transition period.

An EY study reveals that a majority of organizations express deep concerns about the impact of the data law. This highlights the need for clarity in the interpretation and application of DPDP regulations.

In another development, the IT Minister announced that draft rules under the privacy law are nearly ready. This impending release signifies a pivotal moment in the DPDP journey, as it will provide a clearer roadmap for businesses to follow.

As the compliance deadline looms, it is evident that there is a pressing need for collaborative efforts between the government and the industry to ensure a smooth transition. This involves not only extending timelines but also providing comprehensive guidance and support to businesses navigating the intricacies of the DPDP Act.

Despite the government's claim that businesses have enough time to get ready for DPDP compliance, industry opinion suggests otherwise. The complexities of data privacy laws and the worries raised by significant groups highlight the difficulties that companies face. It is imperative that the government and industry work together to resolve these issues and enable a smooth transition to the DPDP compliance period.

Amazon Faces Lawsuit for Deceptive Prime Practices

Amazon, the e-commerce giant known for its convenience and customer-centric approach, is currently under fire as it faces allegations of tricking Prime customers. The company, which boasts millions of loyal subscribers to its Prime membership program, is now being sued by the US Federal Trade Commission (FTC) for deceptive practices.

According to the FTC, Amazon employed a misleading strategy to encourage customers to sign up for a more expensive Prime subscription when their intention was simply to stream videos. The lawsuit alleges that the company took advantage of its customers' desire for a seamless streaming experience and misled them into paying for a Prime membership without their explicit consent.

The complaint filed by the FTC reveals that Amazon's tactics involved a series of deceptive prompts and clickable links during the video streaming sign-up process. These prompts led customers to believe they were accessing the content they desired, only to be redirected to a page where they were prompted to join Prime at a cost of $119 per year.

The lawsuit further claims that Amazon failed to adequately inform customers about the subscription charges and the automatic renewal policy associated with the Prime membership. Many users were reportedly unaware that they were being charged for the service until they noticed unexpected charges on their credit card statements.

The FTC's legal action follows an investigation prompted by numerous consumer complaints regarding Amazon's billing practices. The regulator seeks restitution for affected customers and an order prohibiting Amazon from engaging in similar deceptive practices in the future.

In response to the allegations, Amazon has defended its actions, stating that its practices were transparent and that customers were provided with clear information about the costs and benefits of Prime membership. The company believes that the FTC's claims are unfounded and intends to fight the lawsuit vigorously.

This lawsuit has significant implications for Amazon, as the Prime membership program is a cornerstone of the company's success. With Prime offering benefits such as free and expedited shipping, exclusive discounts, and access to a vast library of streaming content, it has attracted millions of subscribers worldwide. If found guilty, Amazon may face substantial financial penalties and be required to revise its practices to ensure greater transparency and customer consent.

The outcome of this legal battle will undoubtedly shape the future of Amazon's relationship with its Prime customers and may influence the broader e-commerce industry's approach to subscription-based services. In an era where consumer trust and transparency are paramount, companies must prioritize ethical practices and clear communication to foster long-term customer loyalty.

Magecart Groups Exploit 300+ Sites via Trojanized Google Tag Manager Containers

Gemini security researchers have uncovered more than 300 e-commerce stores compromised via trojanized Google Tag Manager (GTM) containers as part of an ongoing Magecart campaign that began in March this year.

Threat actors abused a legitimate feature of the Google Tag Manager service to secretly plant malicious JavaScript code, a so-called 'web skimmer', which siphons the bank details of online shoppers. The stolen data was later offered for sale on the dark web, Gemini analysts explained.

How was Google Tag Manager exploited?

Threat actors abused Google Tag Manager, a tool that helps online retailers understand customer behavior and dynamically update tracking and analytics code on their sites. More specifically, the attacks abused GTM containers, a feature that can be used to package and ship entire blocks of JavaScript code.

The hackers targeted e-commerce sites in a sophisticated manner: they designed their own GTM container, broke into e-commerce stores, and secretly deployed the malicious code without the owners' knowledge.

The malicious code remained undetected for months because web security tools, and even website owners examining their own code, would have had a hard time distinguishing the malicious GTM container from their own GTM tags. In total, this campaign hit 316 online stores and nearly 88,000 customers, whose data was sold online, Gemini Advisory said.

After analyzing the campaign, Gemini analysts concluded that the attacks were performed by two different hacking groups. The first group embeds the entire malicious e-skimmer script in the container; the other places a loader inside the container that runs on the compromised site and retrieves the web skimmer through an intermediary step.

“Although the two GTM container variants involve similar tactics—storing e-skimmers within GTM containers or housing scripts in GTM containers that load e-skimmers from dual-use domains—analysis of the two variants suggest that two different Magecart groups are responsible for each variant,” the Gemini Advisory team explained in a blog post. 

The first group performed two-thirds of all the hacks and started operations in March, while the second group began its operations in May. Both targeted e-commerce stores running on different platforms, including Magento, WordPress, Shopify, and BigCommerce. 

Smaller e-commerce shops were the most common target since they often lack the resources or interest to design robust security systems, and only one had enough traffic to be listed in the Alexa Top 50,000, researchers said.

Gemini's research was published after security firm RiskIQ revealed details of another web skimming attack targeting WordPress sites running the WooCommerce plugin. Additionally, security firm Sansec has published findings on multiple web skimming operations, highlighting a trend in which attackers are moving away from web-based compromises towards custom malware that they deploy on compromised sites at the server level.

On E-Commerce Servers, New Malware Masquerades as the Nginx Process

Remote access malware is being used to attack eCommerce servers, hiding inside Nginx processes in such a way that security solutions cannot detect it. The name NginRAT combines the application it targets with the remote access capabilities it delivers, and it is being used in server-side attacks to steal payment card data from online stores.

NginRAT was discovered on eCommerce servers in North America and Europe that were already infected with CronRAT, a remote access trojan (RAT) that hides its payloads in cron jobs scheduled to run on a calendar day that does not exist. The Linux cron system accepts such a date as long as it is well formed, so the entry is stored but never actually runs.

CronRAT relies on this to stay hidden. According to research released by Dutch cyber-security firm Sansec, it hides a "sophisticated Bash programme" in the names of scheduled tasks. Multiple levels of compression and Base64 encoding are used to conceal the payloads. The code has been cleaned up and now contains self-destruction, time modulation, and a custom protocol for communicating with a remote server.
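The impossible-date trick described above is easy to audit for: the following checker, added here as an example (it is not Sansec's tooling), parses crontab lines and flags any whose day-of-month and month fields can never name a real date. The crontab content is constructed for illustration.

```python
# Flag crontab entries that can never fire because they are scheduled
# on a calendar day that does not exist (e.g. 31 February).
# Added example, not Sansec's code; sample crontab below is constructed.

# Longest day each month can have (index 1..12). Leap years make
# 29 February real, so February is capped at 29, not 28.
_MAX_DAY = [0, 31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31]


def expand_field(field, lo, hi):
    """Expand one crontab field ('*', '1,15', '1-5', '*/7') to a set of ints."""
    values = set()
    for part in field.split(","):
        rng, _, step = part.partition("/")
        step = int(step) if step else 1
        if rng == "*":
            start, end = lo, hi
        elif "-" in rng:
            a, b = rng.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = end = int(rng)
        values.update(range(start, end + 1, step))
    return values


def is_impossible_schedule(line):
    """True if the (day-of-month, month) fields never name a real date."""
    fields = line.split(None, 5)  # user crontab: 5 time fields + command
    if len(fields) < 6 or fields[0].startswith(("#", "@")):
        return False  # comment, @reboot-style shortcut, or not a job
    try:
        dom = expand_field(fields[2], 1, 31)
        months = expand_field(fields[3], 1, 12)
    except ValueError:
        return False  # names like JAN are not handled; do not flag
    # The job can run if any listed month can contain any listed day.
    return not any(d <= _MAX_DAY[m] for m in months for d in dom)


def find_phantom_jobs(crontab_text):
    """Return the crontab lines whose schedule can never fire."""
    return [ln for ln in crontab_text.splitlines() if is_impossible_schedule(ln)]


SAMPLE_CRONTAB = """\
# constructed sample, not a real infection
0 2 * * * /usr/local/bin/backup.sh
52 23 31 2 3 /bin/sh -c 'echo hidden'
*/15 * 1-30 2,4 * /opt/scripts/rotate.sh
30 4 30 2 * /tmp/.x
"""
```

Running `find_phantom_jobs(SAMPLE_CRONTAB)` returns the two entries scheduled for 31 February and 30 February; the `1-30` entry is kept because 30 April is a real date.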

NginRAT has infected servers in the United States, Germany, and France, injecting itself into Nginx processes so that it remains unnoticed. According to researchers at Sansec, the new malware is delivered by CronRAT, even though both perform the same function: granting remote access to the compromised system.

While the two RATs use quite different approaches to stay hidden, Willem de Groot, director of threat research at Sansec, told BleepingComputer that they appear to serve the same role, each acting as a backup for preserving remote access. Sansec was able to investigate NginRAT after developing a custom CronRAT and analyzing its interactions with the command and control server (C2) in China. As part of the normal malicious exchange, the researchers tricked the C2 into sending and executing a rogue shared library payload, which turned out to be NginRAT, a "more advanced piece of malware."

"NginRAT essentially hijacks a host Nginx application to stay undetected. To do that, NginRAT modifies core functionality of the Linux host system. When the legitimate Nginx web server uses such functionality (eg dlopen), NginRAT intercepts it to inject itself," reads the analysis published by the experts. The remote access malware is embedded in the Nginx process in such a way that it is practically impossible to distinguish from a legitimate process.

Carding Bots Now Pose a Threat to E-Commerce Platforms

The PerimeterX research team has detected two new "carding" bots that pose a threat to e-commerce platforms, just as the busiest shopping season of the year begins.

Carding is a 'brute force attack' on a retailer's site using stolen credit cards or gift vouchers. Threat actors use carding to mass-validate large numbers of stolen credit cards and produce a list of cards that still work.

The validated credit cards are then commonly sold on the black market for around $45 each, or traded for untraceable gift vouchers that allow the cyber-criminals to conceal their identity.

One of the new carding bots, named the canary bot, specifically abuses top e-commerce platforms. The other bot, called the shortcut bot, bypasses the e-commerce website altogether and instead abuses the card payment vendor APIs used by a site or mobile application.

Describing an attack by the canary bot, researchers stated: "In this attack, the bots create a shopping cart, add products to the cart, set shipping information, and finally execute the carding attack—all of the steps except for the carding attack exhibit normal user behavior through a website."

The sophisticated canary bot identified by PerimeterX researchers is alarmingly good at imitating human behavior. Researchers said they had seen an 'increasing trend' in API endpoint abuse to validate credit cards on the web and in mobile applications.

They also observed an increase in these new kinds of attacks across numerous unrelated customers, demonstrating how quickly these attack tools are evolving.

PerimeterX has accordingly advised e-commerce site owners to block access to the payment page when the cart is empty, which stops basic carding attacks.