
Cybercriminals Leverage Google Tag Manager for Credit Card Data Theft

 


Cybercriminals have been exploiting vulnerabilities in Magento to inject an obfuscated script, delivered through Google Tag Manager (GTM), into Magento-based eCommerce sites. The script intercepts and steals credit card details during checkout, while a hidden PHP backdoor gives the attackers persistent access and allows data exfiltration to continue.

A security researcher at Sucuri found the credit card skimming malware embedded in the cms_block.content database table; together with the hidden backdoor, this gave the attackers unauthorized access and continuous data exfiltration. Because the malware is designed to look legitimate, security tooling may have difficulty identifying and containing it. Experts therefore advise website administrators to strengthen their security controls so that such threats can be identified and removed quickly.

A recent Sucuri investigation uncovered a sophisticated credit card skimming operation targeting a Magento-based eCommerce platform. The attackers used Google Tag Manager (GTM) to inject malicious JavaScript into the checkout process and collect payment information without the user's knowledge. The malware was embedded in cms_block.content, a database table holding CMS content, which let the criminals intercept transactions discreetly.

Further analysis by Sucuri revealed a hidden backdoor in the site's media directories, giving the attacker indefinite access to the compromised system. Retailers and hospitality organizations running eCommerce platforms face a well-known threat: third parties exploit such platforms to harvest credit card data in real time and send it to a remote server under the criminals' control.

Organizations in the retail and hospitality industries, particularly those running eCommerce platforms, are at much greater risk of similar GTM-based attacks, because stealthy, legitimate-looking scripts are hard for store owners to detect and mitigate. WordPress and Magento are now very widely used for online retail, so this attack method is effective and could affect a broad range of businesses across the industry.

If these vulnerabilities are not addressed promptly, the consequences include significant financial losses, fraud chargebacks and non-compliance with the Payment Card Industry Data Security Standard (PCI DSS). The Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) has released a report whose intelligence can help organizations enhance their threat detection and response capabilities when integrated into their cybersecurity strategies.

The attack is an unconventional Magecart operation that abuses Google Tag Manager (GTM), a legitimate, free tool from Google that lets website owners manage and deploy marketing tags without modifying the site's code directly. GTM removes the need for developer intervention whenever marketers want to adjust their advertising campaigns or track how well their advertisements perform.

Sucuri's security researchers first discovered the Magecart activity after a customer reported unauthorized access to credit card payment data on their eCommerce platform. Investigation showed the malware being loaded from the cms_block table. It exploited a modified GTM tag containing an embedded, encoded JavaScript payload that acted as a credit card skimmer. To avoid detection, the attackers obfuscated index values with a function named _0x5cdc, which maps specific characters to specific index values within an array.

This method adds a great deal of complexity and makes it much harder to determine the script's true purpose and to prevent similar attacks in the future. Cybersecurity experts say that proactively detecting and mitigating threats is an important part of keeping systems secure. Sucuri's investigation also found that the attackers used an obfuscated backdoor disguised as a Google Tag Manager (GTM) and Google Analytics script to gain unauthorised access to data collected for web analytics and advertising purposes.

Puja Srivastava, a Sucuri researcher, reportedly found a script that, when executed from a Magento database table, exfiltrates credit card information. The script is designed to gather sensitive information from users during the checkout process and send it to remote servers controlled by the attackers. Earlier this month, Sucuri reported a series of security concerns involving WordPress plugins, which were exploited in a campaign that redirected victims to malicious websites and, in turn, compromised administrator accounts.

Additionally, almost seven years ago, Google Tag Manager was identified as one of the tools used in a malvertising campaign. In another case, according to the Department of Justice, Andrei Fagaras and Tamas Kolozsvari have been indicted for their alleged involvement in a payment card skimming operation. These incidents highlight that the threat of cyber-attacks on eCommerce platforms has not been contained and that stronger security measures are needed to protect sensitive financial information.

Magecart is the name given to a decentralized collection of cybercriminal groups that conduct online payment card skimming attacks. These attacks typically involve injecting malicious code into websites to steal customers' payment card information, which is then monetized. Such attacks have caused major damage to several organizations, including Ticketmaster, British Airways and even the Green Bay Packers football team. After identifying the source of the infection on the client's website, the Sucuri team immediately removed the malicious code from all compromised areas of the site.

Besides removing the malware, they also removed the obfuscated scripts and backdoors to prevent it from being reintroduced. Sucuri recommends that eCommerce operators protect themselves against similar threats by logging into Google Tag Manager (GTM), carefully reviewing all active tags and deleting any that appear suspicious. Organizations should also run a comprehensive website security scan to detect and remove any remaining malicious code, backdoor files and other files that could compromise the site, so that the integrity of their digital infrastructure is maintained.
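Sucuri's advice comes down to finding scripts that do not belong in places such as the cms_block table. The Python triage helper below is an added example, not Sucuri's or Magento's code. It scans cms_block rows for the obfuscation markers mentioned in the write-up (identifiers in the _0x5cdc style and long runs of hex escapes), for GTM container IDs that are not on the store's allow-list, and for script src hosts outside an allow-list. The row schema, the allow-lists, the sample rows and the .invalid host are all constructed assumptions.

```python
"""Triage helper for Magento cms_block rows (added example, not Sucuri's or Magento's code).

Assumes the rows were dumped read-only, e.g. SELECT identifier, content FROM cms_block,
into dicts with "identifier" and "content" keys. Allow-lists below are placeholders.
"""
import re
from typing import Dict, List, Set
from urllib.parse import urlparse

SCRIPT_TAG = re.compile(r"<script\b[^>]*>.*?</script>", re.I | re.S)
SRC_ATTR = re.compile(r"<script\b[^>]*\bsrc\s*=\s*[\"']([^\"']+)", re.I)
GTM_ID = re.compile(r"\bGTM-[A-Z0-9]{4,}\b")

# Obfuscation and skimmer markers typical of injected checkout scripts.
MARKERS = {
    "hex_identifier": re.compile(r"\b_0x[0-9a-f]{4,}\b", re.I),     # e.g. a _0x5cdc-style helper
    "hex_escapes":    re.compile(r"(?:\\x[0-9a-f]{2}){6,}", re.I),    # long runs of \xNN escapes
    "decode_calls":   re.compile(r"\b(?:atob|unescape|String\.fromCharCode)\s*\(", re.I),
    "payment_fields": re.compile(r"\b(?:cc_number|card_number|cc_cid|cvv)\b", re.I),
}

ALLOWED_GTM_CONTAINERS = {"GTM-EXAMPLE1"}            # placeholder: the store's own container(s)
ALLOWED_SCRIPT_HOSTS = {"www.googletagmanager.com"}  # placeholder: hosts scripts may load from


def scan_cms_block(row: Dict[str, str], allowed_gtm: Set[str], allowed_hosts: Set[str]) -> List[str]:
    """Return sorted finding labels for one row; an empty list means nothing looked odd."""
    findings: Set[str] = set()
    content = row.get("content") or ""
    for tag in SCRIPT_TAG.findall(content):
        hits = {name for name, pat in MARKERS.items() if pat.search(tag)}
        if hits & {"hex_identifier", "hex_escapes"}:
            findings.add("obfuscated_script")
        if {"decode_calls", "payment_fields"} <= hits:
            findings.add("decoding_plus_payment_fields")
        for gtm_id in GTM_ID.findall(tag):          # container IDs referenced by the tag
            if gtm_id not in allowed_gtm:
                findings.add(f"unexpected_gtm_container:{gtm_id}")
        for src in SRC_ATTR.findall(tag):           # external script sources
            host = urlparse(src).hostname or ""
            if host and host not in allowed_hosts:
                findings.add(f"external_script_src:{host}")
    return sorted(findings)


def scan_rows(rows, allowed_gtm=ALLOWED_GTM_CONTAINERS, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    return {r["identifier"]: scan_cms_block(r, allowed_gtm, allowed_hosts) for r in rows}


# Constructed sample rows: a plain footer, the store's legitimate GTM snippet,
# and a promo block carrying an inert, obfuscated-looking injection.
SAMPLE_ROWS = [
    {"identifier": "footer_links",
     "content": '<div class="footer"><a href="/contact">Contact us</a></div>'},
    {"identifier": "gtm_head",
     "content": ("<!-- Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]||[];"
                 "w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});"
                 "var f=d.getElementsByTagName(s)[0],j=d.createElement(s);j.async=true;"
                 "j.src='https://www.googletagmanager.com/gtm.js?id='+i;f.parentNode.insertBefore(j,f);"
                 "})(window,document,'script','dataLayer','GTM-EXAMPLE1');</script>")},
    {"identifier": "promo_banner",
     "content": ("<p>Free shipping this week!</p>"
                 r"<script>var _0x5cdc=['\x63\x63\x5f\x6e\x75\x6d\x62\x65\x72','\x63\x76\x76'];"
                 r"(function(_0x4e1a){/* constructed, inert stand-in for an obfuscated payload */})(_0x5cdc);"
                 "</script>"
                 '<script src="https://cdn.example-placeholder.invalid/gtm.js?id=GTM-ZZZZ999"></script>')},
]

if __name__ == "__main__":
    for identifier, findings in scan_rows(SAMPLE_ROWS).items():
        print(f"{identifier}: {findings or 'clean'}")
```

Rows with findings are candidates for manual review, not automatic deletion: a legitimate block can contain a minified script, so the value of the checker is in surfacing scripts where CMS content normally has none, and in catching container IDs the store never registered.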

ColdRiver APT: Google TAG Warns That Russian APT Group Is Using a Custom Backdoor


Google has warned that a Russia-linked threat actor named ‘COLDRIVER’, which is expanding its targets, has also been developing custom malware.

ColdRiver APT

The ColdRiver APT (aka “Seaborgium”, “Callisto”, “Star Blizzard”, “TA446”) is a Russian cyberespionage outfit that has been targeting government officials, military personnel, journalists and think tanks since at least 2015.

The threat actor has previously run sustained phishing and credential theft campaigns that resulted in intrusions and data theft. Although specialists have noticed efforts targeting the Baltics, the Nordics and Eastern Europe, including Ukraine, the APT predominantly targets NATO member states.

Google TAG researchers have warned that COLDRIVER is enhancing its tactics, techniques and procedures (TTPs) in order to evade detection.

TAG has recently seen COLDRIVER use phishing campaigns to spread bespoke malware, using PDFs as lure material. Google experts discovered and stopped these attempts by adding all known domains and hashes to Safe Browsing blocklists.

In November 2022, TAG observed COLDRIVER sending its targets malicious PDF documents from fraudulent accounts. The lure asked the recipients for feedback on fresh opinion pieces or other publications that the sender was supposedly hoping to publish. When victims open the PDF, they see encrypted text.

If the targets cannot read the content and contact the threat actors, the cyberspies reply with a link to a supposed decryption tool hosted on their own website. Running the tool installs a backdoor, tracked as SPICA, and displays a bogus document.

“Once executed, SPICA decodes an embedded PDF, writes it to disk, and opens it as a decoy for the user. In the background, it establishes persistence and starts the main C2 loop, waiting for commands to execute,” reads TAG’s analysis. 

Spica is a Rust backdoor that uses JSON over websockets for C2. It supports multiple capabilities, such as:

  • Executing arbitrary shell commands.
  • Stealing cookies from Chrome, Firefox, Opera and Edge.
  • Uploading and downloading files.
  • Perusing the filesystem by listing its contents.
  • Enumerating documents and exfiltrating them in an archive.
  • A command called “telegram”, whose functionality is unclear.

The infection stays persistent through an obfuscated PowerShell command that creates a scheduled task called CalendarChecker.

The Russian APT has reportedly been using SPICA since at least November 2022, while the researchers have only observed its use since early September 2023.
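The persistence mechanism described above (a scheduled task whose action is an obfuscated PowerShell command) leaves a record on the host: a Windows Security event 4698 containing the task's name and its XML definition. The following Python triage is an added example, not Google TAG's analysis code or anything from SPICA itself. It assumes such events have been exported as dicts with "TaskName" and "TaskContent" keys, decodes any -EncodedCommand argument (base64 of UTF-16LE text) so the analyst can read it, and flags hidden-window and no-profile switches plus the task name quoted in the article. The sample events, the benign tool path and the decoded stand-in text are constructed.

```python
"""Triage of scheduled-task creation events (Security 4698) for encoded PowerShell persistence.

Added example, not Google TAG's or SPICA's code. Event export format is an assumption;
the two sample events below are constructed.
"""
import base64
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
WATCHLIST_TASK_NAMES = {"calendarchecker"}  # task name reported in TAG's SPICA analysis
# PowerShell accepts abbreviated switches; -e/-ec/-enc/-EncodedCommand all take base64.
ENCODED_ARG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})")
HIDDEN_ARG = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")
NOPROFILE_ARG = re.compile(r"(?i)-nop(?:rofile)?\b")


def encode_command(text: str) -> str:
    """Produce a -EncodedCommand value; used only to build the constructed sample."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand carries UTF-16LE text in base64."""
    return base64.b64decode(b64).decode("utf-16-le")


def triage_task_event(event: Dict[str, str]) -> Dict[str, object]:
    """Return the task name, sorted finding labels and the decoded command (if any)."""
    findings = set()
    name = event.get("TaskName", "")
    if name.strip("\\").lower() in WATCHLIST_TASK_NAMES:
        findings.add("watchlisted_task_name")
    decoded: Optional[str] = None
    root = ET.fromstring(event["TaskContent"])
    for exec_node in root.findall(".//t:Actions/t:Exec", TASK_NS):
        command = exec_node.findtext("t:Command", default="", namespaces=TASK_NS).lower()
        args = exec_node.findtext("t:Arguments", default="", namespaces=TASK_NS)
        if not any(shell in command for shell in ("powershell", "pwsh")):
            continue
        if HIDDEN_ARG.search(args):
            findings.add("hidden_window")
        if NOPROFILE_ARG.search(args):
            findings.add("no_profile")
        match = ENCODED_ARG.search(args)
        if match:
            findings.add("encoded_command")
            try:
                decoded = decode_encoded_command(match.group(1))
            except (ValueError, UnicodeDecodeError):
                decoded = "<undecodable>"
    return {"task": name, "findings": sorted(findings), "decoded_command": decoded}


def build_task_xml(command: str, arguments: str) -> str:
    """Minimal task definition in the schema 4698 events embed (constructed helper)."""
    return ('<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
            '<Actions Context="Author"><Exec>'
            f"<Command>{command}</Command><Arguments>{arguments}</Arguments>"
            "</Exec></Actions></Task>")


# Constructed sample events: a benign maintenance task and a stand-in for the
# CalendarChecker persistence. The encoded payload is a harmless Write-Output.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "4698", "TaskName": "\\Maintenance\\NightlySync",
     "TaskContent": build_task_xml("C:\\Tools\\sync.exe", "--quiet")},
    {"EventID": "4698", "TaskName": "\\CalendarChecker",
     "TaskContent": build_task_xml(
         "powershell.exe",
         "-w hidden -nop -enc " + encode_command("Write-Output 'constructed stand-in for the SPICA loader'"))},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(triage_task_event(event))
```

In practice the decoded command is the most useful field: an encoded argument is not malicious on its own, but one that is hidden, profile-less and attached to a task name nobody in the organisation recognises is worth an immediate look, and the decoded text usually tells the responder what the task was meant to launch.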

Google TAG Alerts on Rising Heliconia Exploit Framework for RCE

 

The Threat Analysis Group (TAG) at Google has discovered Heliconia, a cyberattack framework designed to exploit zero-day and n-day security flaws in Chrome, Firefox and Microsoft Defender. It is likely linked to Variston IT, a gray-market spyware broker, demonstrating how this shadowy sector is thriving. The Heliconia threat is made up of three modules:

  • Heliconia Noise, for compromising the Chrome browser, escaping the sandbox and installing malware;
  • Heliconia Soft, a Web framework that deploys a PDF containing a Windows Defender exploit for CVE-2021-42298 that allows privilege escalation to SYSTEM and remote code execution (RCE);
  • Heliconia Files, a package containing a fully documented Firefox exploit chain for Windows and Linux, including CVE-2022-26485 for RCE.

The threat was discovered after TAG received an anonymous submission to the Chrome bug reporting program. Further investigation revealed that the Heliconia framework's source code includes a script that refers to Variston IT, a Barcelona-based company that claims to provide "custom security solutions."

Commercial spyware is frequently sold by organizations claiming to be legitimate businesses for "law enforcement use." According to a TAG posting on Wednesday, mounting evidence shows that too often these brokers don't vet their clients, "putting advanced surveillance capabilities in the hands of governments who use them to spy on journalists, human rights activists, political opposition, and dissidents."

Researchers noted that Variston IT is firmly in the middle of this rapidly expanding market, which has seen sanctioning by the US and others against organizations such as the infamous NSO Group, creators of the Pegasus spyware.

Hyperscraper: A New Tool that Iranian Hackers Use for Stealing E-mails


State Sponsored Threat 

Charming Kitten, a state-sponsored Iranian hacking group, is using a new tool to download emails from targeted Yahoo, Microsoft Outlook and Gmail accounts.

The utility is called Hyperscraper and like many hackers' operations and tools, it is in no way sophisticated. But its lack of sophistication is balanced by effectiveness, letting the threat actors hack a target's e-mail inbox without leaving any traces of the intrusion. 

Simple but effective email scraper

In a recent technical report, experts from Google's TAG (Threat Analysis Group) shared information about Hyperscraper's capabilities and said that it is under active development.

Google TAG links the tool to Charming Kitten, a threat group based in Iran that is also called APT35 and Phosphorus, and dates the earliest samples to 2020.

The researchers discovered Hyperscraper in December 2021 and analysed it using a Gmail test account. Hyperscraper isn't a tool for breaking into accounts; it lets threat actors steal email data and store it on their own devices after they have already gained access to the victim's email account.

How does Hyperscraper work?

Obtaining the login credentials for the victim's inbox happens in an earlier stage of the attack, generally by stealing them.

Hyperscraper has an embedded browser and spoofs its user agent to imitate an outdated web browser, so that Gmail serves a basic HTML view of the account.

Google TAG says that once logged in, the tool changes the account’s language settings to English and iterates through the contents of the mailbox, individually downloading messages as .eml files and marking them unread. 

Google TAG Experts' Analysis 

When the extraction is completed, Hyperscraper changes the language settings to English and moves through the contents of the email inbox, downloading messages individually as .eml files and marking them unread.

Google TAG experts said earlier variants of Charming Kitten's utility could also pull data from Google Takeout, a feature that lets users export data from their Google account to make a backup or use it with a third-party service.

While running, Hyperscraper communicates with a C2 (Command and Control) server, waiting for a 'go' signal before starting the exfiltration process.
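The behaviour described above (a login with a spoofed, outdated user agent that forces the basic HTML view, an immediate language change, then a burst of per-message downloads each followed by a mark-as-unread) can be expressed as a hunting rule over whatever mail-access audit trail an organisation keeps. The Python below is an added example, not Google TAG's or Hyperscraper's code; the log line schema, the session events and the thresholds are all constructed assumptions, so adapt the parser to the real audit format before use.

```python
"""Hunt for Hyperscraper-style mailbox scraping in a mail-access audit trail.

Added example, not Google TAG's or Hyperscraper's code. The log schema
("<ts> <session> <action> key=value ...") and thresholds are assumptions;
the sample events are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

LINE = re.compile(r"^(\S+) (\S+) (\S+)(.*)$")
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
CHROME_MAJOR = re.compile(r"Chrome/(\d+)\.")

LEGACY_CHROME_MAJOR = 80   # assumption: older than this is treated as a spoofed/legacy UA
BULK_THRESHOLD = 20        # assumption: this many downloads in one session counts as bulk
LANGUAGE_WINDOW_S = 60     # assumption: a language change this soon after login is odd


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Turn one audit line into a dict; quoted values (like the UA) may contain spaces."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, session, action, rest = m.groups()
    fields = {k: (q if q else u) for k, q, u in KV.findall(rest)}
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "session": session, "action": action, **fields}


def analyze_sessions(lines: List[str]) -> Dict[str, List[str]]:
    """Return finding labels per session id, in the order the checks fire."""
    by_session: Dict[str, List[Dict[str, object]]] = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_session[str(ev["session"])].append(ev)
    results: Dict[str, List[str]] = {}
    for sid, events in by_session.items():
        findings: List[str] = []
        login = next((e for e in events if e["action"] == "login"), None)
        if login:
            if login.get("view") == "basic_html":
                findings.append("basic_html_view")
            major = CHROME_MAJOR.search(str(login.get("ua", "")))
            if major and int(major.group(1)) < LEGACY_CHROME_MAJOR:
                findings.append("legacy_user_agent")
            if any(e["action"] == "settings.language_change"
                   and (e["ts"] - login["ts"]).total_seconds() <= LANGUAGE_WINDOW_S
                   for e in events):
                findings.append("language_changed_after_login")
        downloads = [e for e in events if e["action"] == "message.download"]
        unread_ids = {e.get("id") for e in events if e["action"] == "message.mark_unread"}
        if len(downloads) >= BULK_THRESHOLD:
            findings.append("bulk_download")
            rewound = sum(1 for e in downloads if e.get("id") in unread_ids)
            if rewound / len(downloads) >= 0.9:   # downloads "undone" to hide the read
                findings.append("downloads_marked_unread")
        results[sid] = findings
    return results


def build_sample_log() -> List[str]:
    """Constructed audit trail: one scraping session (s1) and one ordinary session (s2)."""
    lines = [
        '2024-01-10T09:00:01Z s1 login ua="Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 '
        '(KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36" view=basic_html',
        "2024-01-10T09:00:05Z s1 settings.language_change from=fa to=en",
    ]
    for i in range(1, 31):
        lines.append(f"2024-01-10T09:{i:02d}:00Z s1 message.download id={i}")
        lines.append(f"2024-01-10T09:{i:02d}:01Z s1 message.mark_unread id={i}")
    lines += [
        '2024-01-10T10:15:00Z s2 login ua="Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 '
        '(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36" view=standard',
        "2024-01-10T10:16:00Z s2 message.read id=77",
        "2024-01-10T10:18:00Z s2 message.download id=77",
    ]
    return lines


if __name__ == "__main__":
    for sid, findings in analyze_sessions(build_sample_log()).items():
        print(sid, findings or "nothing unusual")
```

None of the individual signals is conclusive (legacy clients exist, users change languages, people export mail), which is why the rule reports the combination: a session that scores on the client fingerprint and on bulk download-then-unread behaviour is the one to escalate.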

How does the threat actor use Hyperscraper?

The operator can configure the tool's key parameters (identifier string, operation mode, path to a valid cookie file) via command-line arguments or a minimal user interface.

If the path to the cookie file isn't given on the command line, the operator can drag and drop it onto a form. After the cookie has been parsed successfully and embedded in the local cache of the web browser, Hyperscraper creates a 'Download' folder into which it dumps the contents of the target inbox.

Victims have been notified

The victims of Charming Kitten who were attacked with Hyperscraper have been informed about the government-backed attacks.

"Users that received such a warning are encouraged to bolster their defenses against more sophisticated attackers by enrolling in Google’s Advanced Protection Program (APP) and by activating the Enhanced Safe Browsing feature, both of which provide an added security layer on top of existing protection mechanisms," said BleepingComputer.