
On E-Commerce Servers, New Malware Masquerades as the Nginx Process


Remote access malware is being used to attack eCommerce servers, and it hides inside Nginx processes in such a way that security solutions cannot detect it. The name NginRAT combines the application it targets (Nginx) with the remote access capabilities it delivers, and it is being used in server-side attacks to steal payment card data from online stores.

NginRAT was discovered on eCommerce servers in North America and Europe that were already infected with CronRAT, a remote access trojan (RAT) that hides its payloads in tasks scheduled to run on an invalid calendar day. The Linux cron system accepts a date specification as long as it is properly formatted, even if that day does not exist in the calendar, which means the scheduled task will never actually run.

CronRAT relies on this to stay hidden. According to research released by Dutch cyber-security firm Sansec, it hides a "sophisticated Bash programme" in the names of these scheduled tasks. Multiple layers of compression and Base64 encoding are used to conceal the payloads. Once decoded, the code includes self-destruction, timing modulation, and a custom protocol for communicating with a remote server.
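A defender-side check for the cron trick described above, written here as an added example (it is not Sansec's tooling or anything from the original post): it parses crontab lines and flags entries whose day-of-month and month fields can never coincide, such as day 31 of February. The crontab text is constructed for the demo; on a real host you would feed it the contents of /etc/crontab, /etc/cron.d/* and each user's crontab.

```python
import calendar
import re

# Constructed sample crontab (not taken from the page): two normal entries
# and two entries scheduled for days that do not exist (Feb 31, Feb 30).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
52 6 31 2 * /tmp/.x/run.sh
15 4 30 2 * /bin/bash -c 'echo PLACEHOLDER_B64 | base64 -d | gunzip | bash'
*/5 * * * * /usr/local/bin/healthcheck
"""

# minute hour day-of-month month day-of-week command
CRON_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")


def expand_field(field, lo, hi):
    """Expand a numeric cron field (lists, ranges, steps, '*') into a set of ints."""
    values = set()
    for part in field.split(","):
        rng, _, step = part.partition("/")
        step = int(step) if step else 1
        if rng == "*":
            start, end = lo, hi
        elif "-" in rng:
            start, end = (int(x) for x in rng.split("-"))
        else:
            start = end = int(rng)
        values.update(range(start, end + 1, step))
    return values


def is_impossible_schedule(dom_field, mon_field):
    """True when no (day, month) pair allowed by the schedule exists in any year."""
    days = expand_field(dom_field, 1, 31)
    months = expand_field(mon_field, 1, 12)
    # Use a leap year so that Feb 29 counts as a possible day.
    return not any(d <= calendar.monthrange(2024, m)[1] for d in days for m in months)


def find_impossible_entries(crontab_text):
    """Return crontab lines whose schedule can never fire (a CronRAT-style hiding spot)."""
    hits = []
    for line in crontab_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#") or line.lstrip().startswith("@"):
            continue
        m = CRON_RE.match(line)
        if not m:
            continue
        try:
            if is_impossible_schedule(m.group(3), m.group(4)):
                hits.append(line)
        except ValueError:  # named months/days such as 'feb' are not handled here
            continue
    return hits
```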

NginRAT has infected servers in the United States, Germany, and France, injecting itself into Nginx processes in a way that makes it undetectable and allows it to remain unnoticed. According to researchers at Sansec, the new malware is delivered by CronRAT, even though both perform the same function: granting remote access to the compromised system.

While the two RATs use quite different approaches to preserve their secrecy, Willem de Groot, director of threat research at Sansec, told BleepingComputer that they appear to have the same role, each operating as a backup for preserving remote access. Sansec was able to investigate NginRAT after building a custom CronRAT client and analyzing its interactions with the command and control server (C2) in China. As part of the typical malicious exchange, the researchers duped the C2 into sending and executing a rogue shared library payload, which turned out to be NginRAT, a "more advanced piece of malware."

“NginRAT essentially hijacks a host Nginx application to stay undetected. To do that, NginRAT modifies core functionality of the Linux host system. When the legitimate Nginx web server uses such functionality (eg dlopen), NginRAT intercepts it to inject itself,” reads the analysis published by the experts. The remote access malware is embedded in the Nginx process in such a way that it is practically impossible to distinguish from a legitimate Nginx process.
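One practical way to look for a shared library that has been injected into a web server process, added here as an example and not part of the Sansec analysis: inspect each Nginx worker's /proc/<pid>/maps and list mapped objects that come from outside the usual library directories or that point at deleted files. The maps excerpt below is constructed for the demo; the trusted-directory list is an assumption that should be tuned to the distribution in use.

```python
import os

# Constructed /proc/<pid>/maps excerpt for an nginx worker (not from the page).
# The last two file-backed mappings are the kind of thing worth investigating.
SAMPLE_MAPS = """\
55d1c3a00000-55d1c3b00000 r-xp 00000000 fd:01 131 /usr/sbin/nginx
7f0c9a000000-7f0c9a1c0000 r-xp 00000000 fd:01 2003 /usr/lib/x86_64-linux-gnu/libc.so.6
7f0c9a400000-7f0c9a420000 r-xp 00000000 fd:01 2010 /usr/lib/x86_64-linux-gnu/libpcre.so.3
7f0c9a600000-7f0c9a610000 r-xp 00000000 00:00 0 /dev/shm/.cache.so (deleted)
7f0c9a800000-7f0c9a810000 r-xp 00000000 fd:01 9999 /tmp/libnginx-helper.so
7ffd12300000-7ffd12321000 rw-p 00000000 00:00 0 [stack]
"""

# Assumed set of directories from which a stock nginx is expected to load code.
TRUSTED_DIRS = ("/usr/lib/", "/lib/", "/usr/lib64/", "/lib64/", "/usr/sbin/", "/usr/bin/")


def suspicious_mappings(maps_text):
    """Return file-backed mappings outside TRUSTED_DIRS or backed by deleted files."""
    hits = []
    for line in maps_text.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue  # anonymous mapping, no path column
        path = parts[5].strip()
        if path.startswith("["):
            continue  # [stack], [heap], [vdso] and friends
        if path.endswith("(deleted)") or not path.startswith(TRUSTED_DIRS):
            hits.append(path)
    return hits


def scan_nginx_processes(proc_root="/proc"):
    """Walk /proc and report suspicious mappings per nginx process (requires root)."""
    report = {}
    for pid in (p for p in os.listdir(proc_root) if p.isdigit()):
        try:
            with open(f"{proc_root}/{pid}/comm") as f:
                if f.read().strip() != "nginx":
                    continue
            with open(f"{proc_root}/{pid}/maps") as f:
                hits = suspicious_mappings(f.read())
        except OSError:
            continue  # process exited or permission denied
        if hits:
            report[int(pid)] = hits
    return report


if __name__ == "__main__":
    print(suspicious_mappings(SAMPLE_MAPS))
    print(scan_nginx_processes())
```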

Researchers Have Issued a Warning About Phishing Scams That Imitate Netflix


The tremendous shift of movie and television audiences to streaming services over the last year has offered scammers a golden opportunity to conduct phishing attacks in order to trick future customers into handing over their payment information. Cybercriminals will always follow payment data, according to Kaspersky's Leonid Grustniy, who warned of phishing attempts disguised as Netflix, Amazon Prime, and other streaming service offers. 

Kaspersky's researchers detected several lures tailored to targets depending on their current streaming subscription status. Fake sign-up pages for services like Netflix were used to obtain victims' email addresses and credit card information. “Armed with your info, they can withdraw or spend your money right away; your email address should come in handy for future attacks,” Grustniy wrote.

Fans who did not have subscriptions were lured in by cybercriminals offering them the chance to view popular series on a bogus website. The site usually displays a short clip as a teaser, which the scammers try to pass off as a fresh, previously unaired episode; it is usually taken from trailers that have been public for a long time. Interested victims are then prompted to purchase a low-cost subscription in order to continue viewing. What happens next is the standard scenario: any payment information entered by users goes directly to the fraudsters, and the "never-before-seen" episode never continues.

Cybercriminals are interested in more than just bank details: account credentials for streaming services are also popular with them, because hijacked accounts with paid subscriptions are sold on the dark web.

Scammers are increasingly weaponizing the extensive cultural influence of video streaming platforms. For example, the worldwide enthusiasm for Netflix's Squid Game was recently used to scam crypto investors out of more than $3.3 million. Check Point Research identified a fraudulent Netflix application in the Google Play store last spring, which spread via WhatsApp chats.

Users should avoid clicking links in any emails that appear to be affiliated with streaming services and should be aware of obvious signs of a scam, such as misspellings in messages that request payment information. “Do not trust any person or site promising viewings of movies or shows before the official premiere,” Grustniy added.

Amazon-owned Twitch Says Source Code Disclosed in Data Breach


Twitch, which is owned by Amazon.com Inc (AMZN.O), announced on Friday that last week's data breach at the live streaming e-sports platform includes documents from its source code. 

The streaming platform said in a statement that users' passwords, login credentials, full credit card numbers, and bank data were not accessed or disclosed in the breach. The platform, which video gamers use to communicate with viewers while live streaming content, attributed the breach to an error made during a server configuration change.

During server maintenance, modifications to the server's configuration are made. A flawed configuration can allow unauthorized access to the data stored on the servers. 

Twitch said it was "confident" the incident affected only a small number of users and that it was contacting those who had been directly impacted. The platform has more than 30 million average daily visitors. 

Video Games Chronicle had reported that about 125 gigabytes of data was leaked in the breach. The data includes details on Twitch's highest-paid video game streamers since 2019, such as a $9.6 million payout to the voice actors of the popular game "Dungeons & Dragons" and $8.4 million to Canadian streamer xQcOW.

About the breach

On October 6, Twitch confirmed that it had suffered a major data breach and that a hacker had accessed the company’s servers as a result of a configuration change that introduced a misconfiguration.

A Twitch spokesperson stated on Twitter, “We can confirm a breach has taken place. Our teams are working with urgency to understand the extent of this. We will update the community as soon as additional information is available.” 

The leaked Twitch data reportedly includes:
• The entirety of Twitch’s source code with commit history “going back to its early beginnings”
• Creator payout reports from 2019
• Mobile, desktop, and console Twitch clients
• Proprietary SDKs and internal AWS services used by Twitch
• “Every other property that Twitch owns” including IGDB and CurseForge
• An unreleased Steam competitor, codenamed Vapor, from Amazon Game Studios
• Twitch internal ‘red teaming’ tools (designed to improve security by having staff pretend to be hackers)

Twitch users are advised to enable two-factor authentication, which means that even if a password is compromised, the user still has to confirm their identity on their phone via SMS or an authenticator app.