Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Web Skimming. Show all posts

Target Reveals Its Personal Skimming Detection Tool


Web skimming is a major problem for e-commerce shops and websites over the past few years. The attacks include simple script injections into payment platforms and breaches of genuine third-party services and scripts. Often referred to as Magecart attacks, these have become one of the leading reasons for card-not-present (CNP) fraud and affect small and big brands in the same manner, and also impact e-commerce platforms. Top e-commerce retailers, Target went in solutions a few years back to deal with this problem and keep their customers safe when shopping on the Target website.
 
As there were not many ready-to-detect tools for these attacks back then, two computer security experts thought about making one. After going live and in use for more than three years, Target.com company's client-side scanner has now been issued as an open-source project named Merry Maker. Merry Maker constantly affects online surfing and executes test transactions to scan for any harmful code. 

Merry Maker works as a guest on Target.com by executing various general tasks that include online purchases. In this process, the tool stores and analyzes various types of information which includes network requests, browser activity, and JavaScript files to check for any suspicious activity. 

About Card Skimming 

Card skimming is an attack where a harmful device is deployed at the point of authorized transaction to steal financial credentials. In the real world, skimming devices are attached to the card slots of ATMs or gas pump payment platforms to store data encrypted on the card's magnetic stripe. These generally come with a PIN pad or small cameras that plans to steal PINs types by users. 

These chip-based cards use encryption along with other transaction authentication and verification features are meant to challenge such types of card attacks. "Web skimming groups use sophisticated techniques to make their keylogging code hard to detect. The code can be heavily obfuscated and added to existing JavaScript files or even stored in other types of resources such as CSS or even embedded into images or it can be hosted on third-party domains," writes CSO.

Magecart Groups Exploit 300+ Sites via Trojanized Google Tag Manager Containers

 

Gemini security researchers have unearthed more than 300 e-commerce stores exploited via trojanized Google Tag Manager (GTM) containers as part of an ongoing Magecart campaign which began in March this year. 

Threat actors exploited a genuine feature of the Google Tag Manager service and secretly placed malicious JavaScript code called ‘web skimmer’ known for siphoning bank details of online shoppers. The stolen data was later offered for sale on the dark web, Gemini analysts, explained.

How Google Tag Manager was exploited? 

Threat actors abused Google Tag Manager, a tool that helps online retailers to understand customer behavior and dynamically update tracking and analytics code on their sites. More specifically, the attacks abused GTM containers, a feature that can be used to package and ship entire blocks of JavaScript code. 

The hackers targeted e-commerce in a sophisticated manner by designing their own GTM container, hacking into e-commerce stores, and secretly deploying the malicious code without the owners’ knowledge. 

The malicious code remained undetected for months because web security tools and even website owners examining their own code would have had a hard time detecting the malicious GTM container from their own GTM tags. In total, this malicious campaign hit 316 online stores and nearly 88,000 customers, who had their data sold online, Gemini Advisory said. 

After analyzing the malicious campaign, Gemini analysts believe the attacks were performed by two different hacking groups. The first group embeds the entire malicious e-skimmer script in the container and another one places a loader inside the container that operates on the compromised site and loaded the web skimmer through an intermediary step. 

“Although the two GTM container variants involve similar tactics—storing e-skimmers within GTM containers or housing scripts in GTM containers that load e-skimmers from dual-use domains—analysis of the two variants suggest that two different Magecart groups are responsible for each variant,” the Gemini Advisory team explained in a blog post. 

The first group performed two-thirds of all the hacks and started operations in March, while the second group began its operations in May. Both targeted e-commerce stores running on different platforms, including Magento, WordPress, Shopify, and BigCommerce. 

Smaller e-commerce shops were the most common target since they often lack the resources or interest to design robust security systems, and only one had enough traffic to be listed in the Alexa Top 50,000, researchers said.

Gemini’s research was published after security firm RiskIQ revealed details regarding another web skimming attack targeting WordPress sites running the WooCommerce plugin. Additionally, security firm Sansec has published findings regarding multiple web skimming operations, highlighting a trend where hackers are upgrading themselves by moving away from web-based compromises to designing their own malware that they deploy into compromised sites at the server level.

Online Credit Card Skimming on a Continual Rise – Here's How to Prevent it


Credit card skimming has already been on a rise prior to the pandemic and the trend is most likely to develop in the near future as online shopping has seen a dramatic jump due to the confinement measures imposed in various nations – giving cybercriminals more opportunities to bank upon than ever.

Popularly known as, 'Magecart' moniker, web skimming is the practice of compromising online stores and stealing payment card data in the process. In March, web skimming soared by 26%, as per the data by MalwarebytesLABS.

Credit card skimming is a form of credit card theft where crooks steal victims' credit card credentials and other sensitive information through a skimmer which is a small device constructed to steal information stored on credit cards when victims carry out transactions at ATMs. Lately, the terminology has been expanded to include malicious code that targets payment card data filled on e-commerce websites while making purchases. By either means–hardware or software, skimming attempts to achieve the same goal of performing fraudulent transactions by using the stolen data.

As various nations upgraded their cybersecurity by moving to chip-enabled cards, crooks have also continually adopted new and sophisticated methods to avoid detection. Certain skimming devices are designed to fit into the card reading slot – known as "deep-insert." They are intended to read data from the chips on chip-enabled cards.

Consumers are advised to stay extra cautious as there is not just a single way to fall in the trap of skimming, security experts recommend looking for signs of tampering like chunks of metal or plastic that seem off in dispositions, strange holes, or constituents, not in alignment with the rest of the ATM.

To prevent online skimming, there is not much one can do directly as they can't control the affected software. However, consumers can constantly monitor their card statements to look out for unauthorized transactions. They can use virtual card numbers to make online purchases if the bank offers of can also pay with smartphones; services such as Google Pay and Apple Pay that uses tokenization, replacing the real number with a virtual one, assures a great deal of security for real number by not exposing it. Another way to ensure safety is by making use of an alternative e-wallet service like PayPal.

Recent skimming attacks include a data breach disclosed by Warner Music Group, The American Payroll association's report wherein cybercriminals installed skimming malware on the login page of their website as well as the checkout section by exploiting a vulnerability in the company's CMS. Magecart skimmers also employ Telegram as a means for sending stolen credentials back to its C2 servers.

Hackers Attack Online Stores Stealing Credit Card Data, Experts Allege North Korea


According to the recent findings, there has been an incident of web skimming attacks on the European and American online store websites. The hackers responsible for the attacks are likely to be state-sponsored from North Korea. Research conducted by cybersecurity experts at Sansec reveals that the web skimming attacks that broke into the online retail stores started in May 2019. APT Lazarus and Hidden Cobra hacking groups were responsible for the attacks, planting payment skimmers to breach the security.



According to the new research, the hackers have now increased their activities. They have now set a larger target area and attack online stores using a skimming script, which steals the customer's banking credentials during the checkout stage. The researchers from Sansec claim that the attacks were carried out by Hidden Cobra because a similar hacking pattern was used in their previous attacks.

What is Magecart Attack? 
It is a web skimming attack in which hackers can steal banking credentials from the user and credit card details. However, in this incident, Hidden Cobra, after gaining access, launched a large scale attack on big online retail stores. Once hackers have unauthorized access, they deploy fake scripts on the websites' checkout pages. The skimmer then stores all the credentials that the user types during the checkout stage and sends it to the main Hidden Cobra servers. According to Sances data, in millions of online stores, up to 100 stores' websites are compromised on an average every day.

"To monetize the skimming operations, HIDDEN COBRA developed a global exfiltration network. This network utilizes legitimate sites that were hijacked and repurposed to serve as disguises for criminal activity. The system is also used to funnel the stolen assets so that they can be sold on dark web markets. Sansec has identified a number of these exfiltration nodes, including a modeling agency8 from Milan, a vintage music store9 from Tehran, and a family-run book store10 from New Jersey," says the Sansec report. Experts have now linked various attacks since 2019 to Hidden Cobra, say that the threat actors are very likely to be state-sponsored.

Hackers use the Fake Image Hosting Website as a Decoy to Launch E-Skimming Attacks


In what is said to be one of the most creative hacking technique to date, a group of hackers made a fake image hosting website to use it as a disguise for their web skimming operations. The aim is to deploy harmful codes that will steal payment card credentials from users via infected websites. The cybersecurity experts refer to this technique as e-skimming, web skimming, or Magecart attack. In this operation, the hackers attack a website, insert malicious codes in the webpages.


The malicious codes are responsible for stealing payment credentials when the users enter the details during the checkout form. The skimming attacks have been on the rise for the last four years. The cybersecurity experts have advanced in identifying the web skimming attacks, but so have been the hackers, as they are coming up with more sophisticated techniques.

Hackers used a fake image hosting website

According to a report published by Malwarebytes, a US-based cybersecurity firm, the experts have discovered a new group of hackers that have taken this technique to a whole different level. The group, according to Malwarebytes, was found while the experts were investigating a range of unfamiliar cyberattacks. In the investigation, the hackers noticed that only the Favicon was modified on the website, which is the logo icon displayed on browser tabs. "This latest case started with an image file displayed on the browser's tab often used for branding or identifying a website, also known as a favicon. While reviewing our crawler logs, we noticed requests to a domain called myicons[.]net hosting various icons and, in particular, favicons. Several e-commerce sites were loading a Magento favicon from this domain," says the report of Malwarebytes.

The hackers responsible behind this attack surely went some extra miles, as the codes were sophistically hidden. But, web skimming attacks, sooner or later, are bound to be found. "Given the decoy icons domain registration date, this particular scheme is about a week old but is part of a more significant number of ongoing skimming attacks. The goal remains to deceive online shoppers while staying under the radar from website administrators and security scanners," says Malwarebytes.

E-Commerce Attacks Didn't Increase During Coronavirus Quarantine


Due to the COVID-19 pandemic, people across the globe to stay at home. The quarantine has increased online shopping figures. Even though a majority of the people are shopping online for everything, from food to groceries to daily essentials, the web skimming attacks didn't increase and are supposedly expected not to in the near time, due to it, say cybersecurity experts. Web skimming or Magekart attacks or e-skimming is a kind of cyberattack where the attacker inserts malicious codes in the online stores' website. When the users make any payment in the checkout process while entering the data, the hackers steal their credit card credentials.


Web skimming attacks were famous amid the hackers during 2017-18 and had been rising since then. Various cybersecurity experts and agencies, when asked about 'the impact of large scale online shopping on the web skimming incidents,' they all agree that web skimming attacks will not rise just because more people are shopping now, spending most of their time online, while staying at home. It is because, for a very long time, hackers have tried to breach prominent e-commerce websites but have failed to do so, while the web skimming incidents have remained constant through the years.

According to these cybersecurity experts, there's only one condition under which web skimming attacks can increase, and that is only when the number of online stores will increase can the hackers look for new sites to attack. Unless that happens, the rate of web skimming attacks will remain the same. According to the statistical analyses by Sanguine Security, the data shows that web skimming attacks have slightly fallen during the COVID-19 pandemic. However, not every cybersecurity agency agrees with this data.

But according to Jerome Segura, who is a web analyst at Malwarebytes, the web skimming attacks on online stores have not increased, therefore it confirms with Sanguine Security's data. It may be because the number of online stores increased before 2-3 months, but nobody observed these attacks during that time. Another reason might be that buyers prefer shopping from popular e-commerce websites, which are hard to breach through for hackers.