Wednesday, July 28 2021

How to protect your data from Magecart and other e-commerce attacks – Malwarebytes Labs

In today's online shopping world, consumers connect to the Internet, enter some credit card details and happily receive products at their fingertips, assured that their online seller is well known and vetted, so its website must be safe, right? Do you realize that hackers can steal your credit card details with only a few lines of JavaScript?

Attacks on websites aimed at collecting the data users submit are not new at all. Magento, the open source e-commerce platform, has been the target of such hacks for years.

Compromising websites that also serve as payment platforms, then collecting credit card numbers and other personally identifiable information (PII) on the fly, is a surprisingly easy and profitable process.

In a sense, this is the digital equivalent of credit card skimming, the practice of grabbing someone's card details at a physical ATM. Just as criminals can tamper with an ATM, they can tamper with the payment page of a website.

In recent months there has been a steady increase in such attacks, affecting both smaller websites and major companies. This blog post will look at some of the most recent cases we have witnessed and offer some mitigation techniques for a threat that is designed to fly under the radar.

Third party compromises

Attackers can compromise a website using many different techniques, often by exploiting vulnerabilities or weak passwords. When this is not possible, they often turn to a third-party library that the site relies on, which may not be as well secured.

An additional advantage of third-party compromises, from the attacker's point of view, is scalability. By compromising a single provider, an attacker can affect every website that depends on it.

The following malicious code was added, in obfuscated form, to a legitimate and trusted script. This is the work of Magecart, the name given to a group of threat actors responsible for several recent high-profile attacks.

After decoding the script, we can see the code responsible for collecting data when customers hit the checkout button. At the network level, it appears as a POST request in which each field (name, address, credit card number, expiration date, CVV, etc.) is sent Base64-encoded to a rogue server (info-stat[.]ws) controlled by the criminals:

This type of attack is transparent to both the merchant and the customer. Unlike breaches involving leaked databases, where the information may be encrypted, web skimmers collect data in the clear and in real time.

British Airways case

Between August and September 2018, British Airways suffered a Magecart attack that lasted 15 days and was highly targeted so as not to raise suspicion among site visitors or administrators.

A JavaScript library was tampered with and blended into the payment flow so well that it was indistinguishable from the background. In fact, the script itself was loaded from the baggage claim information page, and the attackers even paid for an SSL certificate for the server to which they sent the stolen data. They could have used a free certificate as many other scammers do, but they probably wanted to avoid red flags and make everything look as legitimate as possible. Had they not taken so many precautions, they might have been discovered much earlier.

In terms of stolen data, the attackers managed to capture both personal information and payment details. The attack was so thorough that Magecart was even able to skim data from users of the mobile app, because parts of the site load inside the application itself and the attackers had pieces of code specific to mobile devices ready and waiting.

That such an attack could be launched at all, let alone with this level of internal access to the British Airways site itself, is deeply alarming. Airlines are entrusted every day not only with payment information but also with passport details, dates of birth and other incredibly personal information. Fortunately, British Airways has confirmed that no travel data were taken. But in terms of potential repercussions, including the inevitable attempts to misuse the data and blackmail attempts, this attack above all others could be catastrophic.

Mitigating factors

There is no silver bullet for preventing web skimming attacks, but there are still measures that can be taken to mitigate the risks.

Merchants (server side)

Running an e-commerce site carries responsibilities, especially if payment information is handled through it. It is usually safer (and simpler) to outsource the handling of financial transactions to larger, more trusted parties. PCI compliance and the risks associated with collecting payment data can be overwhelming, especially for site owners who would rather focus on the business side of things.

There are too many aspects of website security to cover here when it comes to preventing your site from being hacked, so we will focus on the third-party compromise scenario.

Verifying the integrity of third-party resources is an aspect of security that has been overlooked, but it can provide great benefits when loading external content. The reality is that a website usually cannot host all of its content itself, and it makes more sense to rely on CDNs and other providers for speed and cost reasons.

This relationship does not have to mean inheriting the third parties' problems. While this post has focused on credit card skimmers, there are a number of other threats that can spread via third-party libraries. For this reason, implementing safeguards such as Content Security Policy (CSP) and Subresource Integrity (SRI) can help mitigate many of these problems.

Consumers (customer side)

One thing to keep in mind as consumers is that we are placing our trust in the online stores we buy from. For this reason, it may be wise to avoid smaller sites that perhaps do not have the same level of security as larger ones. Of course, cases like British Airways or Newegg show the limits of this advice.

Browser plug-ins such as NoScript can prevent JavaScript from loading from untrusted sites and thus reduce the attack surface. However, they have the same limitation when the malicious code is embedded in resources that are already trusted.

Magecart and other web skimmers can also be mitigated at the exfiltration level, by blocking connections to known domains and IPs used by attackers. This is not foolproof, considering how trivial it is to register new domains, but infrastructure reuse is still something we see quite often.

We will continue to monitor these threats and add the relevant indicators of compromise (IOCs) to our database to protect our Malwarebytes customers.
