fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Top Sites Infiltrated With Credit Card Skimmers And Crypto Miners

Top Sites Infiltrated With Credit Card Skimmers And Crypto Miners

An investigation into the top 10,000 Alexa sites reveals that many of these popular were infected with cryptocurrency miners and credit card skimming scripts.

Alexa is an online service that scores websites and ranks them based on their popularity, traffic earned, and various other factors.

In a shocking revelation made by Palo Alto Networks, some of these top sites that receive the highest amounts of internet traffic had ongoing malicious activity resulting from crypto miners and credit card stealing skimmers.

The impacted domains compiled by Palo Alto Networks include:

Affected DomainAffected TypeAttack TypeAlexa Rank (as of June 15, 2020)Site Type
libero[.]itMalicious External LinkMalicious Coinminer607The number one website in Italy offers various types of content and services: webmail, search engine, news, and more.
pojoksatu[.]idCompromised SiteMalicious Coinminer1494A news website in Indonesia.
www[.]heureka[.]czMalicious External LinkWeb Skimmer5204The largest e-commerce platform in Central and Eastern European markets.
zoombangla[.]comCompromised SiteMalicious Coinminer6579A news website in Bangladesh.

Cryptocurrency miners hidden in JavaScript files

Coinhive was a legitimate service that provided JavaScript-based Monero miners that were capable of running in a web browser.

This would mean right from a web browser, the mining script could control the CPU usage and the number of threads it spawned for the purpose. 

Unsurprisingly, due to its rampant abuse by malicious actors, the service was shut down.

“There are two websites still serving Coinhive’s miner script. One is coinhive.min.js and the other is JSEcoin,” stated multiple Palo Alto researchers in a blog.

A screenshot shows the source of a compromised website, zoombangla.com, running the coin miner script:

Zoombangla.com compromised website running Coinhive mining scripts
Source: Unit42/Palo Alto Networks

Also Read: 5 Ways On How To Destroy Documents Securely To Prevent Data Breach

For a user to be impacted they’d have to visit a website that was already infected with a crypto miner. However, the noteworthy fact remains that even top Alexa websites with stellar brand reputation can be victims of a compromise.

Visiting a website infected with such a script would immediately spike the user’s CPU usage levels.

Dangerous links injected in ads

Should a malicious JavaScript file make its way into your website, it can wreak havoc for your brand, your website’s security, and your customers.

Researchers at Palo Alto Networks observed instances of several ads on a legitimate used car website libero.it had been tampered with to include links that redirected the users elsewhere.

Compromised libero.it site would show ad links that redirected users to malicious destinations
Source: Unit42/Palo Alto Networks

“Attackers inserted malicious links into car advertisements, which redirected visitors interested in the vehicle to a malicious site that injected them with the JSEcoin coin mining script,” explained the blog post.

While the scripts would still run, the malicious actors are no longer able to receive mined coins after JSEcoin‘s shutdown this April.

A screenshot below shows just how many of these nefarious external links were placed on just a single page, of a compromised website:

Source code of the page with malicious outlinks

Webskimming Magecart attacks

Online credit card skimming attacks, also referred to as Magecart attacks, steal the user’s payment information entered within the web browser.

This typically happens when the web page collecting the payment information can be intercepted by the attacker, because of a malicious script running alongside the page in the background.

The researchers noticed the online shopping website heureka.cz which sells various products itself had links in the source code that loads obfuscated code skimming scripts.

Also Read: 8 Simple Ways To Improve Your Website Protection

heureka.cz website injected with malicious links

While the links in the source code below may appear to lead to destinations hosted on the heureka.cz domain itself, these actually redirect further to the malicious website, as shown below:

Disguised links leading to malicious destinations

This means the attackers could load inject scripts into the page while disguising these behind redirect pages hosted on the compromised domain itself.

When analyzed, the researchers reveal that the web skimming script would:

  1. Add event listener for [input, select, form, button, a, img].
  2. When a number string passes credit card validation checks, it sends the information out.
  3. Construct the collection server URL and parameters, then send the information out.

“Our research highlights that users need to exercise caution, even when visiting popular, apparently reputable websites. These are the same sites likely to generate the most income for attackers focused on malicious coinmining and web skimming,” state the researchers at Palo Alto Networks.

These findings come at a time when online shopping has surged among consumers by at least 33% given the COVID-19 pandemic and is expected to remain an indispensable commodity in the foreseeable future.

To protect themselves from attacks like these, users should safeguard their computers with up-to-date antivirus solutions, and be wary of the links they click on.

This can be achieved by paying attention “to the full URL of the site where they end up,” explains the blog post.

A complete list of Indicators of Compromise (IOCs) and remediation suggestions have also been provided by Palo Alto Networks in the same post.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us