
Credit Card Stealing Malware Bundles Backdoor For Easy Reinstall

Image: Justin Lim

According to researchers at Dutch cyber-security company Sansec, threat actors deployed an almost impossible-to-remove malware, set to activate automatically on Black Friday, on multiple Magento-powered online stores.

Beginning in April 2020, the threat actors behind these web skimming attacks (also known as Magecart) targeted and infiltrated online stores powered by Magento versions 2.2.3 through 2.2.7.

The attackers exploited multiple security vulnerabilities in these older, deprecated Magento 2.x versions to inject backdoors and credit card stealer scripts, which allowed them to harvest the stores’ customer payment card data.

Credit card skimmers are JavaScript-based scripts injected by Magecart cybercrime groups on compromised e-commerce sites’ pages to exfiltrate payment and personal info submitted by customers to servers under their control.

Credit card skimmer mimicked payment flow

“Over the last months, hackers have quietly added a subtle security flaw to over 50 large online stores, only to exploit them right before Black Friday,” Sansec said.

“The flaw’s presence would ensure future access for the attackers, even if their primary operation was blown.”

The threat actors used a complex web skimming infrastructure that employed both backend and frontend malware, as well as several safeguarding techniques that made it possible to avoid removal from the compromised stores even after the attack was detected.

In some cases, the skimming script displayed custom-tailored fake payment forms within the compromised shops’ interface, and it sent the collected payment information to /checkout.

This tactic was used to mimic what looks like a normal payment transaction flow to make it harder for the e-commerce sites’ security monitoring systems to spot any malicious activity.

Magecart skimmer script (Sansec)

Hidden backdoor provides access after detection

After their “hybrid skimming architecture” was removed, the attackers would reinfect the e-commerce sites by re-infiltrating the server and redeploying the malware within a few days of the store’s clean-up.

As part of these highly persistent web skimming attacks, which were almost impossible to block completely, the attackers deployed the following malicious components on each compromised online store:

  • a backdoor used for deploying additional malicious payloads
  • a backdoor watchdog running as a hidden system process that would help restore the backdoor if removed by the site admin/owner
  • a CORS-defeating hybrid payment Magecart skimmer script with backend and frontend components for stealthily stealing customer info
  • an admin password logger used for harvesting credentials

To top it all off, the admin password logger would continue collecting and exfiltrating admin credentials to the Magecart operators even after the attackers had completely lost access to the e-commerce site’s servers and could no longer reinfect it with credit card stealing malware.

Admin password logger (Sansec)

Detailed information on each of the malware components used in these web skimming attacks is available in Sansec’s report.

Sansec researchers also discovered a web skimming malware capable of hiding in plain sight as SVG social media buttons mimicking high profile platforms like Facebook, Twitter, and Instagram.

That credit card stealer used a double payload structure: the skimmer script’s source code was hidden inside the social sharing icons, and a separate decoder, deployed on the e-commerce site’s server, extracted and executed it.
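As an added defensive illustration (this is not code from Sansec’s report or from the article), the following scanner flags SVG assets that carry script elements, event-handler attributes, or long high-entropy blobs of the kind a payload hidden in a share icon would need. The sample SVGs, the blob filler and the entropy threshold are constructed assumptions.

```python
import base64
import hashlib
import math
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Any run of 64+ base64-alphabet characters inside an attribute or text node
BLOB_RE = re.compile(r"[A-Za-z0-9+/=]{64,}")
ENTROPY_FLOOR = 4.5  # bits per character; assumed cut-off, encoded data sits well above it

def shannon_entropy(s: str) -> float:
    """Bits per character of the string's empirical symbol distribution."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def scan_svg(svg_text: str) -> list:
    """Return (kind, detail) findings: script elements, on* event-handler
    attributes, and high-entropy encoded blobs that do not belong in an icon."""
    findings = []
    for el in ET.fromstring(svg_text).iter():
        tag = el.tag.split("}")[-1]  # drop the XML namespace prefix
        if tag.lower() == "script":
            findings.append(("script element", tag))
        for attr, value in el.attrib.items():
            name = attr.split("}")[-1]
            if name.lower().startswith("on"):
                findings.append(("event handler attribute", f"{tag}@{name}"))
            for blob in BLOB_RE.findall(value):
                if shannon_entropy(blob) > ENTROPY_FLOOR:
                    findings.append(("encoded blob", f"{tag}@{name} len={len(blob)}"))
        for text in (el.text, el.tail):
            for blob in BLOB_RE.findall(text or ""):
                if shannon_entropy(blob) > ENTROPY_FLOOR:
                    findings.append(("encoded blob", f"{tag} text len={len(blob)}"))
    return findings

# Constructed samples, not assets from any real store
BENIGN_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24">'
              '<path d="M12 2C6.5 2 2 6.5 2 12s4.5 10 10 10 10-4.5 10-10S17.5 2 12 2z"/></svg>')
# Filler standing in for a hidden payload: hashed bytes, so it carries no code at all
_FILLER = base64.b64encode(b"".join(hashlib.sha256(bytes([i])).digest() for i in range(3))).decode()
SUSPECT_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" onload="">'
               '<path d="M12 2C6.5 2 2 6.5 2 12s4.5 10 10 10"/>'
               f'<g data-share-cfg="{_FILLER}"/></svg>')

if __name__ == "__main__":
    for label, svg in (("benign", BENIGN_SVG), ("suspect", SUSPECT_SVG)):
        print(label, scan_svg(svg))
```

Run it over a store’s static asset directory and diff the findings against a known-good baseline; a share icon that suddenly gains an encoded blob or an event handler is worth a manual look.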
