A newly discovered web skimming campaign running for the past year has already compromised over 40 e-commerce sites, according to researchers. The JavaScript protection vendor revealed that “Group X,” which exfiltrated card data to a server in Russia, used a novel supply-chain technique to compromise its victims. The cyber-criminals exploited a third-party software named Cockpit, a free web marketing and analytics service that was discontinued in December 2014. Cockpit is a JavaScript library typically used in User Interface, Frontend Framework applications. Cockpit has no bugs, it has no vulnerabilities, it has a Permissive License and it has low support. It can be downloaded from GitHub.[1]
Web skimming, also known as Magecart attacks, occurs when hacker groups use online skimming techniques for the purpose of stealing personal data from websites. The hackers mostly target credit card information on sites that accept online payment or personal customer information.
They acquired the domain name that hosted the library and used it to serve a skimming script via the same URL. By re-registering the defunct domain and configuring it to distribute malicious code, the attackers were able to compromise over 40 e-commerce websites. The vendor said it is not uncommon for web owners to fail to remove deprecated libraries like this from their sites, leading to dead links that can be compromised. The problem lies with a lack of insight into third-party code and poor security practices.
Most security teams do not have visibility into this third-party code running on their website; they do not know if it is behaving as it should or misbehaving, whether accidentally or maliciously. This security blind spot can create a false sense of confidence in your assessment of risk; it’s hard to measure what you cannot see.
However, the vendor also admitted that some of the compromised sites may have been impacted due to the content management system or website generator service they were using, which automatically injected the third-party script into their pages. In that scenario, they may have been unable to remove the library from their site due to restricted permissions or lack of knowledge.
One of the impacted sites posted a notice on their payment page warning users of the skimmer, rather than removing it. Investigators also found two other web skimming groups. One, named “Group Y,” used a similar skimmer to Group X but attacked websites directly with the aim of injecting a script into their homepage. The third, “Group Z,” apparently used a slightly modified script and server structure in its attacks.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www. redskyalliance. org/
- Website: https://www. wapacklabs. com/
- LinkedIn: https://www. linkedin. com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989
[1] https://www.infosecurity-magazine.com/news/web-skimming-attacks-hit-dozens-of/
Comments