While ransomware and leaky or completely unprotected databases dominated headlines, e-skimmers quietly made a killing. A major e-skimming compromise was discovered on Macy's in which hackers captured the payment information of a number of online shoppers. The retailer was not alone. American Outdoor Brands, Puma, Ticketmaster UK, British Airways, Vision Direct, Newegg, and many, many others were also infected by e-skimmers.
The best way to avoid getting skinned by e-skimming is standard issue. Everyone needs to monitor their accounts, avoid using debit cards (because they are a direct money funnel), keep passwords long and strong, and generally practice good cyber hygiene. On the business side of things, it is crucial that software patches are applied as soon as they're released, and that employees are trained to recognize the signs of compromise.
As with many cyber threats, the best solutions are cultural. Merchants and customers need to get in the habit of putting security, including constant vigilance, first in all online activities.
But while this is all perfectly sound advice, it is not going to solve the e-skimming problem, which is that e-commerce sites are increasingly complex and because of that more difficult to defend. They have an ever-expanding attackable surface in an environment where reducing that surface is the watchword.
Visa’s Payment Fraud Disruption team reports that cybercriminals are increasingly using web shells to establish command and control over retailers' servers during payment card skimming attacks. "As a result, eSkimming, or digital skimming, is among the top threats to the payments ecosystem," according to the Visa report. The web shells enable fraudsters conducting digital skimming attacks on e-commerce sites to establish and maintain access to compromised servers, deploy additional malicious files and payloads, facilitate lateral movement within a victim's network and remotely execute commands, Visa says.
The most common methods for deploying a web shell are malicious application plug-ins and PHP code, Visa reports. Visa reached its conclusions after studying 45 digital skimming attacks in 2020. In February, Microsoft reported spotting 140,000 web shells per month on servers from August 2020 to January 2021, which it said is almost twice the number from the same period the year before. These web shells, however, were not being used for retail attacks.
Visa notes attacks skimming payment card data from online checkout functions of e-commerce sites have become more prevalent during the COVID-19 pandemic as consumers have shifted to online shopping.
Visa offered several examples of ways attackers gain initial entry and then deploy a web shell on an e-commerce site. For example, in one case, a merchant's administrative database credentials were stored in clear text and hard-coded into database-related PHP files. So the attackers were able to gain relatively easy access to the credentials necessary to deploy the web shells and gain root access to the database and web servers, Visa says.
In another case, the attackers obtained the administrative credentials to a company's "jump box," a secure computer that administrators use to gain entry to their network. This enabled the attackers to enter the e-commerce system and implant the web shell. Using plug-ins that integrate into a merchant's commerce platform is another common method that attackers launching skimming attacks use, the report notes.
"In one incident, actors modified the code of a legitimate file related to a plug-in for the content management system that was used to build the merchant's website," Visa reports. "The modifications injected malicious code into this plug-in that provided the actors with administrative privileges to the e-commerce environment."
In another case, the attackers exploited a vulnerability in a plug-in integrated into the merchant's website via a third-party service provider, the report notes. Visa's investigation also determined that many retailers' e-commerce sites were running Adobe's Magento V.1, which reached end-of-life status in mid-2020 and is no longer being supported.
Attackers keep track of end-of-life announcements because outdated software can be an easy target. For example, in September 2020, Sanguine Security tracked, over a one-week period, JavaScript skimming code being injected into more than 2,000 e-commerce sites that were running an older version of Adobe's Magento software.
Visa offered a list of security recommendations to help thwart skimming attacks and other threats. Those include:
- Enforce effective identity access management practices and ensure administrative panels and other privileged access methods are properly secured and not publicly accessible.
- Ensure familiarity and vigilance with code integrated into e-commerce environments via service providers by reviewing and validating the code and updates, and closely vet content delivery networks and other third-party resources.
- Regularly ensure that online shopping carts, other services and all e-commerce software are upgraded or patched to the latest versions.
- Regularly scan and test e-commerce sites for vulnerabilities or malware.
- Log e-commerce environment network activity and regularly review for unusual, suspicious activity.
- Implement network segmentation to prevent threat actor movement and ensure the cardholder data environment is sufficiently protected.
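Two of the incidents above (a legitimate plug-in file edited in place, and new PHP files dropped onto the server) are exactly what a file-integrity baseline of the web root catches, which is one concrete way to act on the "regularly scan" and "review for unusual activity" recommendations. The following is an added illustration, not code from Visa or Red Sky Alliance; the directory names, file names and the constructed tamper steps in demo() are assumptions chosen to mirror a Magento-style layout.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Files with these suffixes execute server-side or in the shopper's browser; a new one
# appearing in a directory meant for images/uploads is a classic web-shell drop pattern.
EXEC_SUFFIXES = {".php", ".phtml", ".js"}


def hash_tree(root):
    """Return {relative_posix_path: sha256_hex} for every regular file under root."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare(baseline, current, upload_dirs=("pub/media/", "media/")):
    """Diff a stored baseline against a fresh scan of the same web root.
    'suspicious' lists newly added executable files inside upload-only directories."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    suspicious = [p for p in added
                  if Path(p).suffix.lower() in EXEC_SUFFIXES
                  and any(p.startswith(d) for d in upload_dirs)]
    return {"modified": modified, "added": added, "removed": removed, "suspicious": suspicious}


def demo():
    """Constructed example: baseline a tiny fake web root, then tamper with it."""
    with tempfile.TemporaryDirectory() as root:
        plugin = Path(root, "app/code/Vendor/Checkout/Block/Form.php")  # assumed path
        plugin.parent.mkdir(parents=True)
        plugin.write_text("<?php class Form { }\n")
        Path(root, "pub/media").mkdir(parents=True)
        baseline = hash_tree(root)  # in practice: store this off-host, re-scan on a schedule
        # Simulate the two compromise patterns from the report: the legitimate plug-in file is
        # edited in place, and a new PHP file lands in a directory that should hold only images.
        plugin.write_text("<?php class Form { } // constructed: appended code\n")
        Path(root, "pub/media/image.php").write_text("<?php // constructed placeholder\n")
        return compare(baseline, hash_tree(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the baseline from a known-good deployment (and again after every legitimate patch), and treat any entry in "modified" or "suspicious" as an incident to investigate rather than noise to re-baseline.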
Red Sky Alliance has been analyzing and documenting cyber threats and groups for over 9 years and maintains a resource library of malware and cyber actor reports available at https://redskyalliance.org at no charge. Many past tactics are reused in current malicious campaigns.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
• Reporting: https://www.redskyalliance.org/
• Website: https://www.wapacklabs.com/
• LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
• REDSHORTS - Weekly Cyber Intelligence Briefings: https://attendee.gotowebinar.com/register/3702558539639477516
TR-21-112-002_eSkimming_Attackers.pdf