Tag Archives: website breach

Ecommerce: Payment card stealing malware

by in Enterprise and tagged , , , , , , , , , , , ,

Authored by Chris Olson, CEO and Co-Founder, The Media Trust.

Malware compromise demonstrates how payment security standards are in dire need of an update for the digital environment.credit cards falling as dominoes

A bad actor has upped the stakes in his campaign to collect consumer payment card information by expanding his reach to mid-tier ecommerce providers across the US, UK and India, covering a range of industries including apparel, home goods, beauty and sporting event registrations.

Echoing a similar scenario observed over Memorial Day weekend in 2016, the bad actor injected a transparent overlay on top of the credit/debit card information block on a payment page so that a victim’s financial information is surreptitiously collected and sent to another party, not the e-retailer.

Considering these ecommerce firms earn anywhere from a $10,000 to $400,000 a day, the ecommerce firms risk significant revenue loss and negative consumer confidence. In addition, they also demonstrate inadequate security processes, even though these processes may comply with Payment Card Industry (PCI) standards.

[Please note, The Media Trust has a policy of not revealing the names of websites experiencing an active compromise. Affected ecommerce site operators were, however, notified of this breach.]

The big picture

The infection gradually spread to a number of small and mid-tier ecommerce sites in the US, UK and India, over the last few days. Upon analysis, The Media Trust discovered that each ecommerce provider uses the same open source content management system (CMS) to serve as the consumer-facing front end. The CMS platform’s master page script is infected with one of the several malicious domains. The malicious domain is present in the website’s footer section which means that it permeates every page of the site and not just the checkout page.

In addition, researchers detected multiple domain pairs, which were registered by the same bad actor within the past few months and labeled as suspicious by The Media Trust within two weeks of creation. The domains are now overtly malicious. To avoid detection, the malicious domains execute over varying time intervals and, in at least one instance, move from website to website across the three regions.

Scenario breakdown

In the course of supporting our clients, The Media Trust first detected the malicious actor via client-side scans of advertising-related content, i.e., creative, tags and landing page. The ecommerce site serves as the landing page for an advertising campaign.

The actor used multiple techniques to carry out his attack. In the following scenario, the landing page contains <assetsbrain[dot]com>, extraneous code unnecessary for the proper execution of a payment.

Image 1Malicious domain in the website’s footer

When the victim chooses to make a purchase via the checkout page, <assetsbrain[dot]com> performs two distinct actions: executes JavaScript to inject a transparent overlay on top of the payment card information block and drops a user-identifying cookie.

Ecommerce Post Image 2.pngExecution of transparent overlay

After input of card details, the malicious domain sends the information to <bralntree.com/checkPayments[dot]php>, an obvious spoof of a common payments platform.

Because the ecommerce operator doesn’t receive the card details, the shopper receives an error message and/or request to re-submit their payment information. The unauthorized cookie identifies the user and therefore does not execute the malicious script when the user re-enters the payment card information.

Online transactions remain a risky endeavor

In the realm of compromises, this infection highlights the inadequacy of current PCI security standards. Issued by the Payment Card Industry Council in 2005, the PCI Data Security Standard (PCI DSS) aims to protect cardholder data used during online financial transactions. Backed by the world’s largest credit card issues, PCI DSS requires online merchants to conform to a set of standards such as regular website and server vulnerability checks.

The affected ecommerce sites do not have certifications or seals demonstrating PCI compliance. Their privacy policies declare regular scanning and website security policy review; however, these processes are insufficient, since traditional web application security (appsec) solutions are not able to effectively detect malicious behavior executing via third-party code.

Proving the fallibility of traditional web application scanning utilities, all domains (ecommerce providers, initial malicious domain and spoofed payments platform) are considered clean by VirusTotal as of early morning May 16.

Protect your business by securing your revenue stream

Any size ecommerce provider can protect their revenue and reputation by adopting the following website risk management strategies:

  • Secure your CMS platform: Review security processes with the CMS platform and keep all code and plugins up to date.
  • Surpass PCI DSS standards. Demand more rigorous scanning of the entire website to identify compromise of both owned and third-party code not visible to the website operator.
  • Audit operations. Document all vendors and their actions when executing on your website. This helps you quickly identify anomalous behavior and establishes a remediation path.

What’s on your website? And what’s it doing there?

by in Enterprise and tagged , , , , , , , , ,

Recognizing the risks of third-party code on brand and ecommerce websites.

That’s a simple question, right? You’d think that IT, infosec and ecommerce/digital operations would know—that they would want to know—which third-party domains execute code on their company’s website. The reality is they don’t know, exposing their site and their site’s visitors to the constant threat of cyber attacks in the form of malware drops or domain redirects.

Today, most organizations recognize that online and mobile ads serve as major conduits for malware, but they remain ignorant to the risks associated with third-party code executed on their website. They fail to understand the value of knowing how many third-party vendors and domains access their site each day, week or month. Failure to track third-party code activity or the length of time the domain remains on a site opens the door to malware, site performance issues and data leakage, which can lead to lost revenue and privacy violations.

And don’t forget that many of these vendors may require a fourth-party to enable their functionality, which means the average website can have hundreds of domains accessing the site at any one time. In fact, the preponderance of source code executing on Fortune 1,000 websites is third-party code—just think of the latency challenges!

That figure sounds high until you take into account the third-party services required to render a single URL: blogging, video, data analytics, comments, chat, product reviews, marketing automation, etc. These various services provide for a more interactive and engaging website, as well as enable the site to be optimally monetized.

While third-party vendors provide value, they must also be closely monitored, lest they unknowingly serve as an entry point for malware, as evidenced with the Syrian Electronic Army’s (SEA) Thanksgiving Day attack on more than 100 media sites. The SEA attacked these various websites by first infiltrating an unsuspecting third-party used by media outlets, and a few name-brand companies, whose ecommerce sites were unavailable for hours resulting in millions of lost revenue. In the grand scheme of things, this recent compromise was relatively harmless—the SEA redirected the Gigya domain to a promotional message—and did not penetrate internal systems, infiltrate firewalls or pilfer sensitive corporate or customer data. Yet.

While third-party vendors provide value, they must also be closely monitored, lest they unknowingly serve as an entry point for malware, as evidenced with the Syrian Electronic Army’s (SEA) Thanksgiving Day attack on more than 100 media sites. The SEA attacked these various websites by first infiltrating an unsuspecting third-party used by media outlets, and a few name-brand companies, whose ecommerce sites were unavailable for hours resulting in millions of lost revenue. In the grand scheme of things, this recent compromise was relatively harmless—the SEA redirected the Gigya domain to a promotional message—and did not penetrate internal systems, infiltrate firewalls or pilfer sensitive corporate or customer data. Yet.

Purveyors of malware attack for two primary reasons: simple profit or publicity, with the Sony Pictures Entertainment breach being the most recent high-profile example. Due to the heavy reliance on marketing analytics, plug-ins and third-party content, brand and ecommerce sites are prime targets for a large-scale attack orchestrated through an unknowing accomplice: a third-party executing code on an ecommerce site. And it won’t be for harmless fun. These cyber criminals leverage corporate websites to drop malware on site visitors, which typically includes employees, that mines for system vulnerabilities, syphon valuable customer data or redirect consumers to alternative and possibly competitive sites.

When this happens, what will you do? Instinct is to shut down the entire property until you can locate the malicious code—a process that can take hours of searching. This is an expensive solution, because not only do you spend resources pinpointing the problem but you also won’t be able to deliver promised ads or process customer transactions, and your brand will be forever tarnished.

The best defense is continuous monitoring of third-party vendors to catch the moment they are compromised and before significant harm is unleashed. Through constant scanning of these website partners you will know the instant an anomalous activity is detected, whether it be suspicious code or a domain redirect.

Think about it the next time you visit your company’s website to read product reviews, catch up on the latest blog post, chat with the help desk or watch an entertaining video. Do you really know which vendors enable these activities? Have you authorized their presence and activity? Once you have a handle on this information, securing your business’s online presence becomes easier.

 

SEA attack is no surprise

by in Enterprise and tagged , , , , ,

Ecommerce website losses estimated in the millions of dollars.

Boom! There it is. As expected, someone took advantage of the holiday season to make a statement, and hacking into media and corporate brand websites is one way to get the world’s attention.

Early yesterday morning at 6:38 a.m. EST, The Media Trust was the first security company to detect a pop-up screen stating the Syrian Electronic Army (SEA) had hacked a website, first in mobile and then online environments. The ongoing, 24/7 scanning of more than 25,000 websites through our Media Scanner services allowed us to quickly detect the hack and prepare our clients for battle.

Upon detection of this pop-up message, The Media Trust’s Malware Team immediately analyzed the code and determined it stemmed from a call made by Gigya, a customer management platform used by more than 700 leading brands. The Malware Team immediately contacted affected clients so they could quickly remove and then block the malicious file, thereby helping clients avoid the time-consuming hassle of tracking down the issue’s source.

This was an indirect attack, because it compromised the DNS server at gigya.com, which is hosted by GoDaddy. The SEA did not gain access to the Gigya servers; instead they redirected Gigya’s Internet traffic to its own servers and then served a file called “socialize.js” which displayed the SEA’s message.

As with their past attacks, the SEA targeted media outlets and focused exclusively on websites and was not related to any ad content. The SEA attack did not distribute malware and was designed as an effective publicity stunt. Yet, what’s to stop them from doing something worse the next time? And, let’s be honest, even without the presence of malware, a message on an ecommerce site stating that it has been hacked, even for a few hours, results in lost transactions – those few hours translate into millions of dollars of unrecoupable revenue.

The lesson learned is that brand and corporate websites are just as vulnerable to attack as ad content. As The Media Trust cautioned in last week’s blog post, the holiday season is when the online ecosystem experiences a surge in attacks, and no business or organization is immune.

The best defense is to be on constant alert, a security posture that is difficult for most to assume. That’s why many firms leave it up to the experts to continually scan their online and mobile ecosystem. Keep in mind that The Media Trust’s Media Scanner detected this attack before Gigya. Do you want to know about your website being comprised so you can take action before the world knows? Think about it.