Ecommerce: Payment card stealing malware

Authored by Chris Olson, CEO and Co-Founder, The Media Trust.

Malware compromise demonstrates how payment security standards are in dire need of an update for the digital environment.credit cards falling as dominoes

A bad actor has upped the stakes in his campaign to collect consumer payment card information by expanding his reach to mid-tier ecommerce providers across the US, UK and India, covering a range of industries including apparel, home goods, beauty and sporting event registrations.

Echoing a similar scenario observed over Memorial Day weekend in 2016, the bad actor injected a transparent overlay on top of the credit/debit card information block on a payment page so that a victim’s financial information is surreptitiously collected and sent to another party, not the e-retailer.

Considering these ecommerce firms earn anywhere from a $10,000 to $400,000 a day, the ecommerce firms risk significant revenue loss and negative consumer confidence. In addition, they also demonstrate inadequate security processes, even though these processes may comply with Payment Card Industry (PCI) standards.

[Please note, The Media Trust has a policy of not revealing the names of websites experiencing an active compromise. Affected ecommerce site operators were, however, notified of this breach.]

The big picture

The infection gradually spread to a number of small and mid-tier ecommerce sites in the US, UK and India, over the last few days. Upon analysis, The Media Trust discovered that each ecommerce provider uses the same open source content management system (CMS) to serve as the consumer-facing front end. The CMS platform’s master page script is infected with one of the several malicious domains. The malicious domain is present in the website’s footer section which means that it permeates every page of the site and not just the checkout page.

In addition, researchers detected multiple domain pairs, which were registered by the same bad actor within the past few months and labeled as suspicious by The Media Trust within two weeks of creation. The domains are now overtly malicious. To avoid detection, the malicious domains execute over varying time intervals and, in at least one instance, move from website to website across the three regions.

Scenario breakdown

In the course of supporting our clients, The Media Trust first detected the malicious actor via client-side scans of advertising-related content, i.e., creative, tags and landing page. The ecommerce site serves as the landing page for an advertising campaign.

The actor used multiple techniques to carry out his attack. In the following scenario, the landing page contains <assetsbrain[dot]com>, extraneous code unnecessary for the proper execution of a payment.

Image 1Malicious domain in the website’s footer

When the victim chooses to make a purchase via the checkout page, <assetsbrain[dot]com> performs two distinct actions: executes JavaScript to inject a transparent overlay on top of the payment card information block and drops a user-identifying cookie.

Ecommerce Post Image 2.pngExecution of transparent overlay

After input of card details, the malicious domain sends the information to <bralntree.com/checkPayments[dot]php>, an obvious spoof of a common payments platform.

Because the ecommerce operator doesn’t receive the card details, the shopper receives an error message and/or request to re-submit their payment information. The unauthorized cookie identifies the user and therefore does not execute the malicious script when the user re-enters the payment card information.

Online transactions remain a risky endeavor

In the realm of compromises, this infection highlights the inadequacy of current PCI security standards. Issued by the Payment Card Industry Council in 2005, the PCI Data Security Standard (PCI DSS) aims to protect cardholder data used during online financial transactions. Backed by the world’s largest credit card issues, PCI DSS requires online merchants to conform to a set of standards such as regular website and server vulnerability checks.

The affected ecommerce sites do not have certifications or seals demonstrating PCI compliance. Their privacy policies declare regular scanning and website security policy review; however, these processes are insufficient, since traditional web application security (appsec) solutions are not able to effectively detect malicious behavior executing via third-party code.

Proving the fallibility of traditional web application scanning utilities, all domains (ecommerce providers, initial malicious domain and spoofed payments platform) are considered clean by VirusTotal as of early morning May 16.

Protect your business by securing your revenue stream

Any size ecommerce provider can protect their revenue and reputation by adopting the following website risk management strategies:

  • Secure your CMS platform: Review security processes with the CMS platform and keep all code and plugins up to date.
  • Surpass PCI DSS standards. Demand more rigorous scanning of the entire website to identify compromise of both owned and third-party code not visible to the website operator.
  • Audit operations. Document all vendors and their actions when executing on your website. This helps you quickly identify anomalous behavior and establishes a remediation path.

You know nothing, CISO

Shadow IT can stab you in the back

CISO work overload

Disclaimer: This blog post contains strong references to Game of Thrones. Memes courtesy of ImgFlip. 

You, CISO, are a brave warrior who fights unknown threats from all corners of the digital world. You, CISO, try with all your might to manage an increasingly complex digital ecosystem of malware, exploit kits, Trojans, unwanted toolbars, annoying redirects and more. You, CISO, wrangle a shortage of security professionals and an overload of security solutions. You, CISO, have lost sleep over protecting your enterprise network and endpoints. You, CISO, are aware of the lurking threat of shadow IT, but you CISO, know nothing until you understand that your own corporate website is one of the biggest contributors of shadow IT.

Beware of your Corporate Website

Did you know it’s likely you are only monitoring around 20–25% of the code executing on your website? The remaining 75-80% is provided by third-parties who operate outside the IT infrastructure. You may think website application firewall (WAF) and the various other types of web app security tools like Dynamic Application Security (DAST), Static Application Security (SAST), and Runtime Application Self-Protection (RASP) adequately protect your website. News flash: these applications only monitor owned and operated code. In fact, they can’t even properly see third-party code as it’s triggered by user profiles. There is a dearth of security solutions that can emulate a true end user experience to detect threats.

Think about it, if there are so many traditional website security solutions available, why do websites still get compromised? This third-party code presents a multitude of opportunities for malware to enter your website and attack your website visitors–customers and employees alike–with the end goal to ultimately compromise endpoints and the enterprise network.

Shadow IT in the corporate website

Avoid the Shame!

Practical CISOs will keep these hard facts in mind:

1.  There is no true king

You could argue that marketing is the rightful king to the Iron Throne of your corporate website since it is responsible for the UX, messaging, branding and so forth. But the enterprise website requires so much more. Every department has a stake: IT, legal, ad ops (if you have an advertising-supported website), security and finance, to name a few. Each department’s differing objectives may lead to adoption of unsanctioned programs, plugins and widgets to meet their needs. As a result, the website’s third-party code operates outside the purview of IT and security. Further complicating matters, there is no one department or person to be accountable when the website is compromised. This makes it hard for security teams to detect a compromise via third-party code and easier for malware to evade traditional security tools. In the absence of ownership, the CISO is blamed.

2.  Malware is getting more evil

Bad actors continue to hone their malware delivery techniques. They use malicious code to fingerprint or steal information to develop a device profile which can be used to evade detection by security research systems and networks. Furthermore, web-based malware can also remain benign in a sandbox environment or be dormant until triggered to become overt at a later date.

3. You’re afraid of everyone’s website…but your own

You know the perils of the internet and have adopted various strategies to protect your network from the evils of world wide web. From black and white listing to firewall monitoring and ad blocking, these defenses help guard against intrusion. But what about your website?

As previously stated, everyday web-enablement programs such as a video platform or content recommendation engine operate outside the IT infrastructure. The more dynamic and function rich your website is, the more you are at risk of a breach from third-party vendor code. Below is a not so exhaustive list of apps and programs contributing third-party code:

  • RSS Feed
  • News Feed
  • Third Party Partner Widgets
  • Third Party Content MS Integrations
  • Third Party Digital Asset MS Integrations
  • Third Party ECommerce Platforms
  • Image Submission Sites
  • Ad Tags
  • Video Hosting Platform
  • Crowd Sharing Functionality
  • File Sharing Functionality
  • Customer Authentication Platforms
  • Third-Party Software Development (SD) Kits
  • Social Media Connectors
  • Marketing Software
  • Visitor Tracking Software

Stick ‘em with the pointy end

Yes, we know, what lies beyond the realm of your security team’s watchful eye is truly scary. But now that you know that your website’s third-party vendor code is a major contributor of shadow IT, you can more effectively address website security within your overall IT governance framework.

 

Content Management Systems: Friend or Foe?

The downside of open source affordability and flexibility

CMS Friend or Foe

More than 7,000 ecommerce sites were shut down this past weekend due to malware infiltrating the open source or community version of Magento, a popular content management system. Unfortunately, this type of revenue-impacting event has become all too common with similar attacks affecting WordPress, Joomla and Drupal within the past 12 months. As thousands of online merchants have just learned, taking advantage of the affordability and flexibility offered by an open-source website vendor requires investment in continuous site security.

Start-up savior

Millions of small and medium-sized merchants rely on open source content management systems (CMS) to support their initial foray into online commerce. These platforms provide a “plug-n-play” infrastructure that pulls together basic design schema, content delivery features and shopping cart capabilities—critical cost-saving tools for a start-up operation. Platform providers make these tools available in the hopes that as the retailer grows it will seek more features and eventually upgrade to a more robust, enterprise version. But, these supposedly “free” tools come with a price.

When free isn’t free

Open source is a great resource; however, it is not supported by the vendor. Open source platforms rely on a passionate community of users to build plug-ins and extensions which extend the capability of the free tool. A major shortfall is that open source lacks the protection users expect—there’s no accountability for the developer community should something go horribly wrong. In fact, the very nature of open source suggests that the “source” is “open” to all who wish to contribute.

Bad actors easily infiltrate these communities and cause considerable harm. From compromising an existing extension to creating a flawed one, bad actors can quickly penetrate thousands of ecommerce operations and execute a host of crimes—mine for credit card data, trigger malware downloads onto shopper browsers, deface the site with inflammatory language or completely disable site operations, to name a few. Whatever the action, the merchant suffers serious damaging consequences from which it may not ever recover.

To protect an ecommerce operation, online merchants need to invest in security measures to ensure the open source environment is safe from compromise. This means a thorough review of all code and vendors used to render the site on consumer browsers—both front-end services, like image library and product recommendation, and back-end services, like CMS and content delivery networks. In effect, open source is not really free, as the money saved from licensing needs to be poured back into IT to secure the site.

Preparing for the worst

Considering that an open source platform can bring an ecommerce site to its knees, online merchants must keep abreast of industry news and take immediate action to locate and fix compromised code. In addition, merchants should also adopt basic security best practices such as:

  1. Regular participation in the open source community to know when issues are detected and how to resolve
  2. Careful screening of plug-ins and extensions before using in your environment
  3. Limited use of un-vetted extensions
  4. Continuously monitoring of the third-party vendors executing on the site

The best way to secure revenue continuity is to constantly monitor the site for anomalies and unexpected vendor behavior. Upon detection, these issues can be immediately resolved thereby keeping your ecommerce operation alive and kicking.

For those not planning to upgrade to a licensed, vendor-supported platform, an effective security program will be your best friend. The Media Trust can make the introduction.

 

Ecommerce–What’s happening on your site?

Wayward third-party vendors impact site performance, collect first-party data and expose site visitors to malware

Online shopping is now a primary revenue source for many retailers, and its growth trajectory is forecast to continue its double-digit growth rate. With their high-volume traffic and access to consumers’ credit cards, these sites also serve as revenue sources for hackers and fraudsters, who find retailers’ reliance on third-party vendors especially appealing. They gain access to sites by compromising legitimate third-party vendors.

Pinpointing the third-party vendors

Everyday ecommerce sites are rife with third-party vendors, many of them not clearly visible to site owners. These services provide the interactive and engaging experience consumers have come to expect and also enable the site to be monetized. Unbeknownst to many retailers, the third-party vendors they use to render these critical services—product reviews, content recommendation engines, payment systems, automated marketing services, analytics, content delivery networks, social media tools and more—can unintentionally function as a conduit for a host of unsavory activities including malware drops, first-party data collection, and latency-causing actions.

The challenge is to quickly identify the point of compromise, yet most ecommerce site operators don’t have a clear grasp of the vendors actively executing on their digital properties. The following infographic of a typical ecommerce site provides clues to where vendors can be found.

Ecommerce–What's happening on your site?

[Get your pdf copy at www.TheMedia.Trust]

Check yourself before you wreck yourself

How do you control these vendors and what they do on your site? The ability to effectively manage an ecommerce site requires intricate command of the technology, processes and vendors needed to render pages that not only meet revenue goals, but do so without compromising the user experience. This means the site must be free of malware, performance-sapping vendors and privacy-violating data collection activity.  To protect against third-party code’s inherent risks, ecommerce teams must work with their IT, information security, and legal teams to constantly monitor—in real time—the code executing on their sites. Otherwise, a host of activities can be underway without your knowledge which can negatively impact the user experience, your brand and your revenue stream.

Encryption – Your website isn’t as secure as you think

HTTPS code does not mean a site is encrypted

Encryption is complicated

Today is D-Day for ecommerce and IT professionals, basically anyone with a revenue-generating digital property. June 30 marks the day that Google’s ad networks move to HTTPS and follows previous statements indicating HTTPS compliance as a critical factor in search engine rankings.

From Google’s announcement to the White House directive mandating HTTPS-compliant federal websites by December 2016, encryption has become the topic du jour. And, rumors abound that browsers are getting into the encryption game by flashing alerts when a site loses encryption. Why all the fanfare?

Encryption adds elements of authenticity to website content, privacy for visitor search and browsing history, and security for commercial transactions. HTTPS guarantees the integrity of the connection between two systems—webserver and browser—by eliminating the inconsistent decision-making between the server and browser regarding which content is sensitive. It does not ensure a hacker-proof website and does not guarantee data security.

Over the past year, businesses worked to convert their website code to HTTPS. With Google’s recent announcement, ad-supported sites can sit back and relax knowing their sites are secure, right? Wrong.

To have a truly encrypted site you must ensure ALL connections to your website communicate through HTTPS, including all third-party code executing on your site, not just advertising. This means sites using providers such as content delivery networks, data management platforms, hosting services, analytic tools, product reviews, and video platforms, need to ensure connections—and any connections to fourth or fifth parties—are made via HTTPS. Just one break in any call chain will unencrypt your site. Considering 57% of ecommerce customers would stop a purchase session when alerted to an insecure page, the ongoing push to encrypted sites should not be ignored.

What’s a website operator to do? By its very nature, third-party code resides outside your infrastructure and is not detected during traditional web code scanning, vulnerability assessment, or penetration testing. To ensure your site—and all the vendors serving it—maintains encryption you must scan it from the user’s point of view to see how the third parties behave. Only then can you detect if encryption has been lost along the call chain.

Guess what? Corporate websites are out of your control

Recognizing how websites and mobile apps have transformed business models

website shadow IT

Marriott. Toys R Us. Darden Restaurants. Wal-Mart. Kraft. Neiman Marcus. Dell. What do these diverse companies have in common? They are all digital publishers.

As highlighted in a recent article, Dell spends millions of dollars each year developing content for their public-facing website. From placing advertisements to writing stories about women in technology to creating informative videos, Dell recognizes the power of digital content as an important part of the sales process. And their public-facing website serves as the primary communication channel to their most valuable asset—the customer. Dell isn’t alone.

Once relegated to traditional media companies, the concept of a digital publisher has morphed to encapsulate any organization that uses digital channels to promote their business—either directly with coupons, product reviews and ecommerce capabilities or indirectly via promotional videos, polls and recipes. In effect, any firm with a digital property—website or mobile app—should consider themselves a digital publisher.

Digital content is outside your control

Digital content and the channels through which it is acquired and delivered requires a new approach to security.

High-quality, informative websites and mobile apps attract visitors, and this attention draws evildoers. Looking to capitalize on your hard-won customers and website traffic, these bad actors mine for poor web code to exploit. They redirect visitors outside your page, launch malware downloads, and steal valuable visitor data, to name a few actions that no reputable business wants. In fact, online and mobile channels are the primary vectors for malware, with 85% of all malware distributed via the web.

Securing public-facing digital properties should be easy, right? The challenge is that most of the code delivering the interactive and engaging user experience that renders on the site visitor’s browser is from a third party and therefore outside your control. As a matter of fact, third-party code makes up more than 78% of the code found on Fortune 1000 websites. Think about it. Almost every corporate website uses video, blog, talent acquisition and social media tools in addition to the standard backend data analytics and marketing platforms. Though incorporated into your website design, these third-party providers execute outside your website’s technical operation thereby minimizing your ability to control their security or activity. And they are often compromised. (Read more about third-party code providers.)

Responsibility of Securing public-facing digital properties

Viewed from a digital publisher lens, strategic business growth depends on delivering a top-notch user experience to website visitors and mobile apps users—customers and employees. Securing these digital properties means closely monitoring third-party activities to ensure they are not dropping malware, collecting unauthorized user data or negatively impacting site performance.

With digital publishing comes responsibility. Embrace it.

What’s on your website? And what’s it doing there?

Recognizing the risks of third-party code on brand and ecommerce websites.

That’s a simple question, right? You’d think that IT, infosec and ecommerce/digital operations would know—that they would want to know—which third-party domains execute code on their company’s website. The reality is they don’t know, exposing their site and their site’s visitors to the constant threat of cyber attacks in the form of malware drops or domain redirects.

Today, most organizations recognize that online and mobile ads serve as major conduits for malware, but they remain ignorant to the risks associated with third-party code executed on their website. They fail to understand the value of knowing how many third-party vendors and domains access their site each day, week or month. Failure to track third-party code activity or the length of time the domain remains on a site opens the door to malware, site performance issues and data leakage, which can lead to lost revenue and privacy violations.

And don’t forget that many of these vendors may require a fourth-party to enable their functionality, which means the average website can have hundreds of domains accessing the site at any one time. In fact, the preponderance of source code executing on Fortune 1,000 websites is third-party code—just think of the latency challenges!

That figure sounds high until you take into account the third-party services required to render a single URL: blogging, video, data analytics, comments, chat, product reviews, marketing automation, etc. These various services provide for a more interactive and engaging website, as well as enable the site to be optimally monetized.

While third-party vendors provide value, they must also be closely monitored, lest they unknowingly serve as an entry point for malware, as evidenced with the Syrian Electronic Army’s (SEA) Thanksgiving Day attack on more than 100 media sites. The SEA attacked these various websites by first infiltrating an unsuspecting third-party used by media outlets, and a few name-brand companies, whose ecommerce sites were unavailable for hours resulting in millions of lost revenue. In the grand scheme of things, this recent compromise was relatively harmless—the SEA redirected the Gigya domain to a promotional message—and did not penetrate internal systems, infiltrate firewalls or pilfer sensitive corporate or customer data. Yet.

While third-party vendors provide value, they must also be closely monitored, lest they unknowingly serve as an entry point for malware, as evidenced with the Syrian Electronic Army’s (SEA) Thanksgiving Day attack on more than 100 media sites. The SEA attacked these various websites by first infiltrating an unsuspecting third-party used by media outlets, and a few name-brand companies, whose ecommerce sites were unavailable for hours resulting in millions of lost revenue. In the grand scheme of things, this recent compromise was relatively harmless—the SEA redirected the Gigya domain to a promotional message—and did not penetrate internal systems, infiltrate firewalls or pilfer sensitive corporate or customer data. Yet.

Purveyors of malware attack for two primary reasons: simple profit or publicity, with the Sony Pictures Entertainment breach being the most recent high-profile example. Due to the heavy reliance on marketing analytics, plug-ins and third-party content, brand and ecommerce sites are prime targets for a large-scale attack orchestrated through an unknowing accomplice: a third-party executing code on an ecommerce site. And it won’t be for harmless fun. These cyber criminals leverage corporate websites to drop malware on site visitors, which typically includes employees, that mines for system vulnerabilities, syphon valuable customer data or redirect consumers to alternative and possibly competitive sites.

When this happens, what will you do? Instinct is to shut down the entire property until you can locate the malicious code—a process that can take hours of searching. This is an expensive solution, because not only do you spend resources pinpointing the problem but you also won’t be able to deliver promised ads or process customer transactions, and your brand will be forever tarnished.

The best defense is continuous monitoring of third-party vendors to catch the moment they are compromised and before significant harm is unleashed. Through constant scanning of these website partners you will know the instant an anomalous activity is detected, whether it be suspicious code or a domain redirect.

Think about it the next time you visit your company’s website to read product reviews, catch up on the latest blog post, chat with the help desk or watch an entertaining video. Do you really know which vendors enable these activities? Have you authorized their presence and activity? Once you have a handle on this information, securing your business’s online presence becomes easier.