dcsimg

Credit card skimmer masquerades as favicon

Malware authors are notorious for their deceptive attempts at staying one step ahead of defenders. As their schemes get exposed, they always need to go back to their bag of tricks to pull out a new one. When it comes to online credit card skimmers, we have already seen a number of evasion techniques, some fairly simple and others more elaborate. The goal remains to deceive online shoppers while … [Read more...]

Criminals hack Tupperware website with credit card skimmer

On March 20, Malwarebytes identified a targeted cyberattack against household brand Tupperware and its associated websites that is still active today. We attempted to alert Tupperware immediately after our discovery, but none of our calls or emails were answered. Threat actors compromised the official tupperware[.]com site—which averages close to 1 million monthly visits—as well as a few of its … [Read more...]

Lock and Code S1Ep2: On the challenges of managed service providers

This week on Lock and Code, we discuss the top security headlines generated right here on Labs and around the Internet. In addition, we talk to two representatives from an Atlanta-based managed service provider—a manager of engineering services and a data center architect—about the daily challenges of managing thousands of nodes and the future of the industry. Tune in for all this and more on … [Read more...]

Rocket Loader skimmer impersonates CloudFlare library in clever scheme

Fraudsters are known for using social engineering tricks to dupe their victims, often times by impersonating authority figures to instill trust. In a recent blog post, we noted how criminals behind Magecart skimmers mimicked content delivery networks in order to hide their payload. This time, we are looking at a far more clever scheme. This latest skimmer is disguised as a JavaScript file … [Read more...]

A week in security (December 30 – January 5)

Last week on Malwarebytes Labs, we took a dive into edge computing, looked at new web skimmer techniques, and rolled our eyes at silly people doing silly things. Other cybersecurity news: Stills and chills: A Reddit user notices their security camera is grabbing stills from other people’s devices. (Source: Reddit) Tik Tok, the clock has stopped: The US Military has banned soldiers from making use … [Read more...]

New evasion techniques found in web skimmers

For a number of years, criminals have been able to steal credit card details from unaware online shoppers without attracting too much attention. Few people in the security industry were talking about these credit card web skimmers, both server-side and client-side, before the latter became largely known as Magecart. It took some major incidents, notably the Ticketmaster and British Airways … [Read more...]

There’s an app for that: web skimmers found on PaaS Heroku

Criminals love to abuse legitimate services—especially platform-as-a-service (Paas) cloud providers—as they are a popular and reliable hosting commodity used to support both business and consumer ventures. Case in point, in April 2019 we documented a web skimmer served on code repository GitHub. Later on in June, we observed a vast campaign where skimming code was injected into Amazon S3 … [Read more...]

The forgotten domain: Exploring a link between Magecart Group 5 and the Carbanak APT

This blog post was authored by Jérôme Segura, William Tsing, and Adam Thomas. In a previous post, we described the possible overlap between certain domains registered by Magecart Group 4 and the Cobalt gang. While attribution is always a difficult endeavor, sharing TTPs can help others to connect the dots between campaigns observed in the wild and threat groups. This time, we looked at … [Read more...]

Magecart criminals caught stealing with their poker face on

Earlier in June, we documented how Magecart credit card skimmers were found on Amazon S3. This was an interesting development, since threat actors weren’t actively targeting specific e-commerce shops, but rather were indiscriminately injecting any exposed S3 bucket. Ever since then, we’ve monitored other places where we believe a skimmer might be found next. However, we were … [Read more...]

No summer break for Magecart as web skimming intensifies

This summer, you are more likely to find the cybercriminal groups Magecart client-side rather than poolside. Web skimming, which consists of stealing payment information directly from within the browser, is one of today’s top web threats. Magecart, the group behind many of these attacks, gained worldwide attention with the British Airways and TicketMaster breaches, costing the former … [Read more...]