A week in security (December 30 – January 5)

Last week on Malwarebytes Labs, we took a dive into edge computing, looked at new web skimmer techniques, and rolled our eyes at silly people doing silly things.

Other cybersecurity news:

Stills and chills: A Reddit user notices their security camera is grabbing stills from other people’s devices. (Source: Reddit)

Tik Tok, the clock has stopped: The US Military has banned soldiers from making use …

New evasion techniques found in web skimmers

For a number of years, criminals have been able to steal credit card details from unaware online shoppers without attracting too much attention. Few people in the security industry were talking about these credit card web skimmers, both server-side and client-side, before the latter became largely known as Magecart. It took some major incidents, notably the Ticketmaster and British Airways …

There’s an app for that: web skimmers found on PaaS Heroku

Criminals love to abuse legitimate services—especially platform-as-a-service (PaaS) cloud providers—as they are a popular and reliable hosting commodity used to support both business and consumer ventures. Case in point, in April 2019 we documented a web skimmer served on code repository GitHub. Later on in June, we observed a vast campaign where skimming code was injected into Amazon S3 …

The forgotten domain: Exploring a link between Magecart Group 5 and the Carbanak APT

This blog post was authored by Jérôme Segura, William Tsing, and Adam Thomas. In a previous post, we described the possible overlap between certain domains registered by Magecart Group 4 and the Cobalt gang. While attribution is always a difficult endeavor, sharing TTPs can help others to connect the dots between campaigns observed in the wild and threat groups. This time, we looked at …

Magecart criminals caught stealing with their poker face on

Earlier in June, we documented how Magecart credit card skimmers were found on Amazon S3. This was an interesting development, since threat actors weren’t actively targeting specific e-commerce shops, but rather were indiscriminately injecting any exposed S3 bucket. Ever since then, we’ve monitored other places where we believe a skimmer might be found next. However, we were …

No summer break for Magecart as web skimming intensifies

This summer, you are more likely to find the cybercriminal groups Magecart client-side rather than poolside. Web skimming, which consists of stealing payment information directly from within the browser, is one of today’s top web threats. Magecart, the group behind many of these attacks, gained worldwide attention with the British Airways and TicketMaster breaches, costing the former …

Skimmer acts as payment service provider via rogue iframe

Criminals continue to target online stores to steal payment details from unaware customers at a rapid pace. There are many different ways to go about it, from hacking the shopping site itself, to compromising its supply-chain. A number of online merchants externalize the payment process to a payment service provider (PSP) for various reasons, including peace of mind that transactions will be …

GitHub hosted Magecart skimmer used against hundreds of e-commerce sites

Every day, new e-commerce websites fall into the hands of one of the many Magecart skimmers. Unbeknownst to shoppers, criminals are harvesting their personal information, including payment details in the online equivalent of ATM card skimming. Most often the skimming code—written in JavaScript and obfuscated—is hosted on infrastructure controlled by attackers. Over time, they have created …

Plugin vulnerabilities exploited in traffic monetization schemes

In their Website Hack Trend Report, web security company Sucuri noted that WordPress infections rose to 90 percent in 2018. One aspect of Content Management System (CMS) infections that is sometimes overlooked is that attackers not only go after the CMSes themselves—WordPress, Drupal, etc.—but also third-party plugins and themes. While plugins are useful in providing additional features for …

New Golang brute forcer discovered amid rise in e-commerce attacks

E-commerce websites continue to be targeted by online criminals looking to steal personal and payment information directly from unaware shoppers. Recently, attacks have been conducted via skimmer, which is a piece of code that is either directly injected into a hacked site or referenced externally. Its purpose is to watch for user input, in particular around online shopping carts, and send the …