The post Another Web Skimming Attack! Hackers Use Telegram to Pilfer Card Data appeared first on CISO MAG | Cyber Security Magazine.
Telegram-Based Skimming Attack
According to Malwarebytes, hackers exploited the Telegram app to send stolen payment details from compromised websites. They used the messaging platform to exfiltrate sensitive data by deploying skimmer codes and traditional Trojans.
“The fraudulent data exchange is conducted via Telegram’s API, which posts payment details into a chat channel. That data was previously encrypted to make identification more difficult. For threat actors, this data exfiltration mechanism is efficient and does not require them to keep up infrastructure that could be taken down or blocked by defenders. They can even receive a notification in real time for each new victim, helping them quickly monetize the stolen cards in underground markets,” Malwarebytes said.

According to security researcher AffableKraut, who was the first to disclose the incident in a Twitter thread, the skimmer code checks for web debuggers to evade detection and looks for sensitive data fields such as billing and payment details, credit card number, expiration date, and CVV.
Injecting e-skimmers, or malicious JavaScript, into e-commerce sites to pilfer payment card details is a common technique used by Magecart operators. This time, however, they used a new method to exfiltrate the data: a message sent to a Telegram channel via a bot whose ID is encoded in the skimmer code.
“Defending against this variant of a skimming attack is a little more tricky since it relies on a legitimate communication service. One could obviously block all connections to Telegram at the network level, but attackers could easily switch to another provider or platform (as they have done before) and still get away with it,” Malwarebytes added.
The post Data Security Alert! American Payroll Association Suffers Web Skimming Attack appeared first on CISO MAG | Cyber Security Magazine.
The attackers gained access to users’ login information (usernames and passwords), payment card information (credit card numbers), and personal information (names, dates of birth, email addresses, job titles and roles, primary job function, addresses, employee industry, and type of payroll software used). In addition, they also obtained profile photos and social media usernames associated with some accounts.
APA notified the users affected in the incident and offered 12 months of free credit monitoring and $1,000,000 in identity theft insurance.
“Since discovering the cyberattack, APA has installed the latest security patches from our content management system to prevent any further exploitation of their website. APA technicians also reviewed all code changes made to the APA website since January; installed additional antivirus software on our servers; and increased the frequency of security patch implementation,” the Association said.
The attack that APA suffered is known as a Magecart attack (also called web skimming or e-skimming), in which attackers inject malicious JavaScript code into e-commerce websites after exploiting a CMS vulnerability. Multiple security incidents involving Magecart hackers have been reported earlier. Recently, researchers from threat intelligence firm RiskIQ uncovered a new Magecart campaign, dubbed “Magecart Group 7,” that compromised over 19 e-commerce websites to steal customers’ payment card data. The researchers discovered a software skimmer, “MakeFrame,” which injects HTML iframes into the targeted websites to obtain payment information.
The post 99% of Websites Are Prone to Cyberattacks Via JavaScript Plug-Ins: Report appeared first on CISO MAG | Cyber Security Magazine.
After analyzing the security posture of the Alexa top 1000 websites, the survey revealed that website data risk is on the rise, but most website owners fail to deploy the security precautions needed to defend against client-side attacks.
“Without controls, every piece of code running on websites – from every vendor included in the site owner’s website supply chain – can modify, steal or leak information via client-side attacks enabled by JavaScript. In many cases, this data leakage is taking place via whitelisted, legitimate applications, without the website owner’s knowledge,” the survey stated.
Other key findings include:
Aanand Krishnan, Founder and CEO of Tala Security, said, “Websites generate massive volumes of high-value data, making them a primary target for attackers. The fundamental issue with the way today’s websites is that user data is greatly exposed to third-party applications and services and that data leakage is occurring even from trusted third-party resources. It’s imperative that organizations keep security top-of-mind and pay much closer attention to what has become a pervasive attack vector.”
The post Magecart Hacking Group Arrested in Indonesia appeared first on CISO MAG | Cyber Security Magazine.
The suspects, identified by the initials ANF (27 years), K (35 years), and N (23 years), were accused of injecting JavaScript sniffers into websites to capture information entered by site visitors. The suspects allegedly used the stolen payment card data to purchase electronic and luxury goods.
“The three of them have carried out their actions since 2017 until now, and each has similar hacking abilities. The arrest of the hacking suspects began with the collaboration of Subdit II Dittipidsiber Bareskrim Police, Interpol, ASEAN Desk and IB-Group in the Night Fury Operation activities, which are joint operations with several communities both nationally and internationally in order to combat Malware used by hackers,” the officials said in a media statement.
In October 2019, Macy’s, an American department store chain, stated that its customers had been hit by an attack affecting countless credit cards. The retailer stated that unknown intruders planted a card-stealing malware script on its payment site and collected customer details.
According to an official statement, the attackers installed a Magecart script on the checkout page of its website and siphoned off customers’ payment card details between October 7 and October 15, 2019.
The compromised data included customers’ names, addresses, phone numbers, credit card numbers, card verification codes, and expiration dates.
A Magecart attack, also known as web skimming or e-skimming, is a form of cybercrime in which attackers plant malicious JavaScript code on online stores.
In a Magecart attack, hackers gain access to a company’s online store website, compromise it, and hide malicious code in it. The malicious code then collects payment card information from users while they make purchases on the infected site. The hackers either sell the stolen card data on the darknet or use it to make fraudulent purchases.
The post RAT Attack: Double Whammy appeared first on CISO MAG | Cyber Security Magazine.
This is double trouble in every sense. The dropper goes into action with JavaScript code containing URL-encoded data, which the researchers later uncovered to be VBScript code. According to Fortinet, “The author of this malware used simple character replacement when calling the “Chr()” function in an attempt to hide the actual strings (“shell.application” and “cmd /c cd %temp%”, respectively).”
According to the researchers, the objectives of the VBScript code are:
The VBScript code then creates a Shell.Application object, which generates a new script file that in turn fetches another payload (VBScript code) from an external source. The new script pulls Microsoft.vbs from a remote server and saves it in the temp folder. The code consists of a main class called “th3m41n” with three methods: “dugh41r,” “t01l3t,” and “b3st1n.”
“Once the aforementioned code is executed, it creates a new WScript.Shell object and collects OS environment and hardcoded data, which will eventually end in running the newly created script (GXxdZDvzyH.vbs) by calling the VBScript interpreter with the “//B” parameter. This enables “batch-mode” and disables any potential warnings or alerts that can occur during execution,” the researchers wrote. As the code executes, a new registry key called Microsoft is added, which stores the malformed base64-encoded data.
With the new key in the registry, commands are executed to bypass execution policies, and the RAT payload is then deployed. Following the RevengeRAT infection, IP addresses, usernames, machine data, CPU data, webcam access, and information on installed firewalls and antivirus software are stolen. RevengeRAT is infamous and has previously been deployed to steal data from financial firms, governments, and IT companies. But the buck doesn’t stop there.
The dropper also deploys a second payload, WSHRAT, from the same script with a few changes. This second payload is the double whammy: the newest version of WSHRAT, an infamous phishing tool, is capable of stealing information stored in browsers, remotely installing and uninstalling programs, and keylogging by several methods.