Mon, Jul 1, 2019
Kroll identified several web compromise incidents via its cyber intake process during the month of June 2019, including cases that involved code injection techniques and sniffers. Web compromises most commonly affected e-commerce platforms in the retail sector.
Web application compromises involve a variety of exploits directed at web applications (e.g., content management systems) and e-commerce platforms, such as the popular e-commerce platform Magento. Actors use techniques such as structured query language (SQL) injection, cross-site scripting (XSS) and account takeover (ATO) attacks to gain access to payment data and other personal information submitted on payment sites.
The National Vulnerability Database (NVD) posted an alert in April 2019 specifically on an SQL injection vulnerability in Magento which could allow an unauthenticated user to execute arbitrary code and gain access to payment information.
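The SQL injection technique named above comes down to one coding mistake: user input concatenated into the query text. The following is an added example, not Kroll's or Magento's code, using an in-memory SQLite table with constructed sample rows; `lookup_unsafe` shows the vulnerable pattern and `lookup_safe` the parameterized fix that makes the same crafted input harmless.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two customer rows in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (email TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customer VALUES (?, ?)",
        [("alice@example.test", "1111"), ("bob@example.test", "2222")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, email: str) -> list:
    """Vulnerable pattern: the caller-supplied value becomes part of the SQL text,
    so a value containing a quote can change the WHERE clause itself."""
    query = f"SELECT email FROM customer WHERE email = '{email}'"
    return [row[0] for row in conn.execute(query).fetchall()]


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    """Hardened form: the value travels as a bound parameter, never as SQL text,
    so it is compared literally no matter what characters it contains."""
    query = "SELECT email FROM customer WHERE email = ?"
    return [row[0] for row in conn.execute(query, (email,)).fetchall()]


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed input that only the unsafe form misreads
    print("unsafe:", lookup_unsafe(db, crafted))  # returns every row
    print("safe:  ", lookup_safe(db, crafted))    # returns nothing: no such email
```

The point for a merchant reviewing custom modules or plug-ins is the shape of the query call, not the particular input: any place where a string is built from request data and handed to the database is a candidate, regardless of whether the platform's own core has been patched.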
According to Kroll Managing Director J. Andrew Valentine, bad actors are primarily focusing their web compromise attacks on vulnerabilities in three areas: (1) the Magento platform itself, (2) third-party plug-ins and (3) misconfigured Amazon S3 buckets.
“Users can address the S3 bucket issue by simply configuring their AWS accounts with the proper access controls,” says Andrew. “However, dealing with the Magento and third-party plug-in issues is a more difficult proposition and requires both proactive and ongoing mitigation efforts. For example, a Magento idiosyncrasy requires users to patch sequentially. In other words, if a user applies the patch for the Magento issue noted in the April 2019 NVD alert but hasn’t applied earlier patches in sequential order, that vulnerability will remain unpatched until all previous patches have been applied first.”
Andrew also notes that many exploits used against the Magento platform and third-party plug-ins can be difficult to spot: “We find alterations in nondescript areas of websites, e.g., headers and footers, which can help them evade detection, or in PHP functions or third-party plug-ins, like customer support chat capabilities. Sometimes, attackers will strategically alter scripts in multiple areas of an e-commerce platform; in many of these cases, website owners may see one exploit, but not the others.”
From a proactive standpoint, Andrew says Magento users might want to consider running the Magento Security Scan Tool on their sites to help monitor and detect potential issues. The growing risk landscape may also warrant upgrading to a higher, more robust version of the Magento platform or exploring the PCI Security Standards Council list of Validated Payment Applications for potential alternatives.
See more of Andrew’s recommendations in the Experts Corner of this newsletter.
Many exploits leveraged against e-commerce systems are often labeled or attributed to “Magecart.” According to Kroll consultant and dark web specialist Samuel Colaizzi, “Magecart is a generic term that is used by the cyber security industry to classify JavaScript inject attacks that sniff and scrape payment card data from e-commerce platforms, such as Magento. There is no specific code that would define an attack as being Magecart; rather, any JavaScript inject that sniffs and scrapes payment card data as well as other personally identifying information (PII) from payment sites would be classified as Magecart.”
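Two observations above point at the same control: the alterations land in nondescript template files such as headers and footers, and what they add is a script that the site owner never wrote. A file-integrity baseline catches the first, and an allowlist of script hosts catches the second. The block below is an added example, not Kroll's or Magento's tooling; the web root layout, file names and host names are constructed for illustration, and it builds its own temporary tree so it runs offline.

```python
import hashlib
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Matches <script ... src="..."> tags in rendered HTML or in PHP templates.
SCRIPT_SRC_RE = re.compile(r'<script[^>]*\bsrc=["\']([^"\']+)["\']', re.IGNORECASE)


def file_sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, suffixes=(".php", ".phtml", ".js", ".html")) -> dict:
    """Map each template/script file (relative POSIX path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): file_sha256(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix in suffixes
    }


def diff_baseline(root: Path, baseline: dict) -> dict:
    """Report files whose digest changed, new files, and files that disappeared."""
    current = build_baseline(root)
    return {
        "modified": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
        "added": sorted(f for f in current if f not in baseline),
        "removed": sorted(f for f in baseline if f not in current),
    }


def script_hosts(html: str) -> set:
    """Hosts referenced by <script src=...>; relative paths map to the empty string."""
    hosts = set()
    for src in SCRIPT_SRC_RE.findall(html):
        if src.startswith("//"):  # protocol-relative URL still names a host
            src = "https:" + src
        hosts.add(urlparse(src).netloc.lower())
    return hosts


def unexpected_script_hosts(html: str, allowed: set) -> set:
    """Script hosts that are neither first-party (relative) nor on the allowlist."""
    return {h for h in script_hosts(html) if h and h not in allowed}


def demo() -> dict:
    """Build a constructed web root, baseline it, then simulate an unauthorised
    edit of the footer template and return what the two checks report."""
    allowed = {"cdn.example-shop.test"}  # constructed allowlist of the shop's own CDN
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        tpl = root / "app/design/frontend/template"  # constructed path, not Magento's
        tpl.mkdir(parents=True)
        header, footer = tpl / "header.phtml", tpl / "footer.phtml"
        header.write_text('<script src="https://cdn.example-shop.test/checkout.js"></script>\n')
        footer.write_text("<footer>&copy; Example Shop</footer>\n")
        baseline = build_baseline(root)  # taken at a known-good moment

        # Simulated unauthorised change: a script tag for a host that is not allowlisted.
        footer.write_text(footer.read_text()
                          + '<script src="https://unknown-cdn.test/s.js"></script>\n')

        changes = diff_baseline(root, baseline)
        suspicious = {
            f: sorted(unexpected_script_hosts((root / f).read_text(), allowed))
            for f in changes["modified"]
        }
        return {"changes": changes, "suspicious": suspicious}


if __name__ == "__main__":
    print(demo())
```

The baseline must be stored somewhere the web server cannot write to, and re-taken only after a deliberate deployment; otherwise a change that is made before the first baseline is silently accepted. Running the allowlist check against the rendered page as well as the files on disk also covers scripts injected at the database layer (for example in CMS blocks), which never touch a template file.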
A packet analyzer, aka “sniffer,” is not an inherently malicious program; system administrators commonly use it to monitor network traffic. Bad actors, however, use sniffers to intercept data that they can monetize directly or through its sale, such as unencrypted passwords, usernames, account numbers, etc.
Below are screen captures of activity on the dark web where someone was selling a sniffer exploit (screenshot 1 below) and a credit card aggregation/dump (screenshot 2) that could have been obtained via this type of sniffer.
[Screenshot 1: dark web listing offering a sniffer exploit for sale]
[Screenshot 2: dark web listing offering a credit card aggregation/dump for sale]
Managing Director Andrew Valentine recommends the following strategies for mitigating web compromises, particularly those affecting e-commerce sites.
The article above was extracted from The Monitor newsletter, a monthly digest of Kroll’s global cyber risk case intake. The Monitor also includes an analysis of the month’s most popular threat types investigated by our cyber experts. Subscription is available below.