Expert Speak
How Hackers Steal Your Payment Card Details From Retailers
As we enter the busiest shopping period of the year, both offline and online retailers and consumers are facing risks to the security of their payment card data.
Formjacking has surged in 2018—with Symantec blocking almost 700,000 formjacking attempts from mid-September to mid-November alone. This surge in formjacking is one of the big stories of 2018—with attackers like Magecart using supply chain attacks and other tactics to inject malicious scripts into websites to steal payment card information.
There have also been attacks on point-of-sale (PoS) systems in bricks-and-mortar stores this year, though none so far that compare to the mega breaches of earlier this decade, which saw tens of millions of credit cards compromised in a single breach.
Point of sale, point of weakness
According to recent research from Symantec’s Deepsight Managed Adversary and Threat Intelligence (MATI) team (published in the MATI report How Cyber Criminals Monetize Unauthorized PoS System Access And Stolen Card Data – 01 Nov 2018), on dark net marketplaces threat actors are advertising access to PoS systems at prices ranging from $12 for administrative access to one PoS machine, to $60,000 for access to a large corporate network containing thousands of PoS servers and terminals. Meanwhile, depending on its quality, payment card data on the dark web retails for between $1 and $175 per card.
The techniques used by PoS scammers remain straightforward and have not evolved greatly in the last number of years, with scammers still using “RAM-scraping” malware to steal payment card details. This RAM-scraping malware works because of how data generally travels around retailers’ systems.
- Retailers generally use network-level encryption within their internal networks to protect data as it travels from one system to another.
- However, payment card numbers are not encrypted in the systems themselves and can still be found within the memory of the PoS system and other computer systems responsible for processing or passing on the data.
- This weakness allows attackers to use RAM-scraping malware to extract this data from memory while the data is being processed inside the terminal rather than when the data is travelling through the network.
PoS cyber crime groups
Two high-profile actors in the PoS malware space are FIN7 and FIN6. FIN7 is a well-known group that is reported to have stolen more than $1 billion from companies around the world. FIN7 uses sophisticated spear-phishing emails to convince targets to download an attachment that then infects their company network with malware. The malware used by FIN7 is most commonly a tailored version of the Carbanak malware, which has been used in multiple attacks on banks. Companies compromised by FIN7 include well-known brands like Chipotle, Chilli’s, and Arby’s, with the group thought to have compromised thousands of business locations and to have stolen millions of credit card numbers.
FIN6 was first spotted in 2016 when it used the Grabnew backdoor and the FrameworkPOS malware to steal the details of more than 10 million credit cards. The group was also active in 2018, and was seen exploiting living off the land tools such as Windows Management Instrumentation Command (WMIC) and the Metasploit framework to execute PowerShell commands.
Both groups are believed to have made many millions of dollars selling the card details they steal on dark web marketplaces—with the Joker’s Stash marketplace appearing to be where most of these transactions take place.
However, a few factors have emerged in recent times that may impact the environment around PoS attacks, and the activity of these groups:
- Three members of FIN7 arrested: In August this year, the U.S. Department of Justice issued indictments against three Ukrainian nationals it alleged were members of FIN7: Dmytro Fedorov, Fedir Hladyr, and Andrii Kopakov. The three men reportedly had high-profile roles in FIN7: Hladyr as its systems administrator, and Fedorov and Kopakov as supervisors to groups of hackers. While FIN7 activity has continued to operate since these arrests, they could have an impact on the group’s activity going forward.
- Increased adoption of chip and chip-and-PIN: The increased adoption of chip in the U.S., and chip-and-PIN technologies globally, by payment card issuers has reduced the availability of “usable” payment card information in the criminal marketplace. If a threat actor compromises a PoS system that processes 50 percent cards that use chip-and-PIN then only 50 percent of the cards are usable, or saleable, for them. As chip-and-PIN technology becomes more commonplace around the world and reduces the number of PoS systems capable of producing card data that actors can monetize, Symantec’s MATI experts believe the price of unauthorized PoS access will decline, while usable stolen payment card information will increase in value due to its scarcity.
PoS attacks in 2018
One new actor we have seen engaged in malicious activity on PoS machines in 2018 is a group we have dubbed Fleahopper. Fleahopper has been active since at least July 2017. It is a financially motivated group that appears to be monetizing its victims by stealing information from infected machines running PoS software.
In the latter half of 2018, Fleahopper has been observed using the Necurs botnet to infect victims. It does this in two ways: through Necurs bots and through spam email, likely originating from the Necurs botnet. Symantec has observed Fleahopper delivering malware directly through Necurs bots, where the bots drop malware from Fleahopper onto machines already infected by Necurs. Machines that are not infected with Necurs may still be infected by Fleahopper through spam that comes from the Necurs botnet.
Spam emails that deliver malware from Fleahopper have been observed with malicious Microsoft .pub files attached. These .pub files download an installer for the malware used by Fleahopper, Trojan.FlawedAmmyy.
The Trojan.FlawedAmmyy RAT is a modified version of the publicly available remote access tool Ammyy Admin (Remacc.Ammyy). Although Trojan.FlawedAmmyy is not believed to be exclusive to Fleahopper, the group has been observed using Trojan.FlawedAmmyy to deliver its tools.
Once they’ve compromised an organization, Fleahopper has been observed dropping a number of files onto machines running POS software. Fleahopper installs a modified legitimate Remote Desktop Protocol (RDP) file onto infected machines running POS software. This gives Fleahopper remote desktop access to the infected machine that is separate from access through malware. Symantec has observed Fleahopper using this access.
Symantec has observed Fleahopper activity on machines in grocery stores, furniture stores, restaurants and a store selling men’s clothing. The group’s activity appears to be spread around the globe, with some activity seen targeting businesses based in the U.S. and the U.K. Some of the other PoS malware that has been seen used by various groups in the wild in 2018 includes: RtPOS, Prilex, LusyPOS, LockPOS, GratefulPOS, and FindPOS.
Publicly reported attacks
There have been several publicly reported attacks on PoS systems in 2018:
- RMH Franchise Holdings, an Applebee’s franchisee
- Canadian restaurant chain Tim Horton’s
- S. restaurant chain Chili’s
- Saks Fifth Avenue, Saks Off 5th, and Lord & Taylor (these stores have the same parent organization: Hudson Bay Company)
The compromise of Hudson’s Bay Company’s stores and Chili’s has been linked to FIN7. While these were significant compromises—the details of at least 5 million cards were compromised when the Hudson’s Bay Company stores were targeted—there have been no reports so far of PoS attacks this year affecting tens of millions of consumers.
This relative drop in activity in the PoS space compared to previous years could be down to the reasons mentioned above—the increased adoption of chip-and-PIN globally and upset in the FIN7 group. However, it may also indicate that attackers are looking at other ways to make money and get their hands on payment card details—for example, by turning to formjacking.
Formjacking
We first published research on formjacking at the end of September 2018, after a spate of high-profile attacks by the Magecart attack group. Among Magecart’s targets were Ticketmaster UK, British Airways, Feedify, and Newegg. One of its more recent targets was British electronics kit retailer Kitronik.
Formjacking is a term we use to describe the use of malicious JavaScript code to steal credit card details and other information from payment forms on the checkout web pages of e-commerce sites. It is not a new technique, but in the latter half of 2018, it has garnered a lot of attention due to some large campaigns, many of which have been carried out by Magecart. Recently released research has claimed that Magecart is not just one group—but rather approximately seven groups that are all engaged in similar activity.
When a customer of an e-commerce site clicks “submit” or its equivalent after entering their details into a website’s payment form, malicious JavaScript code that has been injected there by the cyber criminals collects all entered information, such as payment card details and the user’s name and address. This information is then sent to the attacker’s servers. Attackers can then use this information to perform payment card fraud or sell these details to other criminals on the dark web.
In a two-month period, from mid-September to mid-November, Symantec blocked almost 700,000 formjacking attempts—with a clear upward trend visible as we approach the holiday shopping season.
Much as we reported in September, these formjacking attempts target a wide range of e-commerce websites, including a fashion retailer in Southeast Asia, and another in Australia, a U.S. website selling jewelry, and another U.S. store specializing in outdoor gear and equipment. Suppliers of equipment for dentists, and online stores selling gardening equipment, were also among those targeted. These formjacking attempts continue to target a wide range of stores—ranging from small to large retailers in various countries around the world.
We detailed in our previous research how, in some cases, Magecart was using supply chain attacks to gain access to its targeted websites and carry out these formjacking attacks. The Magecart attackers injected malicious JavaScript code into Ticketmaster’s website after they compromised a chatbot from tech firm Inbenta that was used for customer support on Ticketmaster websites, for example. Magecart was then able to alter the JavaScript code on Ticketmaster’s websites to capture payment card data from customers and send it to their servers.
Dutch security researcher Willem de Groot has discovered since then that Magecart is also exploiting unpatched vulnerabilities in 21 Magento extensions used by online stores to gain access to websites. Magento is an open-source e-commerce platform. Magecart is using a series of URL paths to probe Magento stores in the wild for the vulnerable extensions, and injecting its malicious code into vulnerable websites.
As we approach the holiday shopping season, it is likely that we will see a ramping up of activity from actors out to steal consumers’ payment card details—both online and in retail stores worldwide.
Best Practices for Retailers
Formjacking
Victims may not realize they are victims of formjacking as generally their websites continue to operate as normal, and attackers like Magecart are sophisticated and stealthy and take steps to avoid detection.
Website owners should be aware of the dangers of software supply chain attacks, as these have been used as the infection vector in some of these formjacking attacks. Software supply chain attacks can be difficult to guard against, but there are some steps that website owners can take:
- Test new updates, even seemingly legitimate ones, in small test environments or sandboxes first, to detect any suspicious behavior.
- Behavior monitoring of all activity on a system can also help identify any unwanted patterns and allow you to block a suspicious application before any damage can be done.
Producers of software packages should ensure that they are able to detect unwanted changes in the software update process and on their website.
Website owners can also use content security policies with Subresource Integrity tags (SRI) to lock down any integrated third-party script.
Point of Sale
- Install and maintain a firewall to facilitate network segmentation.
- Change default system passwords and other security parameters.
- Encrypt transmission of cardholder data across open, public networks.
- Use and regularly update security software.
- Use strong authentication including two-factor authentication for remote systems.
- Test security systems, perform penetration testing, and implement a vulnerability management program.
- Maintain security policies and implement regular training for all personnel.
- Implement chip-and-PIN technology in your business.
- Implement system integrity and monitoring software to leverage features such as system lockdown, application control, or whitelisting.
Best Practices for Consumers
- Monitor your credit card bills so you will spot any suspicious transactions. You could even consider hiring the services of a credit monitoring company.
- Only shop from well-known, secure websites and stores that are more likely to have good security measures in place. However, even well-known stores fall victim to cyber criminals, so while this may reduce your risk of exposure it doesn’t eliminate it.
Apps
Is Apple’s New ‘NameDrop’ Feature a Cause for Parental Concern?
In the ever-evolving landscape of technology, Apple’s new iOS 17 update has introduced a feature that’s sparking a mix of curiosity and concern: NameDrop. This functionality allows users to share contact information with others seamlessly, but it’s not without its set of caveats and considerations.
At the core of the apprehension is the proximity-based nature of NameDrop. For the feature to work, both devices must have iOS 17 installed, be unlocked, and be in close physical proximity – a touch is required to initiate the contact transfer. The user experience involves a swift interaction, prompting a screen at the top of the device with options to “receive only” or “share.”
The need for consent is emphasised in this process. Both users must actively participate in the transfer, acknowledging and approving the exchange of contact information. This deliberate approach is aimed at ensuring that the sharing of personal data is a conscious and intentional act.
However, the rollout of NameDrop has not been without its share of concerns, particularly among parents and law enforcement agencies. Police departments across the United States have issued warnings, urging parents to manually disable the feature on their children’s devices. The fear, it seems, is rooted in the potential for unintended consequences, especially considering the close physical interaction required.
Is it wise to err on the side of caution and turn off NameDrop? Perhaps. Is it time to hit the panic button? Not necessarily, according to experts in the field. In a report by The Washington Post, Chester Wisniewski, a digital security expert at Sophos, dismisses the concerns surrounding NameDrop as “hysteria” and “nonsense.” He suggests that Apple has implemented safeguards to prevent inadvertent information sharing.
One key aspect that should offer reassurance is the need for mutual consent and the deliberate physical proximity required for the feature to activate. The intentionality of this process is to eliminate the risk of accidental data exchanges, putting control firmly in the hands of the users.
As with any technological advancement, understanding and awareness play pivotal roles in ensuring a positive user experience. Educating users, especially parents and guardians, about the intricacies of NameDrop can empower them to make informed decisions about its use. Apple, being at the forefront of user privacy and security, is likely to continue refining and enhancing the feature based on user feedback and evolving security standards.
While the warnings from law enforcement underscore the importance of vigilance, it is crucial to approach the situation with a balanced perspective. The benefits of a feature like NameDrop, enabling seamless contact sharing in a world where connectivity is key, should not be overshadowed by fear.
Apple’s NameDrop feature introduces a novel way of sharing contact information, but its success hinges on user awareness and responsible usage. As technology continues to evolve, so too will the safeguards and features aimed at ensuring a secure and positive user experience. By staying informed and engaged, users can navigate the landscape of advancements like NameDrop with confidence.
Expert Speak
Password Management: Creating, Storing, and Managing Secure Passwords
Navigating the complexities of online security begins with effective password management. This article aims to provide practical advice on creating, storing, and managing passwords, ensuring your digital safety with an approach that is both informative and user-friendly.
Crafting Unbreakable Passwords: A Practical Approach
Creating a strong password is more than a security step; it’s a necessity in today’s digital world. Follow these guidelines to enhance your security:
- Length Matters: Passwords should be at least 16 characters long. A study by Carnegie Mellon University found that longer passwords significantly reduce the risk of hacking.
- Complexity is Key: Combine different character types for a robust password. Use a blend of upper and lower case letters, numbers, and symbols.
- Memorable Phrases: Create passwords using unusual phrases or sentences. Think “VanGoghStarry1Night!” instead of “Password123”.
The Importance of Diversifying Passwords
Using the same password for multiple accounts is like having one key for every lock. Diversify your passwords to ensure that a breach in one account doesn’t jeopardize others. According to a report by Verizon, 80% of hacking-related breaches are due to weak or stolen passwords.
Multi-Factor Authentication (MFA): Your Safety Net
Incorporating MFA can significantly increase your account security. This method, which often involves receiving a code on your mobile device, adds an extra layer of protection.
Personal Information: The Password Pitfall
Avoid using easily guessable personal information in your passwords. Cybersecurity experts warn that personal details are often exploited by hackers.
Password Managers: The Organizational Tool
A password manager is a secure and practical way to store and manage passwords. These tools also help in generating strong passwords. Consider options like LastPass, KeePass, or Keeper, based on your personal preference and needs.
Regular Updates: Key to Continuous Protection
Regularly updating your passwords can dramatically reduce your vulnerability to cyber attacks. Cybersecurity experts recommend changing passwords every three to six months.
Stay Informed: Your Best Defense
Staying updated with the latest cybersecurity trends and threats is essential. Never share your passwords, and always be alert to phishing attempts.
Embracing Secure Password Recovery Methods
Secure Password Recovery: It’s essential to establish secure methods for password recovery. Cybersecurity experts advise against using easily guessable security questions. Instead, opt for two-factor authentication or a secondary email for recovery. According to a report by Google, this simple step can prevent 100% of automated attacks.
The Role of Biometrics in Password Security
Biometrics Integration: The use of biometrics (like fingerprint or facial recognition) in conjunction with traditional passwords is becoming increasingly popular. This method, known as biometric authentication, adds an extra layer of security. A study by the University of Michigan showed that biometrics could reduce the time spent on password entry by 78%, enhancing both security and convenience.
Navigating Public Wi-Fi and Password Safety
Public Wi-Fi Risks: Be cautious when entering passwords on public Wi-Fi networks. These networks are often unsecured, making them hotspots for cybercriminals. The Federal Trade Commission suggests using a VPN (Virtual Private Network) to encrypt your internet connection in such scenarios. Additionally, services like Cisco Umbrella can provide an extra layer of security by offering internet gateway protection. This service not only secures your connection but also helps in blocking malicious sites and phishing attempts, making it a valuable tool for anyone frequently using public Wi-Fi.
The Evolution of Passwords: Future Trends
Future of Passwords: Stay abreast of evolving technologies in password security. Innovations like single sign-on (SSO) systems and blockchain-based passwords are shaping the future of digital identity management. A survey by TechCrunch indicated that 65% of tech professionals believe traditional passwords will be obsolete in the next five years.
Educating Others: Spreading Password Safety Awareness
Spreading Awareness: Educate family, friends, and colleagues about password safety. Sharing knowledge and best practices can dramatically reduce the collective risk of data breaches. The National Cyber Security Centre reported that promoting basic password hygiene could prevent up to 80% of common cyber attacks.
Tailoring Your Password Strategy
Remember, password management is not one-size-fits-all. Consider your unique digital habits and needs when implementing these strategies. Personalization is key to effective password management.
Conclusion
In the intricate web of digital security, password management plays a vital role. By embracing advanced recovery options, considering biometric solutions, exercising caution on public networks, keeping pace with technological trends, and sharing knowledge, we can fortify our digital defences. Effective password management is not just about creating strong passwords; it’s about adopting a comprehensive approach to digital safety, tailored to our unique needs and the evolving cyber landscape.
Expert Speak
Levelling Up Your PC Game Marketing to Capitalise on the MENA’s Gaming Boom
By Adam Smart, Director of Product – Gaming, AppsFlyer
The Middle East and North Africa (MENA) is home to the world’s fastest-growing gaming market — an estimated 377 million players, which is more than all of Europe combined (386 million) and considerably more than the US (210 million). Gamers in Saudi Arabia, Egypt, and the United Arab Emirates (UAE) combined have topped 65 million by 2021 and this number is predicted to reach almost 86 million by 2025. MENA gaming revenue is set to reach more than US$5 billion by 2025. In the UAE, where nine in every 10 adults say they play video games, the country’s gaming market is expected to reach more than $306 million this year.
One segment that has been growing consistently is PC and console gaming. As the growth has occurred, the PC gamer has evolved. No longer exclusively the domain of World of Warcraft aficionados brandishing their “l33t” statuses in front of hordes of “noobs”, the PC market is more diverse, and therein lies the opportunity. First, we have to temper the excitement by reminding you that enthusiasm is no substitute for strategy. Paid and organic moves must combine in a journey of iteration and learning. Hype must be built patiently, in four steps.
Pick Your Genre
You start out with a dream. You want to learn. You want your game to be played. So, the first thing you will do is determine — through research on marketplaces like Steam — what your best positioning is. What genre should your game inhabit to give you the best chance of momentum? Your genre will determine your competition and revenue potential. Each genre releases different numbers of games and has different sales volumes and average revenues per user (ARPU).
Consider a less competitive genre to start with, so you can build some revenue before embarking on more ambitious projects. Consider what kind of streamers play in this genre and how your game’s art style and vibe may fit their tastes. And get to know where your audience consumes content — Twitch, YouTube, TikTok, or others.
Get to Know Steam
Steam is the largest gaming marketplace, where visibility and downloads play out a little differently to Google Play or the App Store. Standing out among 50,000 other games and drawing players from among 130 million monthly active users is a daunting goal. Make sure you pay attention to your capsule (the hero image that represents you in the store). An attractive, professional design is more likely to pique interest. Next, craft your landing page to be a polished artefact that intrigues and inspires browsing — great imagery, short trailers, and lots of gameplay footage. And tag your game to ensure discovery. Steam is known for its window shoppers, so make sure they can add your game to their wish lists. This is a great marketing tool, an effective social wedge, and a sustainable driver of sales.
Leverage UA Channels
As an indie developer, signing with a publisher can help a lot with marketing, especially if your budget is tight. You can also get the word out through alpha and beta releases. Apart from hype, this is a way to keep your most loyal players engaged. Use tools like Sullygnome, Playboard, or HYPR to find well-known gamers/streamers. Many streamers made the difference for games once they started playing them on Twitch. Also check out online festivals like GDC, PAX, Tiny Teams, and Summer Game Fest to further build awareness. And if you have the budget, look into Meta ads, Twitch ads, and YouTube ads.
Find out which platforms host your potential gamers. Engage with them wherever they are. Run your campaigns on channels with which you are familiar, such as mobile and Web. Do not rule out CTV (connected TV) ads or offline ads to capture interest at bus stops and metro stations.
Measure and Optimise
By this point, you will have built a hype train. Now, you must measure its efficiency. You need to know your most profitable campaigns and channels and to do this, you need to measure and attribute conversions accurately. This is not easy in the multichannel haze in which the modern consumer dwells. A gamer could have spotted a Tweet, then watched a CTV ad, then a mobile ad, and then been confronted with a billboard. Which drove their conversion? Today’s marketing measurement and analytics solutions, backed by the right partner, can help organisations connect these dots to the purchase of your game. These platforms even offer a real-time view of campaigns’ performances across multiple channels and devices — a critical capability for branching out to sell games on consoles.
You Just Levelled Up
PC and console gaming sales are a world apart from mobile markets. But provided you understand the target genre and make the right moves on Steam (including wish lists), you should be in the necessary visibility bracket to take your campaign to the next level. Get social, plug yourself into the channels where your target gamers can be found. Enlist a publisher, dole out alpha and beta launches, and cosy up to celebrity gamers/streamers. Be seen at online festivals, spend (if possible) on Meta Ads, Twitch, and YouTube, and consider cross-platform campaigns across mobile, CTV, offline, and Web. But most importantly, measure. And through measurement, as the gamers say, “GiT GuD”.