Connect with us

Expert Speak

How Hackers Steal Your Payment Card Details From Retailers



As we enter the busiest shopping period of the year, both offline and online retailers and consumers are facing risks to the security of their payment card data.

Formjacking has surged in 2018—with Symantec blocking almost 700,000 formjacking attempts from mid-September to mid-November alone. This surge in formjacking is one of the big stories of 2018—with attackers like Magecart using supply chain attacks and other tactics to inject malicious scripts into websites to steal payment card information.

There have also been attacks on point-of-sale (PoS) systems in bricks-and-mortar stores this year, though none so far that compare to the mega breaches of earlier this decade, which saw tens of millions of credit cards compromised in a single breach.

Point of sale, point of weakness
According to recent research from Symantec’s Deepsight Managed Adversary and Threat Intelligence (MATI) team (published in the MATI report How Cyber Criminals Monetize Unauthorized PoS System Access And Stolen Card Data – 01 Nov 2018), on dark net marketplaces threat actors are advertising access to PoS systems at prices ranging from $12 for administrative access to one PoS machine, to $60,000 for access to a large corporate network containing thousands of PoS servers and terminals. Meanwhile, depending on its quality, payment card data on the dark web retails for between $1 and $175 per card.

The techniques used by PoS scammers remain straightforward and have not evolved greatly in the last number of years, with scammers still using “RAM-scraping” malware to steal payment card details. This RAM-scraping malware works because of how data generally travels around retailers’ systems.

  • Retailers generally use network-level encryption within their internal networks to protect data as it travels from one system to another.
  • However, payment card numbers are not encrypted in the systems themselves and can still be found within the memory of the PoS system and other computer systems responsible for processing or passing on the data.
  • This weakness allows attackers to use RAM-scraping malware to extract this data from memory while the data is being processed inside the terminal rather than when the data is travelling through the network.

PoS cyber crime groups
Two high-profile actors in the PoS malware space are FIN7 and FIN6. FIN7 is a well-known group that is reported to have stolen more than $1 billion from companies around the world. FIN7 uses sophisticated spear-phishing emails to convince targets to download an attachment that then infects their company network with malware. The malware used by FIN7 is most commonly a tailored version of the Carbanak malware, which has been used in multiple attacks on banks. Companies compromised by FIN7 include well-known brands like Chipotle, Chilli’s, and Arby’s, with the group thought to have compromised thousands of business locations and to have stolen millions of credit card numbers.

FIN6 was first spotted in 2016 when it used the Grabnew backdoor and the FrameworkPOS malware to steal the details of more than 10 million credit cards. The group was also active in 2018, and was seen exploiting living off the land tools such as Windows Management Instrumentation Command (WMIC) and the Metasploit framework to execute PowerShell commands.

Both groups are believed to have made many millions of dollars selling the card details they steal on dark web marketplaces—with the Joker’s Stash marketplace appearing to be where most of these transactions take place.

However, a few factors have emerged in recent times that may impact the environment around PoS attacks, and the activity of these groups:

  • Three members of FIN7 arrested: In August this year, the U.S. Department of Justice issued indictments against three Ukrainian nationals it alleged were members of FIN7: Dmytro Fedorov, Fedir Hladyr, and Andrii Kopakov. The three men reportedly had high-profile roles in FIN7: Hladyr as its systems administrator, and Fedorov and Kopakov as supervisors to groups of hackers. While FIN7 activity has continued to operate since these arrests, they could have an impact on the group’s activity going forward.
  • Increased adoption of chip and chip-and-PIN: The increased adoption of chip in the U.S., and chip-and-PIN technologies globally, by payment card issuers has reduced the availability of “usable” payment card information in the criminal marketplace. If a threat actor compromises a PoS system that processes 50 percent cards that use chip-and-PIN then only 50 percent of the cards are usable, or saleable, for them. As chip-and-PIN technology becomes more commonplace around the world and reduces the number of PoS systems capable of producing card data that actors can monetize, Symantec’s MATI experts believe the price of unauthorized PoS access will decline, while usable stolen payment card information will increase in value due to its scarcity.

PoS attacks in 2018
One new actor we have seen engaged in malicious activity on PoS machines in 2018 is a group we have dubbed Fleahopper. Fleahopper has been active since at least July 2017. It is a financially motivated group that appears to be monetizing its victims by stealing information from infected machines running PoS software.

In the latter half of 2018, Fleahopper has been observed using the Necurs botnet to infect victims. It does this in two ways: through Necurs bots and through spam email, likely originating from the Necurs botnet. Symantec has observed Fleahopper delivering malware directly through Necurs bots, where the bots drop malware from Fleahopper onto machines already infected by Necurs. Machines that are not infected with Necurs may still be infected by Fleahopper through spam that comes from the Necurs botnet.

Spam emails that deliver malware from Fleahopper have been observed with malicious Microsoft .pub files attached. These .pub files download an installer for the malware used by Fleahopper, Trojan.FlawedAmmyy.

The Trojan.FlawedAmmyy RAT is a modified version of the publicly available remote access tool Ammyy Admin (Remacc.Ammyy). Although Trojan.FlawedAmmyy is not believed to be exclusive to Fleahopper, the group has been observed using Trojan.FlawedAmmyy to deliver its tools.

Once they’ve compromised an organization, Fleahopper has been observed dropping a number of files onto machines running POS software. Fleahopper installs a modified legitimate Remote Desktop Protocol (RDP) file onto infected machines running POS software. This gives Fleahopper remote desktop access to the infected machine that is separate from access through malware. Symantec has observed Fleahopper using this access.

Symantec has observed Fleahopper activity on machines in grocery stores, furniture stores, restaurants and a store selling men’s clothing. The group’s activity appears to be spread around the globe, with some activity seen targeting businesses based in the U.S. and the U.K. Some of the other PoS malware that has been seen used by various groups in the wild in 2018 includes: RtPOS, Prilex, LusyPOS, LockPOS, GratefulPOS, and FindPOS.

Publicly reported attacks
There have been several publicly reported attacks on PoS systems in 2018:

  • RMH Franchise Holdings, an Applebee’s franchisee
  • Canadian restaurant chain Tim Horton’s
  • S. restaurant chain Chili’s
  • Saks Fifth Avenue, Saks Off 5th, and Lord & Taylor (these stores have the same parent organization: Hudson Bay Company)

The compromise of Hudson’s Bay Company’s stores and Chili’s has been linked to FIN7. While these were significant compromises—the details of at least 5 million cards were compromised when the Hudson’s Bay Company stores were targeted—there have been no reports so far of PoS attacks this year affecting tens of millions of consumers.

This relative drop in activity in the PoS space compared to previous years could be down to the reasons mentioned above—the increased adoption of chip-and-PIN globally and upset in the FIN7 group. However, it may also indicate that attackers are looking at other ways to make money and get their hands on payment card details—for example, by turning to formjacking.

We first published research on formjacking at the end of September 2018, after a spate of high-profile attacks by the Magecart attack group. Among Magecart’s targets were Ticketmaster UK, British Airways, Feedify, and Newegg. One of its more recent targets was British electronics kit retailer Kitronik.

Formjacking is a term we use to describe the use of malicious JavaScript code to steal credit card details and other information from payment forms on the checkout web pages of e-commerce sites. It is not a new technique, but in the latter half of 2018, it has garnered a lot of attention due to some large campaigns, many of which have been carried out by Magecart. Recently released research has claimed that Magecart is not just one group—but rather approximately seven groups that are all engaged in similar activity.

When a customer of an e-commerce site clicks “submit” or its equivalent after entering their details into a website’s payment form, malicious JavaScript code that has been injected there by the cyber criminals collects all entered information, such as payment card details and the user’s name and address. This information is then sent to the attacker’s servers. Attackers can then use this information to perform payment card fraud or sell these details to other criminals on the dark web.

In a two-month period, from mid-September to mid-November, Symantec blocked almost 700,000 formjacking attempts—with a clear upward trend visible as we approach the holiday shopping season.

Much as we reported in September, these formjacking attempts target a wide range of e-commerce websites, including a fashion retailer in Southeast Asia, and another in Australia, a U.S. website selling jewelry, and another U.S. store specializing in outdoor gear and equipment. Suppliers of equipment for dentists, and online stores selling gardening equipment, were also among those targeted. These formjacking attempts continue to target a wide range of stores—ranging from small to large retailers in various countries around the world.

We detailed in our previous research how, in some cases, Magecart was using supply chain attacks to gain access to its targeted websites and carry out these formjacking attacks. The Magecart attackers injected malicious JavaScript code into Ticketmaster’s website after they compromised a chatbot from tech firm Inbenta that was used for customer support on Ticketmaster websites, for example. Magecart was then able to alter the JavaScript code on Ticketmaster’s websites to capture payment card data from customers and send it to their servers.

Dutch security researcher Willem de Groot has discovered since then that Magecart is also exploiting unpatched vulnerabilities in 21 Magento extensions used by online stores to gain access to websites. Magento is an open-source e-commerce platform. Magecart is using a series of URL paths to probe Magento stores in the wild for the vulnerable extensions, and injecting its malicious code into vulnerable websites.

As we approach the holiday shopping season, it is likely that we will see a ramping up of activity from actors out to steal consumers’ payment card details—both online and in retail stores worldwide.

Best Practices for Retailers
Victims may not realize they are victims of formjacking as generally their websites continue to operate as normal, and attackers like Magecart are sophisticated and stealthy and take steps to avoid detection.

Website owners should be aware of the dangers of software supply chain attacks, as these have been used as the infection vector in some of these formjacking attacks. Software supply chain attacks can be difficult to guard against, but there are some steps that website owners can take:

  • Test new updates, even seemingly legitimate ones, in small test environments or sandboxes first, to detect any suspicious behavior.
  • Behavior monitoring of all activity on a system can also help identify any unwanted patterns and allow you to block a suspicious application before any damage can be done.

Producers of software packages should ensure that they are able to detect unwanted changes in the software update process and on their website.

Website owners can also use content security policies with Subresource Integrity tags (SRI) to lock down any integrated third-party script.

Point of Sale

  • Install and maintain a firewall to facilitate network segmentation.
  • Change default system passwords and other security parameters.
  • Encrypt transmission of cardholder data across open, public networks.
  • Use and regularly update security software.
  • Use strong authentication including two-factor authentication for remote systems.
  • Test security systems, perform penetration testing, and implement a vulnerability management program.
  • Maintain security policies and implement regular training for all personnel.
  • Implement chip-and-PIN technology in your business.
  • Implement system integrity and monitoring software to leverage features such as system lockdown, application control, or whitelisting.

Best Practices for Consumers

  • Monitor your credit card bills so you will spot any suspicious transactions. You could even consider hiring the services of a credit monitoring company.
  • Only shop from well-known, secure websites and stores that are more likely to have good security measures in place. However, even well-known stores fall victim to cyber criminals, so while this may reduce your risk of exposure it doesn’t eliminate it.
Click to comment

Leave a Reply

Your email address will not be published.

Expert Speak

Why You Should Use a VPN While Traveling



According to a survey conducted by NordVPN, 50% of travellers use public Wi-Fi while on the road. However, only 20% of them use a VPN (a virtual private network) to protect themselves while being connected to a public network. “Travelers connect to public Wi-Fi in airports, cafes, parks, and trains. Some even use public computers to print their visa information or flight tickets. A VPN in those cases is crucial if you want to make sure that your vacation will not be ruined by cyber criminals. Nobody wants to lose access to their device or their bank account during a trip to a foreign country,” says Daniel Markuson, a cybersecurity expert at NordVPN.

As International VPN day (August 19th) is just around the corner, Markuson lists all the benefits offered by the service.

Enhanced online security
The main purpose of a VPN is to keep its user’s online connection secure even when they are away from home. Hackers can set up fake hotspots or access unsecured public routers and this way monitor users’ online activity. Once a user is connected, criminals can intercept their internet traffic, infect the device with malware, and steal their victim’s personal information.

When authenticating themselves on public Wi-Fi, users often need to type in their email address or phone number. However, if a user has accidentally connected to a hacker’s hotspot, they could be exposing themselves to real danger.

A VPN hides users’ IP addresses and encrypts their online activity. That means that, even if a user is using a malicious hotspot, the hacker behind it won’t be able to monitor their activity. Therefore, getting a VPN for travelling abroad is essential if you want to stay secure and private online.

Grab the best deals
Depending on the country in which you’re located, the prices for airline tickets, car reservations, and hotels might vary. That’s because businesses know that people in different countries can and will pay higher amounts for certain products and services. If you use a VPN for travel, you can hop between servers in different countries and find the best deals available.

Make the best of additional VPN features
As the industry is evolving, many VPN providers add new features to make their users’ experience even more wholesome. NordVPN, for example, recently added the Meshnet feature that lets travellers connect to other devices directly no matter where in the world they are. This enables users to form a remote connection with their home or office PC from anywhere in the world to share files or for other uses.

However, having said that, please check local laws and regulations about using VPN services on your devices, before you do.

Continue Reading

Expert Speak

Social Media Data Leaks Account for 41% of All Records Breached



Written by Edward G, Cybersecurity Researcher and Publisher at Atlas VPN

Social media is quickly turning into a primary security weak point. A single data breach within one of the major social media networks can result in millions of records being stolen. Within the past few years, we have seen multiple large-scale data breaches involving companies like Facebook and Twitter. Yet, we rarely see the bigger picture.

Luckily, data presented by Atlas VPN gives insight into the scope of the issue. It turns out that 41% of all compromised records in 2021 originated from social media data leaks, which is a significant upsurge compared to 25% in 2020. The data presented is based on the 2022 ForgeRock Consumer Identity Breach Report, which gathered data from various sources, such as 2021 Identity Theft Resource Center, IBM Ponemon, TechCrunch, Forrester Research, as well as UpGuard, and IdentityForce.

A few other factors make social media a security weak point within the current online landscape. First, criminals can prey on business clients by posing as the company in order to obtain credentials. This is becoming especially prevalent since companies increasingly use social networks to communicate with customers.

Second, fraudsters frequently attempt to infiltrate businesses by leveraging mutual connections, which create a false sense of security. Moreover, people who overshare on social media make it simple for thieves to locate personal information that aids in company breaches.

Besides social networks, another major source of leaked information is the retail sector, which accounted for nearly a quarter of all records breached in 2021. According to the U.S. Department of Commerce Retail Indicator Division, e-commerce sales increased by 50% during the pandemic. Retail data breaches increased in frequency and severity during the same period.

While the average cost of a retail breach was $2.01 million in 2020, it increased by 63% to $3.27 million in 2021. Customer credit card, payment information, and personal data were the principal targets of retail data breaches. E-commerce websites and applications sometimes skip security precautions like two-factor authentication (2-FA) as they seek a simple user experience.

When the enormous volumes of personal data that retail websites collect are not adequately protected, it creates the ideal environment for breaches and subsequent fraud. Finally, the healthcare sector is worth mentioning with only 1% of records, yet, at the same time, the information leaked is usually particularly sensitive.

Data compromised from healthcare institutions tend to include name, address, SSN, date of birth, and, in two-thirds of the breaches, actual medical history information. With this information in hand, cybercriminals can blackmail companies or even particular individuals.

To round up the findings, it’s obvious that retail and social media companies should go the extra mile in securing their customer information. In addition, even though healthcare providers leak only a fraction of the data, they should still safeguard their client data with particular care due to the sensitive nature of the information.

Some services offer data breach monitoring tools. Data breach monitors track any data breaches related to your online accounts. It automatically scans leaked databases and informs you of any past or recent breaches where your personal information was exposed.

As always, we must mention the most effective countermeasure against data leaks. It is advised to enable multi-factor authentication on all of your accounts that offer the functionality. This way, even if your credentials are compromised, threat actors will not be able to access your account unless you lose your phone, and it is also found by ill-meaning individuals, which is less than likely.

Continue Reading

Expert Speak

Airline and Booking Services Scams Intensify at the Height of the Holiday Season



Vacation season is well and truly upon us, and travellers around the world are looking for interesting places to go, cheap places to stay and reasonably priced flights. And scammers are here to give them what they need — well, sort of. Kaspersky researchers have observed intensified scamming activities, with numerous phishing pages distributed under the guise of airline and booking services. To help travellers avoid scams, company researchers share some of the most widespread fraud schemes used to lure victims as well as helpful tips on how to plan a safe, scam-free, vacation.

Fake Ticket Aggregators
Most trips start with a plane or train ticket, and travel enthusiasts are often interested in getting their hands on a bargain. Kaspersky experts have seen numerous fake websites claiming to offer users the chance to buy aeroplane tickets at cheaper costs. Such websites are usually well-made phishing pages that mimic famous airline services and air ticket aggregators. Some of these websites even display the details of real flights, with experienced phishers sending search requests to flight aggregators and displaying the information received from them. However, instead of delivering on promised flight tickets they keep your money and use your personal information for malicious purposes (e.g. selling your bank details and identifying information on the dark web).

Fake Lotteries for Discounted Tickets
There are also plenty of fake pages attempting to lure travellers with aeroplane ticket draws, lotteries and gift cards. Users are offered the opportunity to take a small survey and enter their personal details in exchange for a generous discount on a flight ticket. As with many other offers that seem to be too good to be true, such websites end up being phishing sites, collecting victims’ personal information and card details.

On top of this, the survey usually ends with a request to distribute the site among friends to receive the prize. In such cases, cybercriminals are using the victims themselves as a tool for spreading the scam further. A link sent by people you know seems more trustworthy than one received from a stranger. If the user then follows the link and tries to get their prize, they often find they need to pay a commission or fee first. After this money is paid, the cybercriminals disappear – without rewarding the user.

Fake Rentals
Another popular tactic used to scam travellers is fake rental services. One example includes the offer of a luxury two-bedroom apartment close to the centre of a European capital for just €500 a month. Another seemingly appealing offer is for the rental of an entire four-bedroom house with a pool and fireplace for only €1,000 for the whole month. The reviews describe amazing vacations and hospitable hosts. This encourages users to pay for their month-long stay, but in reality, they end up sending their money to fraudsters.

“Planning a vacation is not easy. People can spend weeks, even months, looking for the perfect place to stay and the tickets to get them there. Fraudsters use this to lure users that have grown tired of searching for great deals. After two years of flight restrictions imposed by the pandemic, travelling is back. But so are travel scams – with intensified scamming activity targeting users through fake booking and rental services. Such attacks are totally preventable, which is why we urge users to be sceptical about overly generous offers. If an offer seems too good to be true, it probably is,” comments Mikhail Sytnik, a security expert at Kaspersky.

To keep yourself protected while planning a vacation, Kaspersky experts recommend:

  1. Carefully look at the address bar before entering any sensitive information, such as your login details and password. If something is wrong with the URL (i.e. spelling, it doesn’t look like the original or it uses some special symbols instead of letters) don’t enter anything on the site. If in doubt, check the certificate of the site by clicking on the lock icon to the left of the URL.
  2. Only book your stay and tickets through the trusted websites of trusted providers. Ideally, type the address of their website manually in the address bar.
  3. Not clicking on links that come from unknown sources (either through e-mails, messaging apps or social networks).
  4. Visiting the business’ official website if you see a giveaway offered in e-mail or on social media by a travel company or an airline to confirm the giveaway exists. You should also carefully check the links the giveaway ad leads you to.
  5. Using a good security solution that can protect you from spam emails and phishing attacks. We recommend Kaspersky Security Cloud.
Continue Reading

Latest Reviews

Follow us on Facebook