3 Web Third-Party Related Events: August-September 2020
As the end of 2020 approaches, we see more evidence of the rising risk posed by third-party apps running on websites. In this month’s top 3 events we review the 102-day Warner Music Group breach, how web skimmers used Telegram to deliver stolen card data, and the UltraRank threat actors, who have been using JS sniffers since 2015 without being identified. Read on!
Why You Should Carefully Watch Your Service Providers and Their Third-Party Codes
A closer look at Warner Music Group 102 Day Magecart Type Attack
In late August 2020, Warner Music Group (WMG) officials disclosed a data breach affecting the company’s online stores in the United States, all of which were operated by a third-party service. Though WMG did not operate the stores directly, the accountability and the reputational damage fall on the company itself. No matter how you look at it, a third party is YOUR party.
Warner Music Group August 2020 data breach official notice
What happened? According to WMG’s official Notice of Breach, sent to the California Attorney General’s office, the attack took place between April 25, 2020 and August 5, 2020.
Affected information – The entertainment giant also disclosed that the breach exposed both personal and sensitive financial data that customers entered into the affected website(s) run on the company’s behalf. The attackers stole the information after customers placed item(s) in their shopping carts.
What can we learn from this incident? Though the case is still under investigation, it is another example of the growing threat from Magecart-type attacks and web skimmers. In WMG’s case, it also emphasizes why enterprises like Warner cannot avoid taking security measures to control the external entities that operate online services on their behalf. Ultimately, whether it is you or your vendors who run the service, the accountability is all yours!
Source: Warner Music Group data breach official notice, published on State of California Department of Justice website
Suggested reading, ZDNet: Warner Music discloses months-long web skimming incident. Magecart hacker gangs strike again! by Catalin Cimpanu
Is your online store ready for Black-Friday?
Contact us to avoid Magecart type attacks before they happen
How Web-Skimmers Are Using Telegram to Steal Sensitive Information from Your Customers
Web skimming is undoubtedly one of the fastest-evolving risk landscapes of recent years, not only because of the growing volume of attacks but also because of new levels of sophistication and creativity.
A recent Malwarebytes report indicates that a new credit card skimming campaign is now using Telegram to deliver the stolen payment details to the attackers.
Why did the attackers use Telegram to deceive security controls? The simple answer is that they wanted to prevent web security controls from detecting them. Instead of delivering the data to an attacker-controlled external domain, they sent it to a dedicated Telegram channel through the Telegram bot API, using a bot ID and Base64 encoding of the stolen data. Once the information reached the channel, it was passed on to the criminal groups. The advantage of a Telegram channel is that it lets the attackers use a known, common domain that security controls are unlikely to flag as malicious. Communication with Telegram is considered legitimate by many websites and is therefore liable to be ignored by perimeter security controls.
What can we learn from this case? As a website owner, you must keep full control over everything that is installed and running on your website. Most third parties are served from external domains, so you must monitor those domains and the third parties using them, and detect anomalies and malicious activity.
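An added example of the monitoring described above (not code from the Malwarebytes report or from this post): a Python checker that runs over a constructed log of outbound requests from a checkout page, flags egress to any host outside the site's expected allowlist, and decodes Base64 bodies to look for Luhn-valid card numbers. The log lines, the store hostname and the bot token are placeholders; api.telegram.org/bot<token>/sendMessage is Telegram's public bot API endpoint.

```python
import base64
import re
from urllib.parse import urlsplit

# Constructed sample of outbound requests seen from a checkout page (as a
# proxy or browser-extension log might record them); not data from the
# report. The bot token is a placeholder, not a real Telegram credential.
SAMPLE_REQUESTS = [
    "POST https://checkout.example-store.com/api/cart body=sku=123&qty=1",
    "GET https://www.google-analytics.com/collect?v=1&tid=UA-0000-1 body=",
    "POST https://api.telegram.org/bot0000000000:PLACEHOLDER/sendMessage body="
    + base64.b64encode(b"card=4111111111111111&exp=12/24&cvv=123").decode(),
]
# Hosts the site is expected to talk to; anything else is an egress anomaly.
ALLOWED_HOSTS = {"checkout.example-store.com", "www.google-analytics.com"}
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, true for a syntactically valid card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def decode_if_base64(body: str) -> str:
    """Decode a Base64 body; return the body unchanged if it is not Base64."""
    try:
        return base64.b64decode(body, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError
        return body

def analyse(requests):
    """Return (url, reasons) for every request that looks like exfiltration."""
    findings = []
    for line in requests:
        _method, url, body = line.split(" ", 2)
        body = body[len("body="):]
        host = urlsplit(url).hostname or ""
        reasons = []
        if host not in ALLOWED_HOSTS:
            reasons.append(f"egress to host outside allowlist: {host}")
        if any(luhn_ok(m) for m in PAN_RE.findall(decode_if_base64(body))):
            reasons.append("Luhn-valid card number in (decoded) request body")
        if reasons:
            findings.append((url, reasons))
    return findings
```

Only the third request is reported, for both reasons: the host is not on the allowlist and the Base64 body decodes to a card number.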
Sources: Malwarebytes Blog; the case itself was first reported by security researcher @AffableKraut in a series of tweets.
UltraRank Group Compromised 691 Online Stores and 13 Third-Party Suppliers for Over 5 Years
A recent, detailed report from Group-IB security researchers identifies a cybercriminal group dubbed UltraRank. The group is held responsible for an ongoing series of attacks that use sophisticated JS sniffers and have compromised hundreds of online stores.
By the beginning of February 2020, the researchers had detected at least 5 hacked websites. All had been built by The Brandit Agency, a marketing firm that also builds websites, on the Magento ecommerce platform. All of them were infected with malware downloaded from the same host: toplevelstatic[.]com.
The attacks kept going: in June 2020 Block & Company, the largest manufacturer and distributor of cash-handling products in North America, was also compromised. Once again the website ran on Magento CMS, and the injected JS sniffer code was loaded from the same host, toplevelstatic[.]com, that had been used in the earlier attack on The Brandit Agency.
The reuse of the same domain makes the campaign easy to detect. It also appears that the attackers are targeting Magento CMS exclusively as their entry vector.
What can we learn from the UltraRank case? First, Magecart should be thought of more as a methodology, since the name is applied to various forms of attack and to different threat actors. Second, we see once again how the supply-chain attack surface works: it starts with one vendor (for example The Brandit Agency); the vendor is hacked and injected with malicious JS, which then affects its clients’ websites. This eventually led to the data breach.
The targeted CMS, Magento, should be updated regularly, as it is still one of the most targeted platforms globally. In many cases we detect such anomalies only after the website has been compromised. But what can you do to stay ahead of it? Well, visiting our ecommerce page and reading a little more is a good start!
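An added example (not from the Group-IB report or this post) of the detection opportunity noted above: a Python inventory check that extracts the external script hosts from a storefront page, diffs them against the hosts recorded at the site's last review, and then correlates across several sites to surface an unknown host injected into more than one store. The storefront HTML, site names and baselines are constructed; the injected tag uses the host the report names (toplevelstatic[.]com, written undefanged so it parses).

```python
import re
from urllib.parse import urlsplit

SCRIPT_SRC_RE = re.compile(
    r"<script\b[^>]*\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.IGNORECASE)

def script_hosts(html: str) -> set:
    """Lower-cased hosts the page loads external <script src> tags from."""
    hosts = set()
    for src in SCRIPT_SRC_RE.findall(html):
        host = urlsplit(src).hostname  # also handles //host/path URLs
        if host:
            hosts.add(host.lower())
    return hosts

def unknown_hosts(html: str, baseline: set) -> set:
    """Script hosts missing from the site's reviewed baseline inventory."""
    return script_hosts(html) - baseline

def shared_unknown_hosts(pages: dict, baselines: dict) -> dict:
    """Unknown hosts that appear on more than one site, mapped to those
    sites. One host reused across several stores is the pattern the
    report describes and is a strong signal of a shared injection."""
    seen = {}
    for site, html in pages.items():
        for host in unknown_hosts(html, baselines.get(site, set())):
            seen.setdefault(host, set()).add(site)
    return {h: s for h, s in seen.items() if len(s) > 1}

# Constructed storefront HTML (not real site content); the third tag loads
# from the host the page reports as shared across the UltraRank victims.
def _page(store: str) -> str:
    return f"""<html><head>
<script src="https://{store}/static/frontend/Magento/luma/en_US/requirejs/require.js"></script>
<script type="text/javascript" src="//cdn.example-cdn.net/jquery.min.js"></script>
<script src='https://toplevelstatic.com/js/stats.js'></script>
<script>window.checkoutConfig = {{}};</script>
</head><body></body></html>"""

SAMPLE_PAGES = {
    "shop-a.example": _page("shop-a.example"),
    "shop-b.example": _page("shop-b.example"),
}
BASELINES = {
    "shop-a.example": {"shop-a.example", "cdn.example-cdn.net"},
    "shop-b.example": {"shop-b.example", "cdn.example-cdn.net"},
}
```

Run the same diff on every deploy or crawl; a host that was never in any baseline and shows up on several stores at once is worth treating as an incident rather than a vendor change.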
Source: UltraRank Report by Group-IB – https://www.group-ib.com/resources/threat-research/ultrarank.html
Suggested reading, Bank Info Security: ‘UltraRank’ Gang Sells Card Data It Steals, by Scott Ferguson and Chinmay Rautmare