3 Web Third-Party Related Events: May-June 2020
As always, we are working day and night to bring you the top 3 news picks related to third-party risks on websites. In this post we will review the “new trend” of ongoing attacks that remain undiscovered. We will also refer (yeah, once again) to the growing use of sophisticated “self-destructing” web-skimming attacks and to the question we are all asking: Was EasyJet Breached by a Client-Side Attack? Read on!
Claire’s and Intersport’s 49-day breach is living proof of why time is so critical!
As is usually the case, Magecart hacks are detected way too late. This time the incident affected Claire’s, one of the biggest retail chains globally, and the sporting retailer Intersport.
Attackers breached their websites by hiding malicious code that performs web skimming. As in previous cases, the purpose was to record and steal the credit card details that shoppers enter on the checkout forms.
Unfortunately for many online retailers, Magecart-type attacks remain undetected for long periods of time. In May 2020 the UK e-tailer Páramo revealed that it was breached. This time it was an 8-month attack, affecting 3,743 people whose full card details were stolen. Other examples, but definitely not the only ones, are the KandyPens attack, which lasted 343 days without being discovered, and the British Airways mega-hack, which lasted “only” 15 days.
The lesson from these severe incidents is clear: Every second counts! Websites should do more to decrease the ‘Time to Detect’. The longer an attack lasts, the more personal records are leaked.
Read the original article by Catalin Cimpanu, ZDNet: Web skimmers found on the websites of Intersport, Claire’s, and Icing
Self-destructing Skimmer. Well, again!
The frequency of such attacks is growing and this is definitely something we should all be aware of. One of the latest incidents involves payment card data theft from the customers of the Greenworks hardware tools website. The hackers used a malicious script that Bleeping Computer describes as having “self-cloaking capabilities and anti-tampering protection”. According to research that was recently published on Bleeping Computer, the attackers injected an empty element into the footer to form a layer over the whole checkout page. To activate the skimmer when users moved their mouse over the page, the attackers created an event referred to as “on-mouse-over”. Removing the DOM element afterwards is another method of hiding tracks and staying hidden. These sophisticated techniques help attackers mask their traces from most automated security tools and avoid detection.
This latest example shows us just how hard detection of such web-skimming events can be.
Read the original article by Ionut Ilascu, Bleeping Computer: Self-destructing skimmer steals credit cards of Greenworks customers
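A detection sketch for the overlay pattern described above, added here as an example (it is not code from the article or from the reported skimmer). It assumes a page-integrity monitor already logs element insertions and removals on the checkout page; the record fields, thresholds and sample records are hypothetical and constructed for illustration.

```javascript
// Assumed thresholds (tune per site): share of the viewport an element must
// cover to count as an overlay, and the lifetime that counts as short-lived.
const OVERLAY_COVERAGE = 0.9;
const MAX_LIFETIME_MS = 60000;

// Constructed sample log. Hypothetical record shape: a monitor could fill it
// from MutationObserver callbacks plus a check of each new element's handlers.
const SAMPLE_RECORDS = [
  { type: 'added', id: 'el-1', t: 1000, parent: 'body', width: 300, height: 80,
    childCount: 1, text: 'Added to cart', listeners: [] },
  { type: 'added', id: 'el-2', t: 1500, parent: 'body', width: 1280, height: 200,
    childCount: 3, text: 'We use cookies', listeners: ['click'] },
  { type: 'added', id: 'el-3', t: 2000, parent: 'footer', width: 1280, height: 720,
    childCount: 0, text: '', listeners: ['mouseover'] },
  { type: 'removed', id: 'el-3', t: 2600 },
  { type: 'removed', id: 'el-1', t: 4000 },
  { type: 'removed', id: 'el-2', t: 9000 },
];

// Flags elements matching all four traits from the write-up: empty, layered
// over the whole page, armed with a mouseover handler, removed soon after.
function findSelfRemovingOverlays(records, viewport) {
  const added = new Map(); // element id -> its "added" record
  const findings = [];
  for (const r of records) {
    if (r.type === 'added') { added.set(r.id, r); continue; }
    const a = added.get(r.id);
    if (r.type !== 'removed' || !a) continue;
    added.delete(r.id);
    const area = viewport.width * viewport.height;
    const coverage = Math.min(1, (a.width * a.height) / area);
    const lifetimeMs = r.t - a.t;
    const suspicious =
      a.childCount === 0 && a.text === '' &&
      coverage >= OVERLAY_COVERAGE &&
      a.listeners.includes('mouseover') &&
      lifetimeMs <= MAX_LIFETIME_MS;
    if (suspicious) findings.push({ id: a.id, parent: a.parent, coverage, lifetimeMs });
  }
  return findings;
}

console.log(findSelfRemovingOverlays(SAMPLE_RECORDS, { width: 1280, height: 720 }));
```

Because the element is gone by the time a periodic scan runs, the check only works on a continuous log of insertions and removals, not on a snapshot of the final DOM.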
Was EasyJet Breached by a Client-Side Attack?
EasyJet informed the UK ICO that around 9 million email records and thousands of credit card details were extracted in a “highly sophisticated breach”. The attack was first discovered in January, but was only published after all of EasyJet’s customers had been informed.
While the technical aspects of the attack are yet to be disclosed, it is suspected that the EasyJet breach is a web-skimming attack designed to extract airlines’ sensitive private data. If it is proven that EasyJet is accountable, the company could face a class-action lawsuit of up to £18 billion filed on behalf of the impacted customers.
The EasyJet incident occurred nearly two years after the notorious British Airways breach, which included more than 380,000 personal records and later resulted in a $230M fine by the ICO. The risk of client-side attacks and a long time to detect are crucial when it comes to fines.
Read the original announcement by EasyJet
Read more about EasyJet in Zack Whittaker’s article on TechCrunch: EasyJet says 9 million travel records taken in data breach