itman 1,805 Posted February 21, 2020 (edited)
First a recent reference article: Credit Card Skimmer Found on Nine Sites, Researchers Ignored
Quote: Security researchers discovered a new batch of nine websites infected with malicious JavaScript that steals payment card info from online shoppers. Some of them were infected a second time and the script persisted, despite efforts from the researchers to contact the website owners. The script is attributed to MageCart Group 12, as per extensive analysis from RiskIQ, a threat actor that is changing tactics as their tricks are being published in security reports.
https://www.bleepingcomputer.com/news/security/credit-card-skimmer-found-on-nine-sites-researchers-ignored/
So I decided to test Eset on detection capability. Per the linked article, picked one of the infected sites - Bahimi swimwear shop - first infected in November 2019, the skimmer is still there today. Attempted to order something here: https://bahimi.com/gbp/checkout/onepage/ . Eset immediately detected the card skimmer:
Edited February 21, 2020 by itman
Most Valued Members Nightowl 206 Posted February 22, 2020
23 minutes ago, itman said: First a recent reference article: Credit Card Skimmer Found on Nine Sites, Researchers Ignored https://www.bleepingcomputer.com/news/security/credit-card-skimmer-found-on-nine-sites-researchers-ignored/ So I decided to test Eset on detection capability. Per the linked article, picked one of the infected sites - Bahimi swimwear shop - first infected in November 2019, the skimmer is still there today. Attempted to order something here: https://bahimi.com/gbp/checkout/onepage/ . Eset immediately detected the card skimmer:
Yes, it's a JS script loaded in the website.
itman 1,805 Author Posted February 22, 2020 (edited)
Also in fairness it should be noted that Eset might have issues with obfuscated JavaScript magecart attacks. I believe the web site I tested was not using obfuscated JavaScript.
-EDIT- Appears Eset needs to sandbox browser-based JavaScript and run it outside of the browser. As I understand it, browser scripts are not scanned by AMSI since they are run via the JavaScript .dll within the browser. Eset failed the magecart simulator test for the most recent Malware Research Group On-line Banking Protection certification:
Quote: Simulator test results. The methodology behind these attacks was simple and similar: injecting a malicious obfuscated JavaScript code into the website's checkout pages and listening for an event, for example, when the user clicks on the "Pay" or "Place Order Now" or a similar button (event hijacking). When this event happens, the malicious code sends the credit card data to the attackers' servers. In our test we simulated this attack. We implemented our obfuscated malicious JavaScript code based on the Newegg and British Airways cases and injected it into a test webstore which was built by us. The code behavior and the obfuscation technique are exactly the same as in the real-world examples: when the user fills out the credit card data and presses the "Place Order Now" button, the data is sent to our servers.
https://www.mrg-effitas.com/wp-content/uploads/2020/01/2019_Online_BankingQ4.pdf
Edited February 22, 2020 by itman
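As an added illustration (not code from the thread, from ESET or from MRG Effitas), the following static check scans a checkout page's HTML for the skimmer shape the MRG quote describes: a hook on the Pay / Place Order click or form submit that also reaches a host the shop does not own or carries obfuscation markers, plus any third-party script tag on the checkout page. The allowlist, regexes and sample page are constructed assumptions; nothing in the page is executed.

```javascript
// Added example (not from the thread or ESET): static scan of a checkout page for the
// skimmer shape in the MRG-Effitas quote: hook the Pay/Place Order click, read card fields,
// talk to a host the shop does not own, usually obfuscated. Nothing is executed; the
// allowlist and sample page are constructed (the base64 just decodes to "PLACEHOLDER").
const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
const SRC_RE = /\ssrc\s*=\s*["']([^"']+)["']/i;
const URL_RE = /https?:\/\/([a-z0-9.-]+)/gi;
const HOOK_RE = /addEventListener\s*\(\s*["'](?:click|submit)["']|\.onsubmit\s*=|\bonclick\s*=/i;
const CARD_RE = /cc_number|card[-_]?number|cvv|cvc|expir/i;
const OBFUS_RE = /\beval\s*\(|\batob\s*\(|\bunescape\s*\(|String\.fromCharCode|(?:\\x[0-9a-f]{2}){8,}/i;
// Hosts referenced in `text` that are not on the shop's allowlist.
function hostsOutside(text, allowedHosts) {
  const out = new Set();
  for (const m of text.matchAll(URL_RE)) if (!allowedHosts.has(m[1].toLowerCase())) out.add(m[1].toLowerCase());
  return [...out];
}
// One finding per <script>. `suspicious`: a third-party src on the checkout page, or an inline
// click/submit hook that also reaches an outside host or shows obfuscation. A hook alone is
// ordinary checkout validation and is only recorded as a reason, not flagged.
function scanCheckoutHtml(html, allowedHosts) {
  const findings = [];
  for (const m of html.matchAll(SCRIPT_RE)) {
    const src = (m[1].match(SRC_RE) || [])[1] || null, body = m[2], reasons = [];
    const thirdPartySrc = src !== null && hostsOutside(src, allowedHosts).length > 0;
    if (thirdPartySrc) reasons.push('third-party src: ' + src);
    const hook = HOOK_RE.test(body), obfus = OBFUS_RE.test(body), outside = hostsOutside(body, allowedHosts);
    if (hook) reasons.push('hooks click/submit');
    if (CARD_RE.test(body)) reasons.push('touches card fields');
    if (obfus) reasons.push('obfuscation markers');
    for (const h of outside) reasons.push('external host: ' + h);
    findings.push({ src, reasons, suspicious: thirdPartySrc || (hook && (obfus || outside.length > 0)) });
  }
  return findings;
}
// Constructed page: plain validation, a skimmer-shaped block that sends nothing, an unknown tag.
const SAMPLE_HTML = `
<script>
  document.getElementById('checkout-form').addEventListener('submit', function (e) {
    if (!/^\\d{13,19}$/.test(document.getElementById('cc_number').value)) e.preventDefault();
  });
</script>
<script>
  document.getElementById('place-order').addEventListener('click', function () {
    var pan = document.getElementById('cc_number').value; // read only, never sent anywhere
    eval(atob('UExBQ0VIT0xERVI='));
  });
  var endpoint = 'https://stats-collect.example/p';
</script>
<script src="https://cdn.unknown-tag.example/t.js"></script>`;
const SHOP_HOSTS = new Set(['shop.example', 'www.shop.example']);
const RESULTS = scanCheckoutHtml(SAMPLE_HTML, SHOP_HOSTS);
console.log(RESULTS.map(f => (f.suspicious ? 'SUSPICIOUS: ' : 'ok: ') + f.reasons.join('; ')).join('\n'));
```

A check like this only catches the textual shape of the technique; a skimmer loaded at runtime or packed beyond these markers needs the behavioural or sandboxed scanning the post above asks for.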