In our ongoing "game of cat and mouse" with cyber criminals, our Threat Intel Group has had an interesting year so far. Aside from the steady flow of eCommerce site investigations involving the standard Magecart-type skimmers, a "collection" of new types of malware has been identified, documented, "fingerprinted" and loaded into our technology to help defend our clients globally.
Here's a high-level breakdown of the new malware fingerprints added in the last 9 months:
- Skimmers: 58%
- Loaders: 12%
- Backdoors/Webshells/File Uploaders: 30%
The Growing Trend Towards Stealthy eCommerce Malware
Interestingly - and unsurprisingly - there is a growing trend towards use of increasingly stealthy tactics to conceal skimmers, such as:
- Malware targeting specific parts of the checkout process - making it very challenging, if not impossible in many cases, to identify with an external scan.
- Skimmer code with "randomisation" added to the mix (i.e. skimmer code that does not launch on every transaction, making it harder to detect).
- Obfuscation/Encryption of files - innocuous and heavily encoded files that look like trusted files.
- Appending malware to trusted files (Google Tag Manager is a popular one) and so on.
We've been observing this "stealth" trend developing for the last 12+ months and, from our perspective, it is a logical evolution for the plethora of more easily detected "Magecart-like-malware" that have been victimising poorly secured websites over the last few years.
While the number of hacked sites with card harvesting malware remains high, these more stealthy approaches provide the criminals with a much longer "dwell time" within the website, enabling the harvesting of significantly more PII/payment data from the website's customers.
How to Defend Against These Attacks
In most cases, the criminals target poorly secured sites - or what is known as the "low hanging fruit" - quick and easy to hack into and plant the skimmer code. The best way to avoid being targeted is to have basic security controls in place:
- Hide your Admin Panel - of the 4,116 Magento (1&2) sites currently hacked and infested with 9,364 different types of malware, over 25% have an exposed Admin panel sitting in the default location. This makes a brute force attack simple to automate for a criminal. If you move the Admin login to a discreet URL - and restrict access to the URL to a limited number of trusted IP addresses - it will be much harder to find and will make breaking into your site a lot more difficult.
- Individual User Accounts - make sure each user has their own account and log access and changes made by each user. If an account gets compromised, being able to identify the changes made is a key step in quickly limiting damage to your business and rolling back the changes to eliminate / "nuke" the malicious code.
- 2 Factor Authentication - each user should have their own set of credentials (username and password) and a 2nd form of authentication - try Google Authenticator, as an example. Simple to implement, low/no cost, yet HIGHLY effective against brute force attacks and credential compromises.
- Update Your Software - when a software solution issues a security patch, the security vulnerability is usually well documented and publicly available. In other words, there is likely to be a well-documented, "paint-by-numbers" guide on how to exploit the vulnerability. This means that if you're slow to apply the patch, you're an easy target and should expect problems.
- Monitor Your Website's Security Posture - use ThreatView to get proactive with your website security - it will tell you where you have potential weaknesses. ThreatView Community is free - you can access it here: www.foregenix.com/threatview. It utilises all of our latest threat detection capability to scan your website externally.
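Several of the stealth tactics described above, such as code appended to a trusted file, change files on the server, so they can also be caught from the inside by comparing files against a known-good baseline. The Python below is an added example (not Foregenix tooling and not code from the original post); the file names and contents are constructed, and the baseline is assumed to come from a clean deployment.

```python
import hashlib
from pathlib import Path

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def load_tree(root, suffixes=(".js", ".php", ".phtml")):
    """Read web-served code files under root into {relative_path: bytes}."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p.read_bytes()
            for p in root.rglob("*") if p.is_file() and p.suffix in suffixes}

def make_baseline(files):
    """Record size and SHA-256 of each file from a known-good deployment."""
    return {path: {"size": len(data), "sha256": digest(data)}
            for path, data in files.items()}

def compare(baseline, current):
    """Return {path: (status, extra_bytes)} for every file that differs."""
    findings = {}
    for path, data in current.items():
        known = baseline.get(path)
        if known is None:
            findings[path] = ("new", data)
        elif digest(data) == known["sha256"]:
            continue
        elif len(data) > known["size"] and digest(data[:known["size"]]) == known["sha256"]:
            # Original bytes intact, extra bytes on the end: the
            # "appended to a trusted file" pattern. Return only the tail.
            findings[path] = ("appended", data[known["size"]:])
        else:
            findings[path] = ("modified", b"")
    for path in baseline.keys() - current.keys():
        findings[path] = ("missing", b"")
    return findings

# Constructed sample data (hypothetical paths, not from any real site).
GOOD = {
    "js/gtm.js": b"(function(w,d){w.dataLayer=w.dataLayer||[];})(window,document);\n",
    "checkout/form.phtml": b"<form id=\"payment\"></form>\n",
}
LIVE = dict(GOOD)
LIVE["js/gtm.js"] = GOOD["js/gtm.js"] + b"/* constructed placeholder for appended code */\n"
LIVE["media/tmp/up.php"] = b"<?php /* constructed placeholder */ ?>\n"

if __name__ == "__main__":
    for path, (status, extra) in sorted(compare(make_baseline(GOOD), LIVE).items()):
        print(f"{status:9} {path} (+{len(extra)} bytes)")
```

Because the baseline stores each file's size as well as its hash, an append is recognised without keeping a copy of the original file, and only the added bytes need to be reviewed.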
The evolution of criminal tactics is inevitable - and we're seeing this in our forensic cases - getting proactive about your website security is not difficult, or expensive, and could make a significant contribution to the success of your business.