Based in Silicon Valley, California, Security Brief is a blog by Chris Louie. His posts discuss current information security affairs.

No Honor Among Thieves: Card Skimming Gangs Turn on Each Other

As a callback to my blog about IoT malware authors turning on each other to compete for computing resources, this hilarious trend is also making its way into the credit card skimming underworld.  Bone broth and neck thickening cream connoisseurs were disappointed to learn that Alex Jones’ InfoWars.com website had Magecart credit card stealing malware embedded in it.  Similar effects were felt at high-profile targets such as British Airways (BA) and Ticketmaster, where 380,000 and 40,000 customers respectively, trying to buy airline tickets or concert tickets, had their payment details stolen.  Although just a fraction of the victims of the high-profile Target and Home Depot credit card breaches, the Magecart malware remained undetected for weeks despite all of the security controls in place at BA and Ticketmaster.  Did these companies not learn from those earlier attack campaigns?  That raises the question: what, and who, is Magecart?

To take a step back, credit and debit card data is traditionally stolen by physical devices attached to Automatic Teller Machines (ATMs), gas pumps, and Point of Sale (POS) devices.  These devices are placed over the actual credit card reader and capture the payment card details when a customer inserts his or her card into the legitimate reader.  (Security pro tip: pull hard on the card reader at an ATM or gas pump.  You may look dumb if you’re wrong, but card skimming devices are often not physically secured well and you may find one in the wild.)  This data is monetized by selling credit card numbers in bulk on underground websites (often only accessible through Tor, to protect anonymity) called carding forums.  One such famous carding forum, ShadowCrew, created by infamous hacker Albert Gonzalez of TJX and Heartland Payment Systems breach fame, featured seller accounts, review capabilities, and how-to tutorials.  A seller’s reputation and sales depend on providing high quality stolen data with a low number of invalid cards.  If too many purchased cards are invalid, incomplete, or already cancelled, buyers will leave negative feedback and that seller’s sales will drop.

An ATM skimmer with a fake card reader over the real card reader

The entire front face of this POS terminal is replicated to steal data from the magnetic stripe as well as the PIN from the keypad

The most outrageous example: the full front face of an ATM is replicated and installed to steal card and PIN information

Magecart is a hacking group responsible for creating a digital version of these traditional payment card skimmers.  Magecart attacks have been around for at least three years, but have only recently gained notoriety.  Malicious JavaScript embedded in BA’s, Ticketmaster’s, and InfoWars’ websites, or in those of their third-party affiliates, caused a copy of the customer’s payment details to be sent to a rogue server before the details were sent to the legitimate web server to complete the purchase.  Illicit access to the website’s administrative control panel, or to the e-commerce platform itself, is often obtained through brute force techniques, social engineering, zero-day exploits, or classic phishing attacks.  Once the site is compromised, the malicious JavaScript is inserted and the attackers sit back, relax, and watch the payment card data roll into their server.  In the case of the highly targeted attack against British Airways, the attackers registered the domain baways[.]com to act as command and control and to receive the stolen payment card details.  The attackers even purchased a Comodo SSL certificate for their website instead of using a free one from Let’s Encrypt, to make the server appear more legitimate.  Compromised websites were previously used to spread cryptomining malware (cryptojacking), but with the recent drop in cryptocurrency prices, traditional carding has again become more attractive.

Website baways is classified as a malicious URL by Zscaler’s URL categorization service.

Payment card theft, like compromising insecure IoT devices, is a zero-sum game.  If Group A compromises Acme Corporation’s website to steal payment card details from its customers, Group B compromising Acme’s website will get the exact same payment card information as Group A.  When either group tries to monetize those numbers by selling them on carding forums, the stolen cards will be worth significantly less, since there will be duplicates on the market and the cards have a higher chance of being discovered and cancelled.  It is therefore in a group’s interest to lock rival groups out of a compromised site, so that the data it exfiltrates stays exclusive and keeps its value.

Groups competing for the same data

In a sure sign that Magecart attacks are gaining maturity, hacker groups are now targeting each other and sabotaging rival groups’ code. With card skimming code (now commonly known as Magecart malware) widely available and skimming-as-a-service popping up, it is inevitable that the card skimming space will soon become crowded.  One Magecart group kept a rival group’s skimming code intact, but hilariously altered the rival’s malicious JavaScript to randomly generate the last digit of the payment card number before sending it to the collection server.  Deleting or blocking the rival group’s code would immediately tip them off that something was wrong.  By poisoning the data instead of deleting it, the unsuspecting “victim” group would still receive payment card numbers, but about 90% of them would be invalid, angering buyers and destroying the group’s reputation on underground carding forums.  Once notified, the victim group could fix its code and kick out the other gang, or simply perform a Luhn check on the payment card data.
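An added example (not code from the original post) showing why randomizing the final digit produces roughly nine invalid numbers in ten: the Luhn check applied to every possible last digit, plus the same check used the way a DLP or proxy rule would use it, to flag Luhn-valid card numbers in an outbound request body. The card numbers and request body below are constructed test values, not real data.

```python
import re
from typing import List

# Constructed sample PANs (industry test numbers, not real cards).
SAMPLE_PANS = ["4111111111111111", "5555555555554444", "378282246310005"]


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 2:
        return False
    total = 0
    # Walk right to left; double every second digit starting with the one
    # left of the check digit, subtracting 9 when the product exceeds 9.
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def count_valid_last_digit_variants(pan: str) -> int:
    """Number of the 10 possible final digits that make `pan` pass Luhn.
    Exactly one does, so a skimmer whose last digit is randomized delivers
    roughly 90% invalid numbers, the figure quoted in the post."""
    body = pan[:-1]
    return sum(luhn_valid(body + str(d)) for d in range(10))


PAN_RE = re.compile(r"\b\d{13,19}\b")


def find_luhn_valid_pans(payload: str) -> List[str]:
    """DLP-style check over an outbound request body: extract digit runs of
    card-number length and keep only those that pass Luhn, which is what a
    proxy rule would treat as a probable card number leaving the site."""
    return [m for m in PAN_RE.findall(payload) if luhn_valid(m)]


# Constructed exfil body in the style of a skimmer POST (fake values only).
SAMPLE_BODY = ("cc=4111111111111111&exp=1226&cvv=123"
               "&order=123456789012345&cc2=4111111111111112")

if __name__ == "__main__":
    for pan in SAMPLE_PANS:
        print(pan, luhn_valid(pan), count_valid_last_digit_variants(pan))
    print(find_luhn_valid_pans(SAMPLE_BODY))
```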

In the spirit that attacks never get worse, they only get better, Magecart and digital card skimming software will continue to proliferate and become more sophisticated.  With the drop in cryptocurrency prices undermining the economics of cryptojacking, hacking groups are turning their attention to other low hanging fruit such as digital card skimming.  Easy access to the malicious code only exacerbates the problem.  According to Fortune, US Black Friday 2018 e-commerce sales jumped 23.6% compared to 2017, making digital card skimming a target rich environment with an increasing total addressable market.  Of note, almost 30% of US Black Friday 2018 sales were made from smartphones, which typically lack the security controls found on laptop and desktop PCs.

While from a security research perspective it is hilarious to watch the drama unfold as rival hacker groups compete with each other, we cannot simply “Give ’em guns, step back, watch ’em kill each other”, as famous lyricist Tupac Shakur once opined.  Innocent customers are getting caught in the crossfire, and at the end of the day someone’s payment card details are being stolen and sold.  In 2016, identity theft and credit card fraud cost consumers, banks, insurers, and merchants over $16 billion in the US alone. Until companies are held more accountable for protecting their customers’ data by securing their own systems and those of the third parties they rely on, it’s up to the customers to keep their data safe.

A sad but true headline: nothing of serious consequence happened to any insiders at Equifax after the worst breach in history

Thankfully, there is a measure consumers can take to protect themselves against malicious JavaScript hiding in normally reputable websites such as British Airways, Ticketmaster, and InfoWars.  Security products that rely solely on DNS filtering, or that whitelist reputable websites for performance reasons, are inadequate to block these digital card skimming attacks.  A full web security proxy with SSL inspection is required to scan every element on a web page and every byte of data to ensure no malicious JavaScript is being invoked.  If a compromised payment website attempts to connect to a command and control server, a web proxy will be able to detect and block that as well, whereas malware communicating with a command and control server by IP address instead of hostname will bypass any DNS-based security control.  The Sarbanes-Oxley Act gives the US government power to jail a CFO if systemic accounting irregularities occur under his or her watch.  Until we get a cybersecurity equivalent where executives responsible for lax security are put in handcuffs, expect the digital card skimming problem to get much worse.
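An added example (not code from the original post) of the detection logic a web proxy can apply that a DNS-only control cannot: it reads constructed proxy log lines and flags POST requests issued from a checkout page to a destination that is a raw IP literal or is not on the merchant’s allowlist of expected payment hosts. All hostnames, addresses and the allowlist are placeholders; “baways.test” stands in for the look-alike domain the post describes.

```python
import ipaddress
import re

# Hosts a checkout page is expected to send card data to (constructed allowlist).
ALLOWED_HOSTS = {"www.example-airline.test", "payments.example-psp.test"}

# Constructed proxy log lines: client, method, URL, referer (placeholder values).
SAMPLE_LOG = """\
10.0.0.5 GET https://www.example-airline.test/checkout -
10.0.0.5 POST https://payments.example-psp.test/authorize https://www.example-airline.test/checkout
10.0.0.5 POST https://203.0.113.7/collect https://www.example-airline.test/checkout
10.0.0.5 POST https://baways.test/gateway/app https://www.example-airline.test/checkout
10.0.0.9 GET https://cdn.example-airline.test/app.js https://www.example-airline.test/checkout
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def host_of(url: str) -> str:
    """Strip scheme, path and port from a URL, leaving the host."""
    return re.sub(r"^https?://", "", url).split("/")[0].split(":")[0]


def is_ip_literal(host: str) -> bool:
    """True when the destination is a raw IP rather than a hostname, the case
    the post notes slips past DNS-only security controls."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def flag_suspicious(log: str) -> list:
    """Return (client, host, reason) for every POST issued from the checkout
    page to a destination that is an IP literal or not on the allowlist."""
    findings = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, method, url, referer = m.groups()
        if method != "POST" or not referer.endswith("/checkout"):
            continue
        host = host_of(url)
        if is_ip_literal(host):
            findings.append((client, host, "ip-literal destination"))
        elif host not in ALLOWED_HOSTS:
            findings.append((client, host, "host not in checkout allowlist"))
    return findings
```

Run `flag_suspicious(SAMPLE_LOG)` to see the two offending POSTs; the legitimate payment processor call and the script fetch are left alone.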

Security proxies can block Cross-Site Scripting (XSS) and malicious JavaScript
