Article contributed by members of Cyderes’ Special Operations team, Matt H., Jatinder S., Israel P., and Shelby K.
Nearly 13% of all retail sales in the United States occur between Black Friday and Christmas, generating an estimated $30 billion in sales – and roughly two-thirds of these sales occur on Black Friday and Cyber Monday alone.
Although cyber week sales generate huge profits for many retailers and ecommerce businesses, this period is also a prime target for hackers looking to capitalize on this surge in online shopping. Cyber threats increase nearly 50% during this period, making online retailers more susceptible to security threats like digital skimming, MageCart, ransomware, and more.
Read below for insights on the types of cyber threats that often increase around the holiday, along with defensive recommendations for keeping your enterprise protected from these attacks.
Digital skimming, also known as web skimming, occurs when a threat actor injects malicious code into an ecommerce website. This code is used to extract payment information from unsuspecting visitors and silently relay relevant payment information to adversary-controlled infrastructure. The stolen credit card information is typically sold via underground and/or dark-web marketplaces or used to fund other malicious activities.
As shopping continues to move to online platforms, there have been increasing levels of digital skimming attacks of lower sophistication due to the proliferation of easy to use, commodity “skimming kits” and “Skimming-as-a-Service” hacking services, which have become readily available for cheap purchase within online hacking communities.
Analysis of adversary behavior related to digital skimming-based campaigns continues to demonstrate that “MageCart” attacks – the umbrella term for sophisticated adversaries focusing on this method of financially motivated cybercrime, consisting of at least a dozen or more separate threat actors – remains a persistent threat to owners of commerce web applications. In 2021 alone, MageCart infections were responsible for the loss of approximately 96 million cards across over 8500 organizations[1], demonstrating how impactful attack this attack methodology is against ecommerce targets. To date, there have been upwards of tens of thousands of organizations which have fallen victim to MageCart attacks on their platforms.
MageCart groups have even further contributed to the advancement of the global digital skimming threat landscape by providing the tools used during their attacks for direct sale, or as a service to be used against desired targets for a price. The Inter skimming kit created by MageCart developers is one such example. Inter has been notoriously associated with facilitating a relatively “low bar of entry” for would-be threat actors[2]. MageCart has made the tool available for purchase by other threat actors since at least 2018. Inter customers can either acquire Inter for $1300 or enter a 30/70 profit-sharing arrangement with the creators of the tool. And, in fall of 2022, MageCart operators have begun selling another MageCart exploit kit, TrojanOrders.
In late January 2022, a surge of MageCart-style breaches occurred against organizations running Magento 1 ecommerce platform occurred. Despite Magento 1 reaching end of life as of June 30, 2020, over 500 web stores that were still running the platform were compromised by a singular threat group.
By combining a SQL Injection and a PHP Object Injection, the adversaries abused a “[known vulnerability] in the QuickView Magento plugin…to run [adversary crafted code directly on the [Magento] server” (T1190 – Exploit Public-Facing Application)[10], [11]. With these privileges, the attackers added a validation rule which tricks the host application into crafting a malicious object, containing “a simple [eval-based] backdoor” to inject its code into the Zend_Memory_Manager and Zend_CodeGenerator_Php_File Objects[10]. The exploit is then triggered by any user browsing the new-user sign-up page of the impacted Magento server. After the exploit is triggered, the adversaries added code which displays a fake payment popup that POSTs the entered credit card data to a singular adversary-controlled domain: naturalfreshmall[.]com[10].
Then, by mid-February, Adobe published APSB22-12, an out-of-band emergency Security Bulletin for Magento 2[12]. Adobe announced the existence of exploited-in-the-wild vulnerabilities (CVE-2022-24086, CVE-2022-24087) existing within the Magento 2 Open Source and Adobe Commerce platforms and provided their security updates. The vulnerabilities have a CVSS base score of 9.8 and a CVSS3.1 String of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H[12]:
Systems impacted by the vulnerability contain software components with insufficient input validation mechanisms (CWE-20)[13]. If exploited, the vulnerabilities enable an unauthenticated, remotely-located actor to execute arbitrary commands on a vulnerable web server (T1190 – Exploit Public-Facing Application). By September 2022, at least three separate attack methodologies weaponizing these vulnerabilities had been identified in a “surge of Magento 2 template attacks” on unpatched Magento 2 servers[14].
In the first method, an adversary creates a new customer account with the first and last name fields consisting of encoded adversary-crafted code. Then, when the adversary goes to the checkout page to finalize an order, a new table record is created containing the injected code. This code subsequently runs Linux terminal commands directly on the impacted server that downloads and executes a Linux-specific Remote Access Trojan (RAT) from adversary-controlled infrastructure. Then, the RAT intermittently polls remote adversary-controlled domains for commands (T1140 – Deobfuscate/Decode Files or Information, T1105 – Ingress Tool Transfer)[14], [15].
The second method is a slight variant of the first method, wherein threat actors inserted malicious code into the VAT field of an adversary-created order instead of the first and last name fields. After submitting the order, another “eval-based backdoor” is deployed onto the impacted server, this time into /pub/media/health_check.php/. And, in the final method, the threat actors injected their code into: generated/code/Magento/Framework/App/FrontController/Interceptor.php, which is used to deploy the eval-based shell[14].
As of November 2022, it was observed that at least seven MageCart groups are actively exploiting CVE-2022-24086, and an exploit is being sold under the name of “TrojanOrders” for sale by adversaries on underground hacking forums[16]. This increase in MageCart style attacks at this time may strongly be correlated with the increased volume of online shopping occurring during the holiday season.
For more cybersecurity tips, follow Cyderes on LinkedIn and Twitter.
Enterprise security teams are adapting to meet evolving business needs. With six global Security Operations Centers, emerging technology partners and a dedicated team of security specialists, Cyderes is well-positioned to be your organization’s trusted advisor in cybersecurity. We’ll help you understand your risk exposure, increase your visibility and ROI, and proactively hunt for the latest threats.