Saturday, December 7, 2019

Trend Micro reveals that Magecart group sets sights on Smith & Wesson, other high-profile stores

Trend Micro announced this week that the infamous credit card-skimming group Magecart has struck again. After incidents in the past few months that saw the threat actor go after customers of online shops and hotel chains, the group has set its sights on a new set of targets: high-profile stores, including firearms vendor Smith & Wesson (S&W).


According to security researcher Willem de Groot of Sanguine Security, threat actors took advantage of the Black Friday rush by injecting credit card skimmers into the sites of a number of high-profile stores such as S&W. The group behind the attack injected the skimmer into S&W’s website on Nov. 27 — a couple of days before Black Friday, most likely in anticipation of the high volume of traffic going to the website. Note that the skimmer had been removed from the S&W store as of the time of writing.

The skimmer features an impressive list of capabilities, such as anti-reverse-engineering measures, a three-stage loader, and multiple layers of JavaScript obfuscation to hide its tracks. When a user visits the compromised website, the command-and-control (C&C) server initially sends harmless code — up until the actual payment process, when the skimmer begins its malicious routine.


To make the skimming attack look more legitimate, a fake payment confirmation code is presented to the user. Behind the scenes, however, malicious code is already running, sneakily exfiltrating customer data such as payment information to the C&C server.

Sanguine Security notes that these attacks only worked for users who met various criteria, including using U.S.-based IP addresses, using non-Linux-based browsers, and not using the AWS platform.

The rise of Magecart highlights the need for vendors and other organizations to properly secure their websites and applications. Data theft via an attack such as those regularly performed by Magecart can mean monetary losses, not only for customers but also for the company whose website or application was compromised, especially given the potentially steep fines meted out to violators of data privacy laws such as the General Data Protection Regulation (GDPR).


Organizations can minimize the chances of compromise by consistently applying the newest patches and updates to the software they use and by shoring up the authentication mechanisms provided to customers. Furthermore, it is recommended that IT and security teams proactively monitor their websites for any sign of malicious activities, such as unauthorized access or data exfiltration.
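One concrete form of the proactive monitoring recommended above is a script inventory check: record the external script hosts and inline script hashes that a checkout page is supposed to carry, then re-fetch the page on a schedule and flag anything that was not in the baseline, which is exactly what an injected skimmer loader looks like from the outside. The following Python script is an added example written for this post; it is not Trend Micro's or Sanguine Security's tooling. The HTML pages, the `shop.example` first-party host and the `cdn.skimmer-placeholder.example` domain are constructed sample values, not indicators from the incident.

```python
"""
Script-inventory monitor for a checkout page (added example, stdlib only).

Baseline: the set of SHA-256 hashes of inline <script> bodies on the known-good
page plus an allowlist of hosts that may serve external scripts.
Audit: parse a freshly fetched copy of the page and report any external script
from a host outside the allowlist and any inline script whose hash is unknown.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.external = []      # values of src="" attributes
        self.inline = []        # bodies of <script> tags without src
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_inline = True
                self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers <script> content through handle_data
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self._in_inline = False
            self.inline.append("".join(self._buf))


def sha256_text(text):
    return hashlib.sha256(text.strip().encode("utf-8")).hexdigest()


def collect_scripts(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.external, parser.inline


def baseline_inline_hashes(known_good_html):
    """Hashes of every inline script on the known-good page."""
    _, inline = collect_scripts(known_good_html)
    return {sha256_text(body) for body in inline}


def audit_page(html, allowed_hosts, inline_baseline):
    """Return a list of (finding, detail) tuples; empty list means no drift."""
    external, inline = collect_scripts(html)
    findings = []
    for src in external:
        host = urlparse(src).netloc.lower()
        # Relative src (empty host) is first-party; anything else must be allowlisted
        if host and host not in allowed_hosts:
            findings.append(("unexpected-external-script", src))
    for body in inline:
        digest = sha256_text(body)
        if digest not in inline_baseline:
            findings.append(("unknown-inline-script", digest))
    return findings


# --- constructed sample data (hypothetical shop, hypothetical injected host) ---
ALLOWED_HOSTS = {"shop.example"}

BASELINE_HTML = """<html><head>
<script src="https://shop.example/static/checkout.js"></script>
<script>window.checkout = {step: "payment"};</script>
</head><body><form id="payment"></form></body></html>"""

# Same page with one injected third-party loader, as a skimmer infection would appear
COMPROMISED_HTML = BASELINE_HTML.replace(
    "</head>",
    '<script src="https://cdn.skimmer-placeholder.example/loader.js"></script></head>',
)


if __name__ == "__main__":
    baseline = baseline_inline_hashes(BASELINE_HTML)
    for label, page in (("baseline", BASELINE_HTML), ("compromised", COMPROMISED_HTML)):
        print(label, audit_page(page, ALLOWED_HOSTS, baseline) or "clean")
```

Run against a real site, the baseline must be captured from a copy you have reviewed, and the audit should be repeated from networks and browsers that differ from the operator's own, since, as the post notes, this skimmer only activated for visitors matching particular geography, platform and hosting criteria.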
