Skimmers, Infostealers Targeting E-Commerce

Scams

June 15, 2024

A growing number of cyberattacks have been discovered targeting retailers and online consumers as summer sales heat up. Though the holiday season remains the most profitable time for retailers, sale events are often launched in the slower summer months to increase revenue. Consumers often take advantage of these summer sale events, including semi-annual sales; Independence, Memorial, and Labor Day sales; Father’s Day and graduation gifts; back-to-school sales; and Christmas in July sales. Akamai researchers identified a new, large-scale, Magecart-style web skimming campaign designed to steal personally identifiable information (PII) and credit card information from e-commerce websites. Distinct from traditional Magecart campaigns, however, this campaign uses new techniques to hijack legitimate commerce websites so that they serve as improvised command-and-control (C2) servers, using the host victim’s website to further facilitate malicious code distribution.

Cybercriminals use various evasion techniques during the campaign, masking the attack to resemble popular third-party services and allowing it to go undetected for over a month. This attack may potentially exploit known vulnerabilities found in websites’ digital commerce platforms such as Magento, WooCommerce, WordPress, and Shopify, or in vulnerable third-party services used by the website. Because the skimmer executes on the client side, in the shopper’s browser, these attacks cannot be detected by popular web security methods such as web application firewalls (WAFs), which prolongs the attack. This may result in tens of thousands of victims and damage the reputations of victimized organizations. Additionally, consumers’ PII and credit card information are at risk of being stolen or further sold on dark web forums.

Threat actors are also targeting online sellers in a new phishing campaign to distribute Vidar information-stealing (infostealer) malware. They impersonate a customer of an online retailer, claiming that they were charged a large dollar amount after an alleged order did not go through. These complaints are sent to online store administrators via email or website contact forms and contain a link to a fake Google Drive page that prompts the user to download a malware-laden PDF file. Threat actors target online sellers to steal admin credentials in order to gain access to e-commerce websites and facilitate further cyberattacks.

Infostealers are remote access trojans (RATs) designed to gather information from a system. Infostealers gather login information, like usernames and passwords, and are frequently used to further facilitate ransomware attacks. The NJCCIC and other cybersecurity firms have indicated a steady increase in attempts to distribute infostealers, such as Redline Stealer, Vidar, and Raccoon Stealer. Vidar is capable of stealing browser cookies, browser history, saved passwords, cryptocurrency wallets, text files, Authy 2FA databases, and capturing screenshots of the active Windows screen. Redline Stealer is a powerful data collection tool, capable of extracting login credentials from a wide range of sources, including web browsers, FTP clients, email applications, Steam, instant messaging clients, and VPNs. Raccoon Stealer steals personal information, including email addresses, identification numbers, bank account information, and cryptocurrency information. Cybercriminals can use this stolen information to commit identity theft, financial fraud, and other crimes.

The NJCCIC recommends online retail customers minimize their risk of data exposure by using electronic payment methods, virtual cards, or setting charge limits on their credit cards. Online customers are encouraged to use credit cards over debit cards when shopping online, as they often have better consumer fraud protections. Additionally, many financial institutions offer payment charge notifications for every transaction that occurs on an account. Enabling these notifications makes it more likely that a customer will notice a fraudulent transaction as soon as it occurs and can notify their bank. If a customer discovers fraudulent activity on their account, they should lock the affected card if this option is available, notify the banking institution immediately, and request a new payment card.

Furthermore, we advise merchants to conduct thorough security due diligence reviews of third-party services and resources. To protect websites against Magecart attacks, website administrators should, by default, block scripts’ access to sensitive information entered into web forms and to stored cookies. Only vetted scripts developed in-house should have access to sensitive data. Security practitioners are advised to consider using tools and technologies that provide behavioral and anomaly detection of in-browser activity. In addition, establish good patch management, enable multi-factor authentication (MFA) on all administrative accounts at a minimum, and implement a WAF. Additional details can be found in the Akamai Security Report and the BleepingComputer article.
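One way to put the "only vetted scripts may read sensitive form data" recommendation into practice, as an added example that is not NJCCIC or Akamai code: a guard that wraps the `value` getter of inputs marked `data-sensitive`, inspects the script origins on the calling stack, and denies and reports any read that involves a script outside a first-party allowlist. The allowlist origins and the sample stack traces are constructed for the example.

```javascript
// Added example: client-side guard for sensitive checkout fields (constructed origins).
const ALLOWED_SCRIPT_ORIGINS = new Set([
  "https://shop.example",        // constructed: first-party origin
  "https://static.shop.example", // constructed: first-party asset host
]);

// Extract the origin (scheme + host[:port]) of every script frame in a stack trace.
// Handles V8 "at fn (https://h/p.js:1:2)" and SpiderMonkey "fn@https://h/p.js:1:2".
function scriptOriginsFromStack(stack) {
  const origins = new Set();
  const re = /(https?:\/\/[^\s/):]+(?::\d+)?)\/[^\s):]*:\d+:\d+/g;
  let m;
  while ((m = re.exec(stack || "")) !== null) origins.add(m[1]);
  return origins;
}

// Every frame must belong to an allowlisted origin: one foreign frame (an injected
// skimmer calling through first-party code) is enough to deny the read.
function accessDecision(stack, allowlist = ALLOWED_SCRIPT_ORIGINS) {
  const foreign = [...scriptOriginsFromStack(stack)].filter((o) => !allowlist.has(o));
  return { allowed: foreign.length === 0, foreign };
}

// Browser-only: replace the `value` getter of <input data-sensitive> elements so each
// read is checked against the calling scripts. Returns false where there is no DOM.
function installSensitiveFieldGuard(report = console.warn) {
  if (typeof HTMLInputElement === "undefined") return false; // no DOM (e.g. Node)
  const proto = HTMLInputElement.prototype;
  const desc = Object.getOwnPropertyDescriptor(proto, "value");
  Object.defineProperty(proto, "value", {
    configurable: true, set: desc.set,
    get() {
      if (this.dataset && "sensitive" in this.dataset) {
        const { allowed, foreign } = accessDecision(new Error().stack);
        if (!allowed) { report(`field "${this.name}" read via ${foreign.join(", ")}`); return ""; }
      }
      return desc.get.call(this); // vetted caller: normal read
    },
  });
  return true;
}

// Constructed stack traces standing in for what new Error().stack holds in a browser.
const CLEAN_STACK = [
  "    at get value (https://shop.example/js/guard.js:20:30)",
  "    at submitOrder (https://static.shop.example/app.js:88:17)",
].join("\n");
const SKIMMED_STACK = CLEAN_STACK +
  "\n    at harvest (https://cdn.analytics-widget.example/track.js:1:1234)";
```

Stored cookies are kept away from scripts server-side with the `HttpOnly` attribute, which this guard does not cover. A skimmer running in the same page can also redefine the getter itself, so treat the guard as a detection signal to feed into monitoring rather than as a hard security boundary.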