The click of death: Why ecommerce must work extra hard to thwart attackers

What’s behind the simple click of a computer mouse for a shopping purchase on a web page? For most, it’s the last step of buying an item and is innocuous enough to do on autopilot. Just buy and forget about it until the item arrives at your front door. But what happens when that final step has something untoward going on in the background that could be hugely damaging to both the consumer and the brand they’re buying from? It’s a risk we must all be aware of and take steps to counter.

Ecommerce is expected to be responsible for $6.5 trillion in sales globally by 2023 – more than double the revenue compared to 2018. But when it comes to online shopping, vendors need to be aware of the security risks posed by supply chain attacks. Of course, these don’t always come from the shopping sites – indeed that’s part of the problem. Even the most watertight ecommerce platforms can be let down by a ‘leaking tap’ elsewhere, whether that’s the logistics, warehousing, or order fulfilment platform that plugs into it.

There are countless potential opportunities for attackers to steal personal details. These details can be sold on for profit, used to commit acts of fraud, or used to purchase items without the consumer’s consent or knowledge. And all of this can be perpetrated on the online shops that consumers trust.

Investigating an attack

Here’s an example I discovered in late 2019. Someone I know received a notification from their credit card company that they were about to process a payment of a substantial amount of money. It wasn’t a sum that my acquaintance was expecting to see on their bill because it wasn’t a payment they had initiated. Thankfully, the transaction hadn’t yet been settled and the person was able to contact their credit card company to stop the transaction going through. The end of the story was that the card was blocked, a replacement card was sent out in the mail, and the potential disaster was averted.

Well, that would have been the end of the story if it hadn’t piqued my curiosity so much as a cybersecurity professional. I wanted to know what happened, why it happened, and uncover any potential trends that could help other people.

After looking back through the online stores the person had shopped with recently, I stumbled across one outlier – a major camera and optics retailer. Our friend had indeed made a legitimate purchase with the site, but just once. They weren’t a regular shopper there. The store is a legitimate, established store in the States, with a high street presence and popular online shop. They weren’t known to us in the cybersecurity community for having been a victim of any recent breaches.

So, I started digging, focusing my attention on the checkout page of the website. Magecart, the umbrella name for the groups that have broken into many high-profile sites by injecting JavaScript that copies every card detail entered at checkout to a command and control (C&C) server under their control, was the obvious suspect, so I wanted to see if this was the case here.

Eventually, I found what I was looking for, and it took little more than a combination of Chrome’s developer tools and Wireshark captures.

Having gone through the network connections, I found that shoppers’ credit card details were being submitted to two different sites. One was the legitimate site of the web store; the other was sinister: a domain mocked up to look like one belonging to the customer service software company Zendesk. It was through this domain that card details were being skimmed and later used without the knowledge of either the customer or the retailer. The C&C domain had been resolved 905 times, so it is possible that there were almost a thousand victims, although a resolution count is only a rough proxy: it counts lookups of the domain, not confirmed checkouts.

Of course, Juniper Threat Labs alerted the site owners to the threat and they quickly removed the malicious code from the site.

Safer shopper

There are several concerns at play here. In addition to potential financial theft, there’s also a reputational risk to bear in mind when thinking about supply chain attacks. Companies of any size can fall victim and the loss of shoppers’ trust because of such attacks could be far reaching. Therefore, it’s in the best interests of a business and its customers to ensure that everyone’s details are kept safe.

Fortunately, it is possible to make these attacks far harder to pull off and to catch them early. The answer lies in ensuring the integrity of the code the site serves. Skimming only works because the attacker gets their JavaScript into the checkout page, either by exploiting a vulnerability on the server or by compromising a third-party library the page loads. If every change to that code is detected and reviewed, the injected script has nowhere to hide.

A useful tool in the arsenal is file hash monitoring. It is a simple measure that could be the saviour of an online retail site because it raises an alarm whenever a served file changes outside a known deployment. One caveat: it only sees files on the server, so scripts pulled at runtime from a third-party origin need their own integrity check, such as Subresource Integrity hashes on the script tags. It is worth investigating and using as a vital layer of protection.

Magecart continues to pose a significant threat to online shopping and, with online shopping so prevalent as Covid-19 forces people to avoid the high street, it could be a major concern for the rest of 2020. However, it isn’t the only way ecommerce sites can be compromised, so the companies creating and operating the sites have to be vigilant in every aspect. Consumers expect their payment details to be kept safe and they put the highest level of trust in the site they shop with every time they hit ‘buy’. By maintaining a high level of security, you are more likely to maintain their trust, which translates to continued loyalty. After all, that loyalty is hard enough to achieve in the first place and even harder to regain.


Contributed by Mounir Hahad, head of threat research labs, Juniper Networks

The post The click of death: Why ecommerce must work extra hard to thwart attackers appeared first on IT Security Guru.