Decoding Magecart/Web Skimming attacks - In the backdrop of COVID-19 Aseem Ahmed - Akamai
Decoding Magecart/Web Skimming attacks
In the backdrop of COVID-19
Aseem Ahmed
Senior Product Manager, Web Security, Asia Pacific
© 2020 Akamai | Confidential

COVID-19 AND THE PERFECT SECURITY STORM
• Phishing
• Remote Work
• Malware
• Web Skimming
Webpages are more complex now
• All contemporary websites run with a constellation of third parties.
• The code that your third-party vendors run on your site is separate from your code and your server.
• This setup creates a large attack surface for your website, which you can’t control or track.
External Code and Known Security Vulnerability
The problem is real and happening now
• Third-party requests average 67% of all requests across all Akamai customers.
• Over 80% of pages contain at least one known third-party library security vulnerability (CVE).
[Chart: Average 3rd-party resources per page]
[Chart: Pages with Vulnerable JS (%), by month; axis from 72% to 84%, callout value 83.2%]
Sources: Security and Frontend Performance, Challenges of Today: Rise of Third Parties; Akamai Technologies and O'Reilly Media, 2017; https://httparchive.org/reports/state-of-the-web#pctVuln
JavaScript Attacks Skim Data From Forms
Many attacks can go undetected for months
• First-Party Attacks: attack first-party scripts located directly on the backend infrastructure. Undetected for 1 week to 1 month.
• Third-Party Attacks: attacks through third-party vendors, the supply chain, and open source libraries. Undetected for 1 month to 6 months.
• E-commerce Platform Attacks: undetected for up to 7 months.
JavaScript Attack Vectors
[Diagram] Trusted Sites: Site Origins; Third party and Supply-chain
• Adversaries compromise JavaScripts: malicious code is injected into trusted sources, either by direct injection via the backend infrastructure or through third-party and supply-chain code.
• Hidden malicious code in interaction: the malicious code executes in the user's browser.
• Credit Card/PII skimmed and sent back to adversaries.
Attack Examples and Targets
Affects all websites with sensitive data
• First-Party Attacks (attack first-party scripts located directly on the backend infrastructure). Example: Magecart attackers were able to hack into the companies’ backend infrastructure and inject malicious code alongside the company’s existing code. Targets: Media; popular streaming service companies lost payment and account info.
• Third-Party Attacks (attacks through third-party vendors, the supply chain, and open source libraries). Example: attackers take advantage of the security weaknesses in third-party client-side code, including JavaScripts and open source libraries. Targets: Travel & Hospitality; multiple airlines and hotel chains lost customer data. Publishing; news sites, eZines, and others lost account info.
• ECommerce Platforms (targets e-commerce platforms). Example: attackers target third-party e-commerce platforms; many popular platforms have been compromised by Magecart attackers. Targets: many retail, consumer, and event ticketing sites were attacked.
Pipka Attack Example
Targets eCommerce sites to skim credit card information
○ Content is hidden via encoding and encryption
○ Exfiltration to a hacker-controlled website using an HTML image source tag request
○ Self-deleting after theft
Hard to detect
Fake Payment Form
Payment Forms
○ Internally developed
○ External payment service providers (PSPs)
Payment forms are protected by
○ Redirecting to a PSP
○ Placing sensitive areas of the website in an iframe
○ CSPs
Attackers overlay or replace the iframe and collect sensitive data
Measures for script protection
Content Security Policies (CSP)
• When trusted parties get compromised and become the attack vector, CSPs can’t detect or monitor it.
• CSPs are hard to implement and maintain, and if too tight can lead to a lot of false positives.
• In the real world, teams are asked to whitelist assets coming from common cloud storage and open source projects, which can leave the site vulnerable.
When CSPs whitelist common cloud storage as trusted origins, it can lead to vulnerabilities.
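To make the cloud-storage whitelisting point concrete, here is an added example (not from the deck and not Akamai's code): a simplified matcher for one CSP source list, showing that a policy naming a shared storage host admits any tenant on that host, while pinning the tenant path does not. The host cdn.blobstore.example, the tenant path /acme-assets/ and both policies are constructed.

```javascript
// Added example (not Akamai's code): a simplified matcher for one CSP source
// list, to show why allowlisting a shared cloud-storage host is weaker than
// pinning the exact tenant path. Handles scheme, host (with a leading "*."
// wildcard) and path matching only; 'self', nonces, hashes and
// 'strict-dynamic' are out of scope and treated as non-matching.

function parseSource(expr) {
  if (expr === '*') return { scheme: null, host: '*', path: '' };
  if (expr.startsWith("'")) return null;           // keyword source: not handled here
  const m = /^(?:(https?):\/\/)?(\*\.[^/]+|[^/*]+)(\/.*)?$/.exec(expr);
  if (!m) return null;
  return { scheme: m[1] || null, host: m[2].toLowerCase(), path: m[3] || '' };
}

function hostMatches(pattern, host) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) {                  // "*.blobstore.example" matches subdomains only
    const suffix = pattern.slice(1);
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

function pathMatches(pattern, path) {
  if (pattern === '') return true;                 // no path given: the whole host is allowed
  if (pattern.endsWith('/')) return path.startsWith(pattern); // trailing slash: prefix match
  return pattern === path;                         // otherwise exact match
}

function sourceAllows(expr, url) {
  const src = parseSource(expr);
  if (!src) return false;
  const u = new URL(url);
  const scheme = u.protocol.slice(0, -1);
  // CSP lets an http: source match https: requests, never the reverse.
  if (src.scheme && src.scheme !== scheme && !(src.scheme === 'http' && scheme === 'https')) return false;
  return hostMatches(src.host, u.hostname.toLowerCase()) && pathMatches(src.path, u.pathname);
}

// Would a directive such as img-src or connect-src with this source list let `url` through?
function directiveAllows(sourceList, url) {
  return sourceList.trim().split(/\s+/).some(expr => sourceAllows(expr, url));
}

// Constructed policies: both name the same shared storage host; only the second pins the tenant path.
const WEAK_IMG_SRC = "'self' https://cdn.blobstore.example";
const STRICT_IMG_SRC = "'self' https://cdn.blobstore.example/acme-assets/";
```

Real browsers ignore the path part of a source expression once the request has been redirected, so even the stricter policy depends on the storage host not redirecting across tenants. That is one reason the deck calls CSPs hard to get right.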
Measures for script protection
Static Scanners
• Static scanners do not monitor all real-user sessions and do not detect vulnerabilities in real time.
• Malicious code can be invisible to many synthetic site scanners by mimicking anti-bot techniques.
• Code obfuscation techniques can mask attacks from scanners.
• In one such Magecart attack, the script placed on the final checkout page skimmed personal credit card info from unsuspecting customers. The hackers modified the JavaScript so that it only ran following the user's ‘mouseup’ or ‘touchend’ interaction. The stolen data was then transferred to a server with a similar domain name and an HTTPS certificate that the hackers had set up in advance.
[Screenshot: The Malicious Code Used in one such Hack]
Why Page Integrity Manager Now?
3.7M Web-Skimming Attacks Yearly
4,800 Websites compromised monthly
78% 2018 Supply Chain Attacks
Stealing sensitive customer data is not new but…
• Hackers have developed new techniques to compromise browsers, hiding malicious code in scripts
• Security teams can't test for these attacks and can't see them
• Restricting script use will impact business agility and user experience
• New security controls are needed to counteract this problem
Source: Symantec 2019 Internet Security Threat Report
Page Integrity Manager is Different
• Protection from hidden malicious code
• Visibility into script attacks
• Simple deployment, administration and real-time alerting
Demo Attack Test Site
Forms Test Site attacked with malicious JS code
○ Fully functional eCommerce checkout page form
○ Used white-listed domain (demo asset)
[Screenshot: Malicious JS code]
Web Skimming Attack Results
Immediate Visibility, Detection, Assessment
• Suspicious behavior immediately detected
• Destination not blacklisted
• No manual intervention
• Behavior detection model set a critical risk score
[Screenshot: High Risk Score; Credit Card info taken]
Page Integrity Manager - High Level Features
• Behavioral detection technology: instruments real-user sessions to monitor script behavior in real time, including the source, execution behavior, and any outgoing network destinations.
• Policy management: govern script behavior and control runtime JavaScript execution by creating Script Behavior Policies.
• Prioritized real-time alerting: behavioral heuristics assign risk scores for every script. Real-time alerting prioritizes the highest-risk events with the detailed information needed to mitigate.
• Vulnerability detection: continuously analyze URLs for CVEs to identify risky script sources. Malicious script behavior can be blocked outright with a single button.
• Intuitive dashboards and reports: configurable dashboards provide an intuitive view into every script running on your web pages, giving security teams details at a glance. Reports show incident, policy violation, and CVE match summaries.
• Flexible deployment options: offers both edge and origin injection deployment models to protect every website, including those not on the Akamai platform, and requires no application changes.
[Screenshot: High Risk Score; Credit Card info taken]
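As an added illustration of the behavioral risk scoring described on this slide, applied to the kind of checkout-page skimmer described on the Static Scanners slide (a third-party script that reads card fields on ‘mouseup’ and sends them to a look-alike domain via an image request), here is example code that is not Akamai's Page Integrity Manager. The site host, allowlist, rule weights, threshold and the three session events are all constructed.

```javascript
// Added example (not Akamai's code): a small behavioral scorer over
// constructed script-behavior events, in the spirit of the heuristics the
// slides describe (what a script reads, what triggers it, where it sends
// data). Weights, threshold, hosts and events are all illustrative.

const SITE_HOST = 'shop.example';                                   // constructed first-party host
const ALLOWED_DESTINATIONS = new Set(['shop.example', 'psp.example', 'cdn.widgets.example']); // constructed
const PAYMENT_FIELDS = new Set(['cardNumber', 'cvv', 'expiry']);

const hostOf = url => new URL(url).hostname;
const unlisted = e => Boolean(e.destination) && !ALLOWED_DESTINATIONS.has(hostOf(e.destination));

// Each rule is one behavioral signal; none needs a blocklist, so a fresh
// look-alike domain is still flagged even though it is "not blacklisted".
const RULES = [
  { name: 'third-party script source', weight: 1, test: e => hostOf(e.scriptUrl) !== SITE_HOST },
  { name: 'reads payment form fields', weight: 2, test: e => e.fieldsRead.some(f => PAYMENT_FIELDS.has(f)) },
  { name: 'fires on mouseup/touchend', weight: 1, test: e => ['mouseup', 'touchend'].includes(e.trigger) },
  { name: 'destination not on allowlist', weight: 3, test: unlisted },
  { name: 'image request to unlisted host', weight: 2, test: e => e.channel === 'img' && unlisted(e) },
];

function scoreEvent(e) {
  const matched = RULES.filter(r => r.test(e));
  const score = matched.reduce((sum, r) => sum + r.weight, 0);
  const level = score >= 8 ? 'critical' : score >= 4 ? 'high' : 'low';
  return { script: e.scriptUrl, score, level, reasons: matched.map(r => r.name) };
}

// Highest-risk events first, which is what a real-time alert queue would surface.
function prioritize(events) {
  return events.map(scoreEvent).sort((a, b) => b.score - a.score);
}

// Constructed events from one checkout session: the PSP's own script, a chat
// widget's heartbeat, and a skimmer hiding in that same widget.
const EVENTS = [
  { scriptUrl: 'https://psp.example/checkout.js', trigger: 'submit',
    fieldsRead: ['cardNumber', 'cvv', 'expiry'], channel: 'xhr', destination: 'https://psp.example/tokenize' },
  { scriptUrl: 'https://cdn.widgets.example/chat.js', trigger: 'load',
    fieldsRead: [], channel: 'xhr', destination: 'https://cdn.widgets.example/ping' },
  { scriptUrl: 'https://cdn.widgets.example/chat.js', trigger: 'mouseup',
    fieldsRead: ['cardNumber', 'cvv', 'expiry'], channel: 'img', destination: 'https://shop-example.net/p.gif' },
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(prioritize(EVENTS));   // skimmer event ranks first with level "critical"
}
```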
Next Steps
• Analyze your third-party script composition and landscape
• Evaluate your current security strategy and practices to handle script attacks
• Contact Akamai to request a report of your script risk posture and get instant visibility

THANK YOU