Defending Your Online Presence: Holiday Brand Impersonation and Web Skimming
Background
During the holiday season, deceptive websites surge, with nearly 78% of individuals encountering brand impersonation scams as threat actors imitate legitimate sites to deceive users. These fraudulent sites mimic banks, eCommerce platforms, and other trusted entities using tactics such as cloning, mirroring, typosquatting, brandjacking, and scareware to ensnare users. Additionally, threat actors employ web skimming: covertly inserting malicious code into websites to capture the data users submit through HTML forms. In 2022, these deceptive sites caused losses of $8.8 billion. Unfortunately, many businesses remain unaware of these threats until they suffer financial or reputational damage.
New Campaigns
The “Silent Skimmer” is a financially motivated cyber group active in the Asia-Pacific (APAC) region. They target vulnerable online payment infrastructure, infiltrating web servers through flaws to collect consumers’ financial data using payment scraping techniques. They are proficient in Chinese and have victims in North America. Their tactics involve exploiting web application vulnerabilities, particularly in Internet Information Services (IIS). They use various tools and historically have exploited CVE-2019-18935. The campaign employs multiple techniques and deploys a Remote Access Tool (RAT) capable of various tasks. The group seeks global weaknesses in web applications, with a focus on servers lacking modern security technologies, especially those handling payment data.
Separately, an additional campaign has emerged, posing a significant threat to Magento and WooCommerce websites. This sophisticated campaign comprises three elements: a loader, a malicious attack code, and data exfiltration. The loader is a crucial JavaScript snippet facilitating the deployment of the attack code. The malicious attack code is multifunctional, carrying out tasks like data detection, disruption of the checkout process, and the injection of counterfeit forms. Data exfiltration sends stolen information to a command-and-control server.
Notably, the campaign targeting Magento and WooCommerce websites has appeared in three distinct variations, reflecting an evolving threat. The attacker’s ability to make swift improvements is remarkable. The third variation stands out for hiding its malicious code inside a website’s default 404 error page, which improves its evasion. Of particular concern, the malicious comments persist on the 404 error page even after the loaders are removed from affected websites. This residual presence means the skimmer could be reactivated, so the error page itself must be monitored.
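Because the third variant parks its code in the 404 page, a defender wants two checks on that page: a baseline hash that flags any change, and a scan for HTML comments or inline scripts that carry script-like content. The following is an added example written for this post, not code from the campaign or from Critical Start; the sample 404 bodies and the hint list are constructed for illustration.

```python
import hashlib
import re
from html.parser import HTMLParser

# Tokens that have no business inside a comment on a static error page (constructed list).
SCRIPT_HINTS = ("<script", "function(", "eval(", "atob(", "fromCharCode",
                "document.", "XMLHttpRequest", "fetch(")
# Long base64-looking runs are a common way to smuggle an encoded payload.
B64_RUN = re.compile(r"[A-Za-z0-9+/=]{80,}")


class ErrorPageScanner(HTMLParser):
    """Collects HTML comments and inline <script> bodies from a page."""

    def __init__(self):
        super().__init__()
        self.comments, self.scripts, self._in_script = [], [], False

    def handle_comment(self, data):
        self.comments.append(data)

    def handle_starttag(self, tag, attrs):
        self._in_script = tag.lower() == "script"

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.scripts.append(data)


def suspicious_fragments(html):
    """Return (kind, snippet) pairs for comments or scripts that look like hidden skimmer code."""
    parser = ErrorPageScanner()
    parser.feed(html)
    hits = []
    for kind, bodies in (("comment", parser.comments), ("script", parser.scripts)):
        for body in bodies:
            if any(hint in body for hint in SCRIPT_HINTS) or B64_RUN.search(body):
                hits.append((kind, body.strip()[:60]))
    return hits


def fingerprint(html):
    """Stable hash of the served page body, stored once and compared on every check."""
    return hashlib.sha256(html.encode()).hexdigest()


# Constructed sample pages: a clean 404 and the same page with code hidden in a comment.
CLEAN_404 = "<html><body><h1>404 Not Found</h1><!-- served by cdn --></body></html>"
TAMPERED_404 = CLEAN_404.replace(
    "</body>", "<!-- <script>eval(atob('AAAA'))</script> --></body>")
```

In practice, run `fingerprint()` against the baseline and `suspicious_fragments()` on each scheduled fetch of the 404 page, and alert on either a hash change or a non-empty hit list.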
Mitigation Strategies
Many employees lack the essential skills to recognize deceptive websites. Cybersecurity training frequently overlooks emerging threats such as website spoofing, often treating them as end-user problems rather than substantial cybersecurity challenges. Closing this training gap is vital to mitigate the risks of phishing attacks, malware distribution, and data breaches orchestrated by disguised websites. Strengthening employees’ capacity to detect spoofed websites and related email schemes is crucial to fortify the organization’s overall cybersecurity readiness.
Organizations should train employees to:
- Be cautious when receiving requests for money transfers, especially if the sender’s name and email address don’t align.
- Always verify email addresses and be wary of vague, threatening, or persuasive emails, especially those with suspicious links.
- Exercise skepticism with text messages containing links or requests, as urgency and enticing offers are common tactics employed by smishing attacks.
- Familiarize yourself with social engineering tactics, such as exploiting authority and altruism, to recognize and resist manipulative schemes.
- When navigating potentially deceptive websites, scrutinize the URL for misspellings or extra characters, prioritize secure sites (https://), and use domain lookup services for registration information. If uncertain, seek advice from colleagues or the IT department.
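The URL checks in the last bullet (misspellings, extra characters, https) can be automated for a help desk or mail gateway. This added example, not part of the original post or of any Critical Start product, scores a URL against a constructed list of trusted brand domains: it flags a non-https scheme, folds common homoglyphs, applies an edit-distance check for typos, and catches the brand name buried in a subdomain of an unrelated domain. It assumes single-label TLDs (example.com, not example.co.uk).

```python
from urllib.parse import urlsplit

# Brand domains the organization legitimately uses (constructed for this example).
TRUSTED = ("example-bank.com", "example-shop.com")

# Characters commonly swapped for visual look-alikes in typosquatting.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
                            "\u0430": "a", "\u0435": "e", "\u043e": "o"})


def normalize(label):
    """Fold digits and Cyrillic look-alikes to their Latin counterparts."""
    return label.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Damerau-Levenshtein (optimal string alignment) distance."""
    # Row 0 and column 0 hold the insertion/deletion cost from the empty string.
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[len(a)][len(b)]


def assess_url(url):
    """Return findings: 'insecure-scheme', 'trusted', or 'lookalike:<brand domain>'."""
    parts = urlsplit(url)
    findings = []
    if parts.scheme != "https":
        findings.append("insecure-scheme")
    host = (parts.hostname or "").lower()
    registrable = ".".join(host.split(".")[-2:])  # assumes single-label TLD
    if registrable in TRUSTED:
        return findings + ["trusted"]
    base, norm_host = normalize(registrable.split(".")[0]), normalize(host)
    for trusted in TRUSTED:
        tbase = trusted.split(".")[0]
        # Same brand under homoglyphs, a typo within two edits, or the brand as a subdomain label.
        if base == tbase or edit_distance(base, tbase) <= 2 or tbase in norm_host:
            findings.append(f"lookalike:{trusted}")
    return findings
```

A result of `["trusted"]` means the registrable domain is on the allow list; anything with a `lookalike:` entry deserves escalation to IT rather than a click.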
Conclusion
In the ever-evolving landscape of cybersecurity, the discovery of brand impersonation and web skimming is a stark reminder of the constant need for vigilance and adaptation in defense strategies. The use of advanced concealment techniques in these campaigns, including the innovative exploitation of the default 404 error page, underscores the need for organizations to remain proactive in their efforts to detect and mitigate such threats. Awareness, preparedness, and swift response are imperative to protect sensitive data and maintain the integrity of online platforms in the face of such sophisticated and evolving cyber threats.
CRITICALSTART® offers a pioneering solution to modern organizational challenges in aligning cyber protection with risk appetite through its Cyber Operations Risk & Response™ platform, award-winning Managed Detection and Response (MDR) services, and a dedicated human-led risk and security team. By providing continuous monitoring, mitigation, maturity assessments, and comprehensive threat intelligence research, they enable businesses to proactively protect critical assets with measurable ROI. Critical Start’s comprehensive approach allows organizations to achieve the highest level of cyber risk reduction for every dollar invested, aligning with their desired levels of risk tolerance.