Media Coverage

Late last week, we observed a number of compromises on Amazon CloudFront – a Content Delivery Network (CDN) – where hosted JavaScript libraries were tampered with and injected with web skimmers. The skimmer used in this attack looked eerily familiar. Indeed, by going back in time, we noted it used to have the same exfiltration gate (font-assets[.]com) identified by Yonathan Klijnsma in RiskIQ’s report on several recent supply-chain attacks. RiskIQ, in partnership with Abuse.ch and the Shadowserver Foundation, sinkholed both that domain and another (ww1-filecloud[.]com) in an effort to disrupt the criminal’s infrastructure.

“This will likely lead to an event as damaging as WannaCry and notPetya from 2017 — potentially worse, as hackers have since honed their skills exploiting these things for ransomware and other nastiness,” said a blog post by researchers at Errata Security. The flaw, dubbed Bluekeep, was found in Remote Desktop Services and affects older versions of Windows, including Windows 7, Windows XP, Server 2003 and Server 2008. Errata Security researcher Robert Graham carried out a scan of devices using a tool called Masscan, to find the port (3389) used by Remote Desktop, the one used by Remote Desktop. While this found all open ports, Graham then used a Remote Desktop Protocol scanning project created by The Shadowserver Foundation, to find the million devices vulnerable to Bluekeep.

Dark Deeds in the DNS. It is no secret to either the people who undertake dark deeds on the Internet or to those trying to catch them that the DNS is one of the few systems that is universally visible. So, it’s no surprise that domain names are used to control botnets. Much time and effort has been spent studying DNS and the ways in which the DNS has been coopted to control malware. Stewart Garrick of Shadowserver presented on the Avalanche investigation, a multi-year law enforcement effort that spanned a number of countries. Some 2.5M domain names were blocked or seized during the investigative process.

A complex transnational organized cybercrime network that used GozNym malware in an attempt to steal an estimated $100 million from unsuspecting victims in the United States and around the world has been dismantled as part of an international law enforcement operation.  GozNym infected tens of thousands of victim computers worldwide, primarily in the United States and Europe.  The operation was highlighted by the unprecedented initiation of criminal prosecutions against members of the network in four different countries as a result of cooperation between the United States, Georgia, Ukraine, Moldova, Germany, Bulgaria, Europol and Eurojust. Other agencies and organizations partnering in this effort include the United States Secret Service, the National Cyber-Forensics and Training Alliance (NCFTA) in Pittsburgh and the Shadowserver Foundation

A complex transnational organized cybercrime network that used GozNym malware in an attempt to steal an estimated $100 million from unsuspecting victims in the United States and around the world has been dismantled as part of an international law enforcement operation.  GozNym infected tens of thousands of victim computers worldwide, primarily in the United States and Europe.  The operation was highlighted by the unprecedented initiation of criminal prosecutions against members of the network in four different countries as a result of cooperation between the United States, Georgia, Ukraine, Moldova, Germany, Bulgaria, Europol and Eurojust. Other agencies and organizations partnering in this effort include the United States Secret Service, the National Cyber-Forensics and Training Alliance (NCFTA) in Pittsburgh and the Shadowserver Foundation.

Last weekend, security researchers surfaced new supply-chain attacks involving Magecart web-skimmers placed on several web-based suppliers, including AdMaxim, CloudCMS, and Picreel. The breaches were part of a large-scale attack that hit a breadth of providers simultaneously intending to access as many websites as possible.

Web-based supply-chain attacks, which compromise vendors that supply code that adds or improves website functionality, gives attackers access to a wide range of victims at once because the compromised code often integrates with thousands of sites. In this blog, we’ll break down the Magecart skimming activity on these seven providers and detail when and how the compromises occurred, including how some of them could have been far worse.

The same skimmer was used for attacks against both services, which indicates it was the same Magecart Group. The exfiltration domain where stolen card data would have been sent was font-assets.com, which is associated with ww1-filecloud.com, another domain owned by the same attackers.

Both domains have been taken down and/or sinkholed with the help of Abuse.CH and the Shadowserver Foundation.

We uncovered a recent activity involving the notorious online credit card skimming attack known as Magecart. The attack, facilitated by a new cybercrime group, impacted 201 online campus stores in the United States and Canada.

We started detecting the attacks against multiple campus store websites on April 14, during which the sites were injected with a malicious skimming script (detected by Trend Micro as Trojan.JS.MIRRORTHEIF.AA) at their payment checkout pages.

With special thanks to our colleagues at abuse.ch and The Shadowserver Foundation for helping with the sinkholing of Mirrothief’s malicious domain and remediation reporting.

Akamai DNS Team: Be real. A Communications Service Provider’s (CSP’s) customer will not use their home to attack the Domain Name System (DNS). They might as well unplug from the Internet. Yet, customers get infected, CPEs get violated, and miscreants all over the Internet reflect attacks off CSP customers to attack others. This abuse happens every day. It is part of the “noise” of the Internet. It is also a major threat to the Internet. What does a CSP do when 30% of their customers are infected with malware?  The good news for CSPs is that organizations like CyberGreen and Shadowserver Foundation provide infection data and metrics as a public service.

Gangs using malicious JavaScript code to steal payment info target multiple online shopping platforms used by thousands of small stores; more advanced ones rely on tactics to remain undetected for a longer period. Generically known as Magecart because the Magento payment platform is a frequent target, the web skimming scripts are injected on checkout pages and collect credit and debit card details when customers pay for an order. In a report today, RiskIQ researcher Yonathan Klijnsma details a large-scale operation Magecart Group 12 led against OpenCart online stores. It used stealth tactics to keep its activity under the radar and pilfer as much payment info as possible. The domain used by the attacker is no longer active as RiskIQ together with AbuseCH and the Shadowserver Foundation took it offline.