Search This Blog

Showing posts with label Credit Card Fraud. Show all posts

Microsoft: Credit Card Stealers are Switching Tactics to Conceal the Attack

 

Attackers are manipulating e-commerce checkout websites and capturing payment card information by utilising picture files with a concealed malicious PHP script. According to Microsoft, card-skimming malware is increasingly employing malicious PHP scripts on web servers to modify payment sites and circumvent browser safeguards activated by JavaScript code. 

Card-skimming malware has changed its approach, according to Microsoft threat analysts. Card skimming has been dominated over the past decade by the so-called Magecart malware, which uses JavaScript code to inject scripts into checkout pages and transmit malware that grabs and steals payment card information. Injecting JavaScript into front-end processes was very conspicuous, according to Microsoft, because it might have triggered browser defences such as Content Security Policy (CSP), which prevents external scripts from loading. 

By attacking web servers with malicious PHP scripts, attackers discovered a less noisy method. In November 2021, Microsoft discovered two malicious image files on a Magento-hosted server, one of which was a fake browser favicon. Magento is a well-known e-commerce system. The images included an embedded PHP script, which did not run on the compromised web server by default. Instead, in order to only target shoppers, the PHP script only starts after validating via cookies that the web admin is not currently signed-in. 

The PHP script obtained the current page's URL and looked for the keywords "checkout" and "one page," which are linked to Magneto's checkout page. "The insertion of the PHP script in an image file is interesting because, by default, the webserver wouldn't run the said code. Based on previous similar attacks, we believe that the attacker used a PHP 'include' expression to include the image (that contains the PHP code) in the website's index page, so that it automatically loads at every webpage visit," Microsoft explained. 

Malicious PHP is increasingly being used in card-skimming malware. Last week, the FBI issued a warning about new examples of card-skimming attackers infecting US business checkout sites with web shells for backdoor remote access to the webserver using malicious PHP. Sucuri discovered that PHP skimmers targeting backend web servers were responsible for 41% of new credit card-skimming malware discovered in 2021. Magecart Group 12 is distributing new web shell malware, according to Malwarebytes, that dynamically loads JavaScript skimming code via server-side requests to online merchants. 

Malwarebytes' Jérôme Segura noted, "This technique is interesting as most client-side security tools will not be able to detect or block the skimmer. Unlike previous incidents where a fake favicon image was used to hide malicious JavaScript code, this turned out to be a PHP web shell."    

However, dangerous JavaScript is still used to skim cards. Card-skimming malware based on JavaScript spoofing Google Analytics and Meta Pixel (previously Facebook Pixel) scripts, for example, was discovered by Microsoft.

Phishing Scam Adds a Chatbot Like Twist to Steal Data

 

According to research published Thursday by Trustwave's SpiderLabs team, a newly uncovered phishing campaign aims to reassure potential victims that submitting credit card details and other personal information is safe. 

As per the research, instead of just embedding an information-stealing link directly in an email or attached document, the procedure involves a "chatbot-like" page that tries to engage and create confidence with the victim. 

Researcher Adrian Perez stated, “We say ‘chatbot-like’ because it is not an actual chatbot. The application already has predefined responses based on the limited options given.” 

Responses to the phoney bot lead the potential victim through a number of steps that include a false CAPTCHA, a delivery service login page, and finally a credit card information grab page. Some of the other elements in the process, like the bogus chatbot, aren't very clever. According to SpiderLabs, the CAPTCHA is nothing more than a jpeg file. However, a few things happen in the background on the credit card page. 

“The credit card page has some input validation methods. One is card number validation, wherein it tries to not only check the validity of the card number but also determine the type of card the victim has inputed,” Perez stated.

The campaign was identified in late March, according to the business, and it was still operating as of Thursday morning. The SpiderLabs report is only the latest example of fraudsters' cleverness when it comes to credit card data. In April, Trend Micro researchers warned that fraudsters were utilising phoney "security alerts" from well-known banks in phishing scams. 

Last year, discussions on dark web forums about deploying phishing attacks to capture credit card information grew, according to Gemini Advisory's annual report. Another prevalent approach is stealing card info directly from shopping websites. Researchers at RiskIQ claimed this week that they've noticed a "constant uptick" in skimming activity recently, albeit not all of it is linked to known Magecart malware users.

Caramel Credit Card Theft is Proliferating Day by Day

 

A credit card stealing service is gaining traction, providing a simple and automated option for low-skilled threat actors to enter the sphere of financial fraud. Credit card skimmers are malicious scripts that are put into compromised e-commerce websites and wait patiently for customers to make a purchase. 

Following a purchase, these malicious scripts capture credit card information and transport it to remote sites, where threat actors can collect it. Threat actors then use these cards to make online purchases for themselves or sell the credit card information to other threat actors on dark web markets for as little as a few dollars. Domain Tools found the new service, which claims that it is run by a Russian criminal outfit called "CaramelCorp." 

Subscribers receive a skimmer script, deployment instructions, and a campaign management panel, which includes everything a threat actor needs to start their own credit card stealing campaign. Caramel only sells to Russian-speaking threat actors after a first verification procedure that weeds out individuals who use machine translation or are new to the sector. 

A lifetime subscription costs $2,000, which isn't cheap for aspiring threat actors, but it includes complete customer service, code upgrades, and growing anti-detection methods for Russian-speaking hackers. 

The "setInterval()" technique, which exfiltrates data between preset periods, is used to acquire credit card data. While it may not appear to be an efficient strategy, it can be used to collect information from abandoned carts and completed purchases. Finally, the campaigns are managed through a panel that allows the subscriber to monitor the affected e-shops, configure the gateways for obtaining stolen data, and more. 

While Caramel isn't new, and neither are skimming campaigns. In December 2020, Bleeping Computer discovered the first dark web posts offering the kit for sale. Caramel has grown in popularity in the underground scene thanks to continued development and advertising. The existence of Caramel and other similar skimming services lowers the technical barrier to starting up and managing large-scale card skimming campaigns, potentially increasing the prevalence of skimmer operations. 

One can defend themself from credit card skimmers as an e-commerce platform user by utilising one-time private cards, putting up charging limitations and prohibitions, or just using online payment methods instead of cards.

Magecart Allegedly Hacked the Segway Online Store

 

Researchers discovered an online skimmer on Segway's online store which allowed malicious actors to acquire credit cards and personal information from customers during checkout. 

The store has been hacked by Magecart skimmer, is majorly known for Dean Kamen's invention of the two-wheeled, self-balancing personal transporter, additionally, it also makes additional human mobility technologies.

"While the company doesn't know how Segway's site was hacked, an attacker will normally target vulnerabilities in the CMS system or one of its plugins." "The hostname at store.segway[.]com runs Magento, a major content management system (CMS) utilized by numerous eCommerce sites and a favorite of Magecart threat actors."

The attack was traced to Magecart Group 12 by Malwarebytes researchers who discovered a web skimmer on Segway's online store (store.segway.com). The Segway store was connecting a known skimmer website (booctstrap[.]com), which has been operational since November and has been linked to prior Magecart attacks.

The Magento CMS was utilized to breach the store, and threat actors exploited loopholes in vulnerable versions of the CMS or one of its plugins. The firm also discovered a piece of JavaScript hidden in a file called "Copyright," which isn't harmful in and of itself but periodically loads the skimmer. Anyone analyzing the HTML source code will not see the skimmer because of this method. 

The idea that the malicious actors are inserting the skimmer within a favicon.ico file is also noteworthy; Small icon visuals that connect to other sites are known as favicons. This new approach is becoming increasingly widespread, according to Uriel Maimon, senior director of technological innovations at cybersecurity firm PerimeterX. 

"Magecart attackers are getting increasingly inventive with the attempts to avoid detection, especially given the developments in access control over time." Manual code review, static program analysis, and scanners could not have easily spotted the skimmer script hidden behind a favicon claiming to display the site's copyright."

To prevent these types of attacks, buyers should pay with computerized systems, one-time cards, tokens with stringent charging restrictions, or simply pick cash on delivery if available. Using an internet security application that identifies and prevents malicious JavaScript from running on checkout pages may also save you the headache of obtaining your credit card information stolen.

Hackers Impersonate Bank Customers and Make $500k in Fraudulent Credit Card Payments

 

Hackers from other countries were able to impersonate 75 bank clients and made $500,000 in fraudulent credit card payments. This was accomplished using a clever way of intercepting one-time passwords (OTPs) sent by banks via SMS text messages. In a joint statement released on Wednesday, the Infocomm Media Development Authority (IMDA), the Monetary Authority of Singapore (MAS), and the Singapore Police Force detailed how hackers redirected SMS OTPs from banks to foreign mobile networks systems. 

The SMS diversion method, they said, “requires highly sophisticated expertise to compromise the systems of overseas telecommunication networks”. Last year's fraudulent transactions took place between September and December. The bank clients claimed that they did not initiate the transactions and that they did not get the SMS OTPs that were required to complete them. 

According to Mr. Wong, the MAS' deputy chairman, the Monetary Authority of Singapore (MAS) would engage with financial institutions to fine-tune the existing framework on fraudulent payment transactions, which covers the responsibilities and liabilities of banks and customers in such instances. 

Between September last year and February, the police received 89 reports of fraudulent card transactions using SMS one-time passwords (OTPs), according to Mr. Wong. Ms. Yeo Wan Ling (Pasir-Ris Punggol GRC) had inquired if bank-related cyber frauds had increased in the previous six months.

"While these cases represent less than 0.1 percent of fraudulent online card transactions reported, and the number of cases has come down since March 2021, it is nevertheless concerning," Mr. Wong said. 

Singapore's financial and telecommunications networks have not been hacked, according to the authorities. Affected customers who took efforts to safeguard their credentials would not be charged for any of the fraudulent transactions as a gesture of goodwill from the banks, according to the authorities. The names of the banks involved were kept under wraps. 

The cybercriminals utilized this method to get the victims' credit card information and mobile phone numbers in this incident. They also got into the networks of international telecoms and exploited them to alter the location information of the Singapore victims' mobile phones. 

By doing so, the hackers deceived Singapore telecom networks into believing that Singapore phone numbers were roaming overseas on the networks of other countries. The hackers subsequently made fraudulent online card payments using the victims' stolen credit card information.

As a result, when banks issued SMS OTPs to victims to authenticate transactions, the criminals were able to reroute these text messages to foreign mobile network systems. The fraudulent card payments were subsequently completed using the stolen OTPs. This corresponds to the victims' claims that they did not get the OTPs.

Wawa Paying $9 Million in Cash, Gift Cards in Data Breach Settlement


The Wawa convenience store chain is paying out up to $9 million in cash and gift cards to customers who were affected by a previous data breach, as reimbursements for their loss and inconvenience. 

The affected customers can request gift cards or cash that Wawa is paying out to settle a lawsuit over the security incident. Here's everything you need to learn about the proposed class action settlement – who's eligible, how to submit a claim for cash or a gift card, and how to object to the deal. 

Customers who used their payments cards at any Wawa store or gas pump during the data breach, but were not impacted by the fraud, qualifies to receive a $5 gift card, as compensation. These claimants are referred to as 'Tier One Claimants'. 

However, the claimants will be required to submit proof of the purchase they conducted at a Wawa store or fuel pump between March 04, 2019, and December 12, 2019 – when the data breach occurred – in order to claim the gift card. Customers would essentially be required to provide proof of the transaction date, preferably a store receipt of a statement by the bank, or a screenshot from the concerned bank or credit card company website or app. 

The next category of claimants, referred to as 'Tier Two Claimants' could receive a gift card worth $15 if they show reasonable proof of an actual or attempted fraudulent charge on their debit or credit card post-transaction. 

The last category of claimants, referred to as 'Tier Three Claimants' qualify to receive a cash reimbursement of upto $500, if they provide reasonably documented proof of money they spent in connection with the actual or attempted fraudulent transaction on their payment card. It must be reasonably attributed to the data breach incident. 

During the 9 month span of the data breach, around 22 million class members made a financial transaction at one of the Wawa stores. Customers have been given a deadline of November 29, 2021, to submit a claim for recompensation. By doing so, they are giving up their right to sue Wawa over the 2019 security incident. 

Those who wish to retain their right to sue the company over the security incident and do not wish to receive the payment will be required to exclude themselves from the class. The deadline given for the same is November 12, 2021. 
 

What is this settlement for?


In 2019, the Wawa convenience store chain experienced a data breach wherein cybercriminals hacked their point-of-sale systems to install malware and steal customers' card info. As the fraud impacted Wawa's 850 locations along the East Coast, the U.S based convenience store company found itself buried in a series of lawsuits. One of which – filed by the law firm Chimicles Schwartz Kriner & Donaldson-Smith, of Haverford – claimed that the data breach “was the inevitable result of Wawa's inadequate data security measures and cavalier approach to data security.”

The massive data breach that lasted for nine months,
affected in-store payments and payments at fuel pumps, including “credit and debit card numbers, expiration dates, and cardholder names on payment cards.” Meanwhile, hackers also attempted to sell the stolen financial data on the dark web. 

As a result, a police investigation was called in for and the organization also conducted an internal investigation by appointing a forensics firm for the same.

Know ways to avoid credit or debit card frauds


Since 2016, when India decided to go cashless the growth of online payments increased exponentially but not without risks. Online payments seem quick and easy but it's not hard for your financial data to be stolen. With every transaction and swipe you're putting your credit to risk.


In 2019, India faced a banking hazard as 32 lakh debit cards from 19 banks, including HDFC Bank, ICICI Bank, and Axis Bank, were compromised with a loss of 1.3 crores. The cyber-world is littered with examples like this, people often think it's inevitable that they will be duped at least once, that even if they are careful their credit cards will be compromised at some point. But it doesn't have to be so, with the following measures we can reduce the risk of debit and credit frauds to a great extent.

Register for alerts

The best way to prevent a bogus transaction is to set up email or SMS alerts, as they will at least give you a warning as to when a transaction is made or tried. And if the said transaction is not by you then you can take action immediately.

Don't save your card information on websites

It's not foolproof but it would certainly clog some loopholes. It's better to limit the sites where you save your card details and know all the sites you have them saved on. Best to save them on trustable sites.

Be careful

The Internet is full of baits so be prudent while clicking on any too-good-to-be-true deals. Especially the ones that ask for your card details. Be paranoid of fishy email links and consider them as red flags.

Log out

Its cautious to log out of sites and apps made for e-commerce and never save any passwords on your phone.

Check Statements Regularly

Check your bank statements for any suspicious activity, so you can catch one early on. Sometimes, the fraudsters might use the card multiple times so as soon as you find something suspicious report it and cancel the card via the bank.

Use Online Wallets and UPI

As online wallets and UPI doesn't disclose your account details or card details, it's better to use them instead of credit or debit cards for e-commerce.

 It goes without saying that always air on the side of caution and never disclose your financial details to anyone. With a few careful steps you can reduce the risk of falling into a debit fraud and even if you do many banks offer insurance for such cases, so go through the bank's policies thoroughly; they may save you a dime a dozen.

The hacker explained why in Russia cards will become more often blocked


Hacker Alexander Warski told what to expect from Governing Bodies. According to him, bank cards will more often be blocked in Russia.

The information security specialist expressed the opinion of the new law on mandatory notification of blocking of finances on the accounts of Russians. Starting from March 28, according to the new law, credit institutions are obliged to notify customers about the blocking of funds on the same day, necessarily indicating the reason for their actions. According to the hacker, the new law will only contribute to a significant increase in blockages.

"The governing bodies will be more likely to use this tool," - said Warski.
At the moment, the percentage of all illegal withdrawals is 1% of all financial transactions. Scammers use fake phone numbers that are displayed as Bank numbers and disturb people on behalf of the Bank. In this regard, the hacker believes that mobile operators are to blame for allowing the sale of virtual SIM cards.

State Duma Deputy Natalia Poklonskaya believes that the introduction of the new law will make the bank-client relationship system more transparent.

"Now this side of banking will become more open, and blocking the client's account will no longer be unexpected, which means that it will not be able to be a manipulative tool," said Natalia.

Earlier, EhackingNews reported that experts from the information security company Positive Technologies came to the conclusion that hackers will need only five days on average to hack a large Russian Bank.

In addition, it became known that 89% of data leakage incidents in Russian banks were caused by ordinary employees.

Banks also noted the appearance of special Telegram bots, through which people can earn anonymously on the leak of information and personal data. Each case of information disclosure costs 50-100 thousand rubles ($750 - $1,500).

The Russian Embassy in Washington sent a note of protest to the State Department


The US Department of Justice has confirmed the extradition of Russian hacker Alexei Burkov from Israel. Accused by Americans of credit card fraud, a Russian citizen has already appeared before a federal judge in Virginia. Burkov faces up to 80 years in prison. The Russian Foreign Ministry sent a note of protest to the State Department, soon the consuls will be sent to the Russian citizen.

"In connection with the extradition of the Russian citizen Burkov from Israel to the United States, we have taken a decisive demarche regarding the “hunt” unleashed by Washington for our citizens around the world. In the note sent to the State Department, we demanded strict compliance by the American side with existing bilateral obligations," reported the press service of the Russian diplomatic mission.

The Embassy noted that Russian diplomats "will soon visit a compatriot in a pretrial detention center in Virginia."

Earlier, the US Department of Justice said that according to court documents, Burkov allegedly ran a website called Cardplanet that sold payment card numbers, many of which belonged to US citizens.
"Stolen data from more than 150,000 payment cards were allegedly sold on Burkov's website and led to fraudulent purchases made from US credit cards worth more than $20 million," stated the US Department of Justice.

It is noted that if Burkov is found guilty on all counts, he faces up to 80 years in prison.
Earlier, Russian President Vladimir Putin proposed to exchange the Israeli woman, who has dual citizenship — Israel and the United States. She was sentenced to 7.5 years in prison for smuggling hashish. Putin discussed the case with the Prime Minister of the Jewish state, Benjamin Netanyahu. However, he refused to make such an exchange.

Recall that Burkov was detained at the airport in Tel Aviv in 2015 when he came to Israel on vacation. He was later charged with crimes in the sphere of cybersecurity. He calls himself an information security specialist and denies the charges of committing the crimes imputed to him. All the time since the arrest he spent in Israeli prisons.

It is worth noting that Alexei Burkov will not be the first Russian convicted in the United States, whose return will be required by the Russian Foreign Ministry.