A major hardware distributor was the victim of a network intrusion whereby suspects had gained access to the backend of their .eu and .iu domains, through a vulnerability with the company’s webserver. It is believed that the suspect identified the type of webserver which the domains were hosted on using security scanning software tools such as Nmap or Metasploit. Once the type of webserver had been identified, the criminals would have ascertained that the company used the Magento ecommerce payment platform, which is used to manage their online financial transactions. Unfortunately, the Magento software which they use was vulnerable to cross site scripting (XSS), an attack type which we discuss below. This particular vulnerability had been present for over 6 months, and had not been patched.
XSS is a code injection attack whereby an attacker can inject malicious scripts (payloads) into a legitimate website or web application, which are then executed by an end user. The xss would have given the suspect(s) access to the backend of their ie and eu domains, and from there the suspects had brute forced an old admin account which had lain dormant for 2 years. This would have been relatively easy to do, as the account had a weak password.
Once customers reached the Magento payment section, a JavaScript file was triggered and the customer was presented with a ‘fake credentials payment section’, which looked identical to the correct payment section. The aim of the script was to fraudulently obtain the credit card details entered by customers. The compromised details were then sent in clear text to another domain. Interestingly, the payment type used determined whether the code was successful or not. For example, it was successful for debit cards but not PayPal – this was primarily down to poorly written code.
In total, 138 customers were affected with compromised banking details, which were used in secondary fraud. The investigation identified the route of compromise and also a number of IP addresses, with the suspects using multiple VPN companies to remotely access the victim’s network.
The investigation team was able to trace the malicious file back to a server in Eastern Europe, who had contacted the company using encrypted instant messaging and making payment through the cryptocurrency Bitcoins (BTC).
Through extensive open source enquires and engagement with international law enforcement partners we were able to identify details of the organised crime group behind the attacks and provided this intelligence to overseas law enforcement for them to develop the intelligence and take proactive action against the suspect(s) identified. This investigation highlights the effective intelligence sharing between international agencies to tackle cyber crime on a global scale.


More Articles

By using this website you agree to our use of cookies to enhance your experience. I understand