
New wave of attacks aiming to rope home routers into IoT botnets | #corporatesecurity | #businesssecurity

Trend Micro research is warning consumers of a major new wave of attacks attempting to compromise their home routers for use in IoT botnets. The report urges users to […] View full post on National Cyber Security

#cybersecurity | #hackerspace | Signal Sciences Introduces Advanced Rate Limiting for Fast, Easy Protection Against Advanced Web Attacks

Source: National Cyber Security – Produced By Gregory Evans

Signal Sciences is excited to announce the availability of new advanced rate limiting features that extend our customers’ ability to detect and stop abusive behavior at the application and API layer.

Over the past several weeks, as part of our early access program, we piloted advanced rate limiting in real-world production environments and stopped major attacks for customers ranging from major retailers with large-scale e-commerce operations and financial services firms with mission-critical applications to major online media companies that stream video content to hundreds of millions of users monthly.

The Value of Intelligent Rate Limiting to Protect Applications

The primary objective of rate limiting is to prevent apps, APIs and infrastructure from being exploited by abusive request traffic, much of it originating from automated bot operators. Stopping this traffic from reaching your app and API endpoints means availability, reliability and a satisfying customer experience.

Up to this point, customers have used the Advanced Rules capability of our next-gen WAF to monitor and block web request traffic that attempts to carry out application denial-of-service attacks, brute-force credential stuffing, content scraping or API misuse.

Advanced rate limiting from Signal Sciences stops abusive, malicious and anomalous high-volume web and API requests and reduces web server and API utilization, while allowing legitimate traffic through to your applications and APIs.

With our new advanced rate limiting capability, Signal Sciences customers can leverage the ease of use, effective defense and precise blocking they’ve come to expect from our next-gen WAF and RASP solution. In addition to out-of-the-box protection, they also gain immediate insight and understanding of the traffic origins and can take granular custom actions by:

  • Creating application-specific rules to prevent app and API abuse
  • Defining custom conditions to block abusive requests
  • Identifying and responding to a real-time list of IPs that have been rate limited
  • Taking action on the identified source IP addresses with one click

How Signal Sciences Advanced Rate Limiting Works

Leveraging our award-winning app and API web protection technology, advanced rate limiting provides intelligent controls to reduce the number of requests directed at key web application functions such as credit card validation forms, forgot password fields, email subscription sign-ups, gift card balance checkers and more.

Signal Sciences makes it easy to create application-specific rate limiting rules. One-click actions enable further control over automated volumetric web requests.

Our technical approach for this new capability was informed by the expertise our company has gained from protecting over a trillion web requests monthly. This experience shows us that web requests that result in application abuse can blend in with legitimate traffic. Signal Sciences advanced rate limiting is designed to identify such traffic and prevent individual IPs from causing app abuse.
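To make the mechanism concrete, here is an added example (not Signal Sciences code) of the kind of control described above: a per-IP, per-endpoint sliding-window limiter with tighter budgets on the abuse-prone functions named above, replayed over constructed access-log lines to produce the list of rate-limited IPs an operator would act on. The endpoint paths, limits and log lines are assumptions made for the illustration.

```python
"""Per-IP, per-endpoint sliding-window rate limiting replayed over access-log lines.

Added illustration of the kind of control described in the post; it is not
Signal Sciences code. Endpoint names, limits and the log lines are constructed.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Tuple

# Tighter budgets on the abuse-prone functions named in the text; any other
# endpoint falls back to DEFAULT_LIMIT.  Values are (requests, window_seconds).
ENDPOINT_LIMITS: Dict[str, Tuple[int, float]] = {
    "/forgot-password": (5, 60.0),
    "/gift-card/balance": (3, 60.0),
}
DEFAULT_LIMIT: Tuple[int, float] = (100, 60.0)


class SlidingWindowRateLimiter:
    """Counts requests per (client IP, endpoint) inside a trailing time window."""

    def __init__(self, limits=ENDPOINT_LIMITS, default=DEFAULT_LIMIT):
        self.limits = limits
        self.default = default
        self.history: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)
        # Client IPs that exceeded a limit, with the time it first happened:
        # the "real-time list of rate-limited IPs" an operator acts on.
        self.limited: Dict[str, float] = {}

    def allow(self, client_ip: str, endpoint: str, now: float) -> bool:
        max_requests, window = self.limits.get(endpoint, self.default)
        recent = self.history[(client_ip, endpoint)]
        # Drop timestamps that have aged out of the window.
        while recent and now - recent[0] >= window:
            recent.popleft()
        if len(recent) >= max_requests:
            self.limited.setdefault(client_ip, now)
            return False  # blocked requests are not counted toward the window
        recent.append(now)
        return True

    def rate_limited_ips(self) -> List[str]:
        return sorted(self.limited)


# Constructed access-log lines: "<epoch seconds> <client IP> <method> <path>".
SAMPLE_LOG = [
    "1000.0 203.0.113.7 POST /forgot-password",
    "1001.0 203.0.113.7 POST /forgot-password",
    "1002.0 198.51.100.4 POST /forgot-password",
    "1002.5 203.0.113.7 POST /forgot-password",
    "1003.0 198.51.100.4 GET /index",
    "1003.5 203.0.113.7 POST /forgot-password",
    "1004.0 203.0.113.7 POST /forgot-password",
    "1005.0 203.0.113.7 POST /forgot-password",  # 6th in five seconds: limited
    "1006.0 203.0.113.7 POST /forgot-password",  # limited
    "1007.0 203.0.113.7 POST /forgot-password",  # limited
    "1050.0 198.51.100.4 POST /forgot-password",
]


def replay(log_lines, limiter: Optional[SlidingWindowRateLimiter] = None) -> Tuple[int, int, List[str]]:
    """Feed log lines through the limiter; return (allowed, blocked, limited IPs)."""
    if limiter is None:
        limiter = SlidingWindowRateLimiter()
    allowed = blocked = 0
    for line in log_lines:
        ts, ip, _method, path = line.split()
        if limiter.allow(ip, path, float(ts)):
            allowed += 1
        else:
            blocked += 1
    return allowed, blocked, limiter.rate_limited_ips()


if __name__ == "__main__":
    print(replay(SAMPLE_LOG))
```

The design choice worth noting is the key: limiting per (client, endpoint) rather than per client alone lets a gift-card balance checker carry a far tighter budget than the home page, so a scripted enumeration is stopped without slowing the same customer's normal browsing.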

Take the next step and effectively stop and manage abusive traffic

We invite you to learn about other common attack scenarios that customers use advanced rate limiting to thwart and how easy it makes stopping and managing the attack origin traffic: download the rate limiting data sheet or request a demo today.

The post Signal Sciences Introduces Advanced Rate Limiting for Fast, Easy Protection Against Advanced Web Attacks appeared first on Signal Sciences.

*** This is a Security Bloggers Network syndicated blog from Signal Sciences authored by Brendon Macaraeg. Read the original post at:

Source link

The post #cybersecurity | #hackerspace | Signal Sciences Introduces Advanced Rate Limiting for Fast, Easy Protection Against Advanced Web Attacks appeared first on National Cyber Security.

View full post on National Cyber Security

#hacking | Google develops Linux tool that tackles USB keystroke injection attacks


‘Voight-Kampff test’ provides warnings about thumb drive malfeasance

Google has developed a tool for Linux machines that combats USB keystroke injection attacks by flagging suspicious keystroke speeds and blocking devices classified as malicious.

Keystroke injection attacks can execute malicious commands via a thumb drive connected to a host machine, by running code that mimics keystrokes entered by a human user.

In a post on the Google Open Source blog, Google security engineer Sebastian Neuner explained Google’s tool uses two heuristic variables – KEYSTROKE_WINDOW and ABNORMAL_TYPING – to distinguish between benign and malicious inputs.

Measuring the time between two keystrokes, KEYSTROKE_WINDOW can generate false positives if users hit two keys almost simultaneously, although accuracy rises along with the number of keystrokes logged.

ABNORMAL_TYPING specifies the ‘interarrival time’ – or gap – between keystrokes.

The heuristic works because automated keystroke inputs are typically faster than those of humans, among other factors.

Neuner advises users to recalibrate the default parameters by gauging their own typing speed using online utilities whilst running the Google tool in ‘monitoring’ mode.

Done over several days or even weeks, this should gradually lower the false positive rate until eliminated, he explained.

The process trains the system to recognise the normal typing pattern of a user, thereby helping it reduce the number of false alarms: instances where genuine user input is incorrectly flagged as malign.
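As an added illustration (not Google's code), the following sketch shows how two knobs of this shape can be applied to keystroke timestamps, and how a calibration step derived from the user's own typing, as Neuner recommends, lowers the false-positive rate. The default values, the window length, the calibration formula and the timestamp samples are assumptions; the article does not give the tool's actual defaults.

```python
"""Keystroke-timing heuristic of the kind described above.

Added illustration, not Google's code. The two knobs mirror the variables the
article names: KEYSTROKE_WINDOW (how many consecutive keystrokes are judged
together) and ABNORMAL_TYPING (the interarrival gap, in milliseconds, below
which a keystroke is faster than a human is expected to type). The default
values and the timestamp samples are assumptions for the example.
"""
from typing import Iterable, List

KEYSTROKE_WINDOW = 5        # consecutive keystrokes judged as a group (assumed default)
ABNORMAL_TYPING_MS = 50.0   # a gap below this is "too fast" (assumed default)


def interarrival_times(timestamps_ms: Iterable[float]) -> List[float]:
    """Gaps between consecutive keystroke timestamps, in milliseconds."""
    ts = list(timestamps_ms)
    return [later - earlier for earlier, later in zip(ts, ts[1:])]


def is_injection(timestamps_ms, window: int = KEYSTROKE_WINDOW,
                 abnormal_ms: float = ABNORMAL_TYPING_MS) -> bool:
    """True if some run of `window` keystrokes was typed with every gap below
    `abnormal_ms`. Judging a whole window rather than one gap is what keeps two
    near-simultaneous human keypresses from raising an alarm on their own, and
    the verdict gets more reliable as more keystrokes are observed."""
    gaps = interarrival_times(timestamps_ms)
    needed = window - 1                     # N keystrokes have N-1 gaps
    if needed <= 0 or len(gaps) < needed:
        return False                        # not enough evidence yet
    return any(all(g < abnormal_ms for g in gaps[i:i + needed])
               for i in range(len(gaps) - needed + 1))


def calibrate(human_timestamps_ms, margin: float = 0.5) -> float:
    """Monitoring-mode calibration: set ABNORMAL_TYPING below the fastest gap the
    user actually produced, so their own typing no longer trips the heuristic.
    One simple scheme among many; the article does not prescribe a formula."""
    return min(interarrival_times(human_timestamps_ms)) * margin


def decide(timestamps_ms, monitoring: bool) -> str:
    """'allow', 'log-only' (monitoring mode, used while calibrating) or 'block'."""
    if not is_injection(timestamps_ms):
        return "allow"
    return "log-only" if monitoring else "block"


# Constructed samples: a human burst with one near-simultaneous pair (20 ms gap)
# and an injected sequence arriving at a steady 8 ms cadence.
HUMAN_MS = [0.0, 120.0, 260.0, 410.0, 430.0, 600.0, 780.0]
INJECTED_MS = [0.0, 8.0, 16.0, 24.0, 32.0, 40.0, 48.0, 56.0]

if __name__ == "__main__":
    print(decide(HUMAN_MS, monitoring=False), decide(INJECTED_MS, monitoring=False))
    print("calibrated ABNORMAL_TYPING:", calibrate(HUMAN_MS))
```

The human sample contains a single 20 ms gap, the kind of near-simultaneous keypress the article warns about; because the verdict requires a whole window of fast gaps, it is not flagged, while the steady 8 ms cadence is. Running the check in monitoring mode while the threshold is tuned is what lets a user drive the false-positive rate down before switching to blocking.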

Simple, inexpensive, widely available

Keystroke injection tools are relatively inexpensive and widely available online, noted Neuner.

Darren Kitchen, founder of pen test tool developer Hak5, is well placed to comment. He invented keystroke injection in 2008 and pioneered the first tool to simulate attacks: the USB Rubber Ducky, which featured in the iconic hacker TV series Mr. Robot.

“Keystroke injection attacks are popular because they’re simple – the barrier to entry is extremely low,” Kitchen, also founder and host of the popular Hak5 Podcast, told The Daily Swig. “I developed the now de facto language, Ducky Script, so anyone can learn it in a minute or two.”

Keystroke injection attacks are also difficult to detect and prevent, according to Neuner, since they’re delivered via the most widely used computer peripheral connector: the humble USB.

Keystrokes are also sent “in a human eyeblink while being effectively invisible to the victim” sitting at the computer, he said. Kitchen pointed out that the “USB Rubber Ducky can type over 1,000 words per minute with perfect accuracy and never needs a coffee break”.

Kitchen recounts how he developed keystroke injection to “automate my then mundane IT job – fixing printers in the terminal with one-liners”, before realizing that it “violated the inherent trust computers have in humans.

“That’s a flaw that’s hard to fix,” he continued, “because we want computers to trust us, and the way we speak to them (Alexa notwithstanding) is by keystrokes.”

‘Hacking the Gibson’

However, the attack is “only as powerful as the user that logged in”, said Kitchen, adding that he probably wouldn’t be “hacking the Gibson” since his machines are restricted in what the ordinary user can do.

“On the other hand, if you’re in an organization that has ignored security best practices over the past decade, and all of your ordinary users have administrative privileges, then yeah – keystroke injection attacks are a problem (and you probably have many more).”

Neuner, who posted two videos demonstrating an attack against a machine with and without the tool installed, advised against viewing Google’s utility as a comprehensive fix.

“The tool is not a silver bullet against USB-based attacks or keystroke injection attacks, since an attacker with access to a user’s machine (required for USB-based keystroke injection attacks) can do worse things if the machine is left unlocked,” he said.

The security engineer added that Linux tools like fine-grained udev rules or open source projects like USBGuard, through which users can define policies and block specific or all USB devices while the screen is locked, can add further protection.

Matthias Deeg, head of research and development at German pen testing firm SySS GmbH, said it remained to be seen how effective Google’s tool would prove.

“In my opinion, this new tool is interesting and may actually help prevent automated keystroke injection attacks, for instance via bad USB devices,” Deeg, who has researched wireless input devices, including their use for keystroke injection attacks, told The Daily Swig.

“However, we have not yet tested this tool and its implemented heuristics used for detecting automated keystroke injection attacks, and thus cannot say how easily it can be bypassed by tweaking the keystroke injection behavior of the attacker tool. This appears to be a good old cat-and-mouse game.”

A GitHub README for the Google tool includes a step-by-step setup and operation guide. The utility runs as a systemd daemon, which is enabled on reboot.


#cybersecurity | #hackerspace | Lift the DDoS Smokescreen: Investigate Underlying Attacks


“Hold out baits to entice the enemy. Feign disorder, and crush him.” ~ Sun Tzu

The sophistication of cybercriminals and the attraction of the “Black Hat” cyberspace have grown dramatically over the years. In the past, cyber assaults were carried out mostly by amateurs, motivated by boredom or plain curiosity. Nowadays, such activities might be the work of successful business ventures, holding a big financial stake in their success. With increasing professionalism, the attack tactics continue to evolve, giving rise to new multi-team and multi-vector attacks.

The decoy

Large scale DDoS attacks slow down a company’s day-to-day operations, sometimes bringing them to a complete halt. During such an attack the whole IT team, often already thinly spread, can become completely engaged in restoring the infrastructure functionality, leaving other areas unattended.

However, a DDoS might be aimed at more than just disrupting service. In recent years we’ve witnessed cases where large service disruptions came in parallel with other attack vectors, where, whether intentionally or not, DDoS was used as a smokescreen, to pivot the defending team’s attention away from a more sophisticated and precise simultaneous offence, such as ATO (Account Takeover) or phishing.

Dispersing the fog

With Imperva Attack Analytics, we evaluate and distil thousands of application layer security events into a few readable security incidents.

A novel feature that Imperva Attack Analytics offers customers is an indication of network layer DDoS attacks correlating to incidents in the application layer.

Full details can be found here, but essentially, clicking on a network layer DDoS incident (marked blue on the chart) navigates to a list of other incidents that took place before, after, or during the DDoS attack in question.

Image: DDoS incidents list. The image depicts a SQL injection attack carried out in parallel with a volumetric DDoS attack, both blocked by our Cloud WAF.

This allows us to track harmful cyber activities which might otherwise have been obscured by a massive flow of DDoS events and possibly identify these events as being a part of a single malicious act.
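The correlation described above can be sketched in code. The following is an added example, not Imperva's implementation: it treats each network-layer DDoS incident as a time window, widens it by a margin on both sides, and collects the other incidents that fall before, during or after it. The incident records, their field layout and the 30-minute margin are constructed for the illustration.

```python
"""Correlating network-layer DDoS incidents with application-layer incidents.

Added illustration of the correlation described in the post; it is not Imperva
code, and the incident records below are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class Incident:
    incident_id: str
    layer: str      # "network" or "application"
    kind: str       # e.g. "ddos", "sqli", "account-takeover"
    start: datetime
    end: datetime


def parse_incidents(lines: List[str]) -> List[Incident]:
    """Parse 'id, layer, kind, start, end' records with ISO-8601 timestamps."""
    incidents = []
    for line in lines:
        incident_id, layer, kind, start, end = [f.strip() for f in line.split(",")]
        incidents.append(Incident(incident_id, layer, kind,
                                  datetime.fromisoformat(start),
                                  datetime.fromisoformat(end)))
    return incidents


def correlate(incidents: List[Incident],
              margin: timedelta = timedelta(minutes=30)) -> Dict[str, List[str]]:
    """For every network-layer DDoS, list the other incidents that took place
    before, during or after it: those whose span overlaps the DDoS window
    widened by `margin` on both sides."""
    result: Dict[str, List[str]] = {}
    for ddos in incidents:
        if ddos.layer != "network" or ddos.kind != "ddos":
            continue
        window_start = ddos.start - margin
        window_end = ddos.end + margin
        related = [
            other.incident_id
            for other in incidents
            if other is not ddos
            and other.start <= window_end
            and other.end >= window_start
        ]
        result[ddos.incident_id] = sorted(related)
    return result


# Constructed incident records: one DDoS plus application-layer incidents
# during it, shortly before it, long before it, and shortly after it.
SAMPLE_INCIDENTS = [
    "D1, network, ddos, 2020-02-10T12:00:00, 2020-02-10T12:40:00",
    "A1, application, sqli, 2020-02-10T12:10:00, 2020-02-10T12:15:00",
    "A2, application, account-takeover, 2020-02-10T11:45:00, 2020-02-10T11:50:00",
    "A3, application, scanner, 2020-02-10T09:00:00, 2020-02-10T09:05:00",
    "A4, application, sqli, 2020-02-10T13:05:00, 2020-02-10T13:10:00",
]


def smokescreen_report(lines: List[str] = SAMPLE_INCIDENTS) -> Dict[str, List[str]]:
    """Map each DDoS incident id to the ids of incidents in its vicinity."""
    return correlate(parse_incidents(lines))


if __name__ == "__main__":
    print(smokescreen_report())
```

The margin is the important tunable: a precise attack launched just before the flood starts, or once the team is fully absorbed in restoring service, would be missed by exact-overlap matching, which is why the example looks around the DDoS rather than only inside it.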

Since some network layer DDoS incidents might, in fact, be large application layer DDoS incidents, analyzing them as such provides more detailed information on an attacker’s identity, location and tools than treating them as plain layer 3 denial of service.

Basic technical details of the attacked protocols and their bandwidth peaks can be obtained from Attack Analytics incident details view.

More advanced investigation tools are available at the Infrastructure Protection dashboard, allowing for further DDoS analysis.

Image: Imperva Infrastructure Protection dashboard

How to proceed from here

If you experience volumetric DDoS attacks and are an existing Attack Analytics customer, log into your account today and learn more about the DDoS attack itself and its surroundings.


If you’re not currently an Imperva customer or would be interested in learning more, you can request a demo.


Why not take this opportunity to escape alert fatigue and join those around the world uncovering ways of further protecting their digital assets?

The post Lift the DDoS Smokescreen: Investigate Underlying Attacks appeared first on Blog.

*** This is a Security Bloggers Network syndicated blog from Blog authored by Michael Rodov. Read the original post at:


Install Latest Chrome Update to Patch 0-Day Bug Under Active Attacks


Google yesterday released a new critical software update for its Chrome web browser for desktops that will be rolled out to Windows, Mac, and Linux users over the next few days.

The latest Chrome 80.0.3987.122 includes security fixes for three new vulnerabilities, all of which have been marked ‘HIGH’ in severity, including one (CVE-2020-6418) that has reportedly been exploited in the wild.

The brief descriptions of the Chrome bugs, which pose a significant risk to your systems if left unpatched, are as follows:

  • Integer overflow in ICU — Reported by André Bargull on 2020-01-22
  • Out of bounds memory access in streams (CVE-2020-6407) — Reported by Sergei Glazunov of Google Project Zero on 2020-01-27
  • Type confusion in V8 (CVE-2020-6418) — Reported by Clement Lecigne of Google’s Threat Analysis Group on 2020-02-18

The Integer Overflow vulnerability was disclosed by André Bargull privately to Google last month, earning him $5,000 in rewards, while the other two vulnerabilities — CVE-2020-6407 and CVE-2020-6418 — were identified by experts from the Google security team.

Google has said CVE-2020-6418, which stems from a type confusion error in its V8 JavaScript rendering engine, is being actively exploited, although technical information about the vulnerability is restricted at this time.

The search giant has not disclosed further details of the vulnerabilities, in order to give affected users enough time to install the Chrome update and prevent hackers from exploiting them.

Successful exploitation of the integer overflow or out-of-bounds write flaws could allow a remote attacker to compromise a vulnerable system by tricking the user into visiting a specially crafted web page that takes advantage of the flaw to execute arbitrary code on the target system.

It’s recommended that Windows, Linux, and macOS users download and install the latest version of Chrome by heading to Help > “About Chrome” from the settings menu.

The Original Source Of This Story: Source link


#school | #ransomware | Ransomware Attacks And Prevention | WSHU


Hackers have used viruses to infect and hold municipal and institutional computer systems hostage. It’s happened to school districts in Connecticut and on Long Island. We’ll discuss how cybersecurity experts will prepare for future ransomware attacks, while others try to pay the hackers’ price, with guests:

  • Robert Dillon, Ed.D., district superintendent, Nassau BOCES
  • Phil Boyle, New York state senator, R-Bay Shore
  • Harvey Kushner, Ph.D., chair, Department of Criminal Justice and Cybersecurity, and director, Homeland Security and Terrorism Institute, Long Island University 
  • Fred Scholl, Ph.D., cybersecurity program director and associate teaching professor of cybersecurity, Quinnipiac University
  • Arthur House, former chief cybersecurity risk officer, State of Connecticut


#cybersecurity | #hackerspace | Emotet attacks — a spike to start the year…


The Emotet malware is a very destructive banking Trojan that was first identified in 2014. Over the years it has evolved with new capabilities and functionalities, prompting cybersecurity agencies like the Australian Cyber Security Centre and US-CERT to issue advisories. Emotet malware generally spreads via malicious documents that drop a modular Trojan bot, which is used to download and install additional remote access tools. We wrote a blog post in January 2019 about how the malware had changed tactics, leading to a spike in the number of Emotet malware attacks. In the last week, we have observed a spike in the number of Emotet malware transactions across our customer base. US-CERT has also issued a fresh advisory regarding the recent spate of attacks. 

Our research has discovered that the Emotet malware is still very active and continues to be one of the most destructive malware attacks. The malware has evolved through the years, and the actors behind Emotet have used the infected endpoints to build out a formidable botnet that is used to distribute multiple malware families such as Trickbot and Dridex, as well as ransomware such as Ryuk.


After taking a break through the holiday season in 2019, Emotet malware attacks restarted in 2020, this time targeting the financial services industry. As in previous versions, the Emotet malware is only the initial attack vector used to launch the attack. The attack is initiated with a malicious Microsoft Word document that is designed to be downloaded and opened by the user. Once opened, the malicious macro executes and contacts the command-and-control server to initiate the next stage of the attack.


Menlo Security Research analyzed the topics listed below to gain a better understanding of this most recent Emotet malware attack. Data for this analysis was obtained from the Menlo Security Cloud Platform, which supports millions of users across all industries, including financial services, educational institutions, and the military. In addition to analyzing the Emotet document macro and loader, the analysis breaks down the following for this most recent attack spike and shows the distribution of the industries affected.

  • Emotet Kill Chain
  • Industries targeted
  • Distribution of Emotet hosting domains
  • Emotet controller IP distribution



Recent news shows that Emotet infections have crippled daily operations in a number of organizations. Emotet usually propagates in bursts, through delivery of malicious documents via mass compromised websites. Each infected host is then used to build out a botnet. The Menlo Security Research team noticed a spike in Emotet malware activity in January 2020. This spike was detected through our cloud isolation platform, which renders email attachments and websites visited from emailed links remotely, eliminating the possibility that malicious documents would reach an end user’s computer.  


The spike in activity occurred during January 14–22, affecting customers using our isolation service in the United States, Europe, and Asia. The following chart shows a spike in the number of Emotet document requests from January 14–22, 2020. 


Chart: spike in Emotet malware detected, January 14–22, 2020.


The Emotet Kill Chain

Like other Emotet malware versions, this recent attack also used malicious macros in a Microsoft Word document. The emails were crafted to appear as legitimate banking or financial transactions. Some examples of the subject lines used in this most recent campaign are given below.

Images: example subject lines used in the campaign.

The January 2020 campaign appeared to follow the kill chain similar to the attacks observed in late 2019. The initial attack is used only to gain a foothold in the network and establish contact with the command-and-control server. Once in place, additional malware is downloaded and the malware attempts to spread to other computers on the same network.


Figure: Emotet malware kill chain


From the above flow, we can divide the Emotet kill chain as follows:

  • Hosting of malicious documents via compromised websites.
  • Every malicious document has an embedded macro with a list of stage one URLs to try (usually three or four in the list, depending on the sample).
  • The Emotet loader establishes a command-and-control channel by selecting a server IP from a list of built-in C2 IP addresses.


Distribution and Infrastructure

Our data shows that the January 2020 campaign targeted financial services companies primarily in the United States. The following charts show the industry/vertical distribution and regions where these requests came from. Other industries and geographies were included in the attack, though to a far lesser degree.

Charts: industry/vertical distribution and regions of the requests


One of the techniques that Emotet malware uses is to distribute itself through other compromised legitimate websites, essentially creating new zero-day attacks. This makes the malware particularly difficult to protect against since the source of the malware is constantly changing. The following chart categorizes the distribution of the initial delivery URLs that served the malicious documents. The data shows very clearly why Emotet malware continues to evade security defenses and wreak havoc: 76 percent of the URLs used to distribute Emotet malware are actually categorized as safe by the leading threat intelligence databases. Some of the compromised websites were from academic institutions. This means that security products would not block or prohibit users from accessing and downloading content from these sites. Fortunately, Menlo Security customers were fully protected, because these malicious sites would have been viewed in isolation—completely protecting the end user.

Chart: categorization of the initial delivery URLs that served the malicious documents


Malicious Document Macro

Once the embedded macro inside the document is enabled, it spawns PowerShell to try a list of URLs to fetch the initial Emotet loader. Some observations of the macro behavior:

  • The macro constructs the PowerShell command by decoding data from a user form.
  • The PowerShell code is stored as a “Tag” property of a frame in the user form, and this frame is used to mask the other elements in the user form.
  • The PowerShell code that finally gets executed is Base64 encoded, which tries to download the Emotet loader by trying a list of URLs.
  • It uses Net.WebClient.DownloadFile to download the file and [Diagnostics.Process]::Start to start the process if the download was successful.
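From a detection standpoint, the Base64-encoded PowerShell stage is where this behavior surfaces in process telemetry. The following added example (not Menlo Security code) decodes a -EncodedCommand argument the way PowerShell does (Base64 over UTF-16LE text) and flags command lines that combine the download and process-start indicators listed above. The sample command lines are constructed; the 'suspicious' one carries placeholder tokens rather than a working script.

```python
"""Decode PowerShell -EncodedCommand arguments and flag download-and-execute indicators.

Added detection illustration, not Menlo Security code. Only the indicators the
analysis names are used; the command lines are constructed and the suspicious
sample contains placeholders, not a working script.
"""
import base64
import re
from typing import Dict, List, Optional

# Indicators taken from the macro behaviour described in the post.
DOWNLOAD_INDICATORS: List[str] = ["Net.WebClient", "DownloadFile"]
EXECUTE_INDICATORS: List[str] = ["[Diagnostics.Process]::Start"]

# PowerShell accepts any unambiguous prefix of -EncodedCommand; match the
# spellings commonly seen (-e, -ec, -enc, -EncodedCommand), case-insensitively.
ENCODED_ARG = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)")


def encode_for_powershell(script: str) -> str:
    """PowerShell expects Base64 over the UTF-16LE bytes of the script text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if the command line carries an encoded command."""
    match = ENCODED_ARG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def analyze(cmdline: str) -> Dict[str, object]:
    """Decode if needed, then report which indicators appear and whether the
    download and execute halves of the pattern are both present."""
    decoded = decode_encoded_command(cmdline)
    text = (decoded if decoded is not None else cmdline).lower()
    found = [i for i in DOWNLOAD_INDICATORS + EXECUTE_INDICATORS if i.lower() in text]
    downloads = any(i in found for i in DOWNLOAD_INDICATORS)
    executes = any(i in found for i in EXECUTE_INDICATORS)
    return {"encoded": decoded is not None, "indicators": found,
            "suspicious": downloads and executes}


# Constructed process command lines as an EDR or Sysmon event would record them.
BENIGN_CMDLINE = "powershell.exe -NoProfile -EncodedCommand " + encode_for_powershell("Get-Date")
SUSPICIOUS_CMDLINE = "powershell.exe -w hidden -enc " + encode_for_powershell(
    "# placeholder tokens only: Net.WebClient DownloadFile <URL> <PATH> ; "
    "[Diagnostics.Process]::Start <PATH>"
)

if __name__ == "__main__":
    for line in (BENIGN_CMDLINE, SUSPICIOUS_CMDLINE, "cmd.exe /c dir"):
        print(analyze(line))
```

Decoding before matching is the whole point: the indicator strings never appear in the raw command line, so a rule that searches only the visible arguments sees nothing but an opaque Base64 blob. Requiring both the download and the execute half keeps ordinary administrative scripts that merely fetch a file from being flagged.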

Image: the malicious document macro


Current Emotet Loader and Controller Infrastructure

Further analysis shows that the January 2020 Emotet malware was a far-reaching campaign that was executed through multiple networks. A concentration of IP addresses occurred in certain countries with global financial centers.

Map: distribution of Emotet loader and controller IP addresses by country


The final Emotet bot that gets dropped is usually a modular Trojan that establishes a command-and-control channel by choosing an IP from a list of IP addresses in its config file. The Emotet loader is very well researched and documented, so we will not get into the inner workings of this bot here. Some of the variations we observed:

  • We noticed that the initial dropper copies itself to “SysWOW64” and is invoked with a parameter that looks like a random number (–94737736).
  • Other characteristics exhibited were typical of a standard Emotet loader:
    • Extract system information, enumerate running processes (CreateToolhelp32Snapshot), bundle it using protobuf, and encrypt using an AES key (which is secured with an embedded RSA public key).
  • The encrypted POST request to the C2 IP seems to use a randomly generated string param that is form-urlencoded, which seems to be a slight change from previous payload URL patterns.
  • In some of the controller IPs, we observed HTTP traffic being sent over port 443.
  • A sample encrypted C2 payload is shown below:

Image: sample encrypted C2 payload



The Emotet malware has built a formidable infrastructure over time and can be destructive to an organization if not mitigated in a timely manner. Its techniques of leveraging multistage attacks and distributing malicious code through legitimate websites make the Emotet malware particularly hard to prevent with traditional security products that rely on signatures or threat intelligence.


To protect against Emotet malware attacks, enterprises should:

  • Be wary of macro-enabled, untrusted Office documents.
  • Vet PowerShell execution policies for Windows users in an organization.

For threat response teams: keep a close watch on the techniques used by the Emotet actors; MITRE has a specific ATT&CK framework page for Emotet.


Email and web isolation can provide complete protection from Emotet malware by inserting a secure, logically air-gapped execution environment in the cloud between the user and the malware. By executing sessions away from the endpoint and delivering only safely rendered information to devices, users are protected from malware and malicious activity. The result is that Emotet malware cannot infect a device it cannot reach. Isolation eliminates the possibility of malware reaching user devices via compromised or malicious websites, email, or documents. This approach is not detection or classification; rather, the user’s web session and all active content (JavaScript, Flash, etc.)—whether it’s good or bad—is fully executed and contained in a remote web browser in the cloud. Menlo Security has helped hundreds of Global 2000 companies and major government agencies use isolation to protect against Emotet and other malware, as well as phishing attacks, drive-by exploits, and other web- and email-based attacks.

Contact Menlo Security today to learn more about the Menlo Security Secure Internet with an Isolation Core™.



#deepweb | Malware volume drops, cryptojacking down 78%, stealthy attacks on web apps double


Good news as volumes of attacks drop, but bad as attackers turn to stealthier attacks on softer targets

Global malware attacks fell for only the second time in five years, dropping six percent to 9.9 billion, down from 10.5 billion, according to a new report. 

This seeming good news is not all it seems, however, with attackers eschewing large volume attacks in favour of more evasive and targeted attacks on soft targets. In other ‘good’ news, ransomware attacks also dropped nine percent to almost 188 million, while the volume of cryptojacking incidents plummeted 78 percent in the second half of 2019. This last is probably due to the volatile crypto market directly impacting revenues for hackers, as well as the shuttering of browser-based Monero-mining service Coinhive in March 2019.

However, the bad news is that hackers have turned their attention to more lucrative targets, with web apps such as Dropbox and Slack seeing a huge uptick in attacks, up 52 percent in the past year to 40.8 million. According to the 2020 SonicWall Cyber Threat Report, the overall internet trend towards encrypting traffic has been reflected in hacking too, with a rise in encrypted threats of 27 percent, totalling almost four million.

In addition, fileless malware and a range of new techniques (including code obfuscation, sandbox detection and bypass) saw a rise in popularity, with new threats hiding in common and trusted file types such as Office (20.3 percent) and PDFs (17.4 percent). Indeed, these two file types represented 38 percent of new threats detected by SonicWall.

Terry Greer-King, VP EMEA at SonicWall told SC Media UK that cyber-criminals are becoming smarter and more ambitious than ever before: “They now spend more time honing their craft, targeting vulnerable IoT devices and aiming ransomware at the highest-value targets most likely to payout. With hackers doubling their attacks on popular web apps used for work and everyday needs, financial and personal information within those services is now more vulnerable than ever. Sold on the dark web for a profit, there’s no telling where these details will end up.”

Interestingly, another trend highlighted by the report is a rise in IoT attacks, which saw a moderate five percent increase, with a total volume of 34.3 million attacks in 2019. With IoT devices widely tipped for an exponential rise (one industry study predicts the global IoT security market will reach or exceed £27 billion by 2023, a spike of 33.7 percent), the stage is set for increased volumes of IoT attack traffic as device penetration and deployment increases.

“Total end-to-end security is key, including a layered approach to security across wired, wireless, mobile and cloud networks. It will continue to be crucial to secure and manage IoT devices to prevent tampering and unauthorised access. As the report testifies, data will continue to be put under threat by malicious actors, often across changing vectors, and so it is hugely important that businesses and governments are proactive in protecting this,” summarised Greer-King.

The report found that the most popular ransomware family of 2019 (making up 33 percent of all ransomware attacks), was Cerber, also boasting four of the top 10 ransomware signatures of the year, including the top two spots totaling more than 77 million hits. 


Interpol Arrests 3 Indonesian Credit Card Hackers for Magecart Attacks


The Indonesian National Police in a joint press conference with Interpol earlier today announced the arrest of three Magecart-style Indonesian hackers who had compromised hundreds of international e-commerce websites and stolen payment card details of their online shoppers.

Dubbed ‘Operation Night Fury,’ the investigation was led by Interpol’s ASEAN Cyber Capability Desk, a joint initiative by law enforcement agencies of Southeast Asian countries to combat cybercrime.

According to the press conference, all three accused (23, 26, and 35 years old) were arrested in December last year in Jakarta and Yogyakarta and charged under criminal laws related to data theft, fraud, and unauthorized access.

Just like most of the other widespread Magecart attacks, the modus operandi behind this series of attacks also involved exploiting unpatched vulnerabilities in e-commerce websites powered by Magento and WordPress content management platforms.

Hackers then secretly implanted digital credit card skimming code—also known as web skimming or JS sniffers—on those compromised websites to intercept users’ inputs in real-time and steal their payment card numbers, names, addresses and login details as well.

Though Indonesian police claim these hackers had compromised 12 e-commerce websites, experts at cybersecurity firm Sanguine Security believe the same group is behind the credit card theft at more than 571 online stores.

“These hacks could be attributed because of an odd message that was left in all of the skimming code,” Sanguine Security said.

“‘Success gan’ translates to ‘Success bro’ in Indonesian and has been present for years on all of their skimming infrastructures.”

The police revealed that the suspects used stolen credit cards to buy electronic goods and other luxury items, and then also attempted to resell some of them at a relatively low price through local e-commerce websites in Indonesia.


On an Indonesian news channel, one of the accused even admitted to hacking e-commerce websites and injecting web skimmers since 2017.

Moreover, experts also observed similar cyberattacks linked to the same online infrastructure even after the arrest of the three people, and thus believe that there are more members of this hacking group who are still at large.


#nationalcybersecuritymonth | US election still vulnerable to attacks, despite security improvements

Days away from the Iowa caucuses, and less than 11 months from the general election, voting and election security continues to be a challenge for the U.S. political system. Threats to a secure election appear to loom as large today as they did in 2016, when […] View full post on