John Leyden May 04, 2021 at 14:20 UTC
Updated: May 18, 2021 at 12:55 UTC
Website vulnerabilities abused in new hacking campaign
An established organized crime group has changed tack, launching attacks on e-commerce stores that exploit cross-site scripting (XSS) vulnerabilities instead of relying on traditional phishing lures.
The group, nicknamed “Water Pamola” by Trend Micro, has been attacking e-commerce stores in Japan, Australia and European countries for two years using spam emails containing malicious attachments.
The malicious code is inserted into an order field where the customer’s address or company name normally resides.
The rogue script is likely activated by exploiting an XSS vulnerability in the administration portal of a targeted store, according to Trend Micro.
“Malicious behavior performed by scripts includes page grabbing, credential phishing, web shell infection, and malware delivery,” Trend Micro says in a blog post on the current campaign.
Data breach related to Water Pamola
In at least one instance, the administrators of a website targeted by Water Pamola subsequently disclosed that they had suffered a data breach.
Their server was illegally accessed, and personal information including names, credit card numbers, card expiration dates, and credit card security codes was potentially leaked.
This indicates a Magecart-type attack, with the twist that the cybercriminals are not targeting a specific e-commerce framework but e-commerce systems in general.
“If the store’s e-commerce system is vulnerable to XSS attacks, the malicious script will be loaded and executed on the merchant’s management panel once someone (such as a system administrator or store employee) opens the [malicious] order,” concludes Trend Micro.
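As an added illustration (not code from the article or from Trend Micro), the stored-XSS mechanism described above from the defender's side: an admin-panel order row rendered by raw string interpolation beside the same row with HTML output encoding, plus a check that flags orders whose free-text fields contain markup. The order records, field names and the inert script placeholder are constructed for this example.

```python
import html
import re
from dataclasses import dataclass


@dataclass
class Order:
    order_id: int
    customer_name: str
    company: str
    address: str


# Constructed sample orders: the second one carries markup in the company and
# address fields, the placement the article describes (payload is an inert placeholder).
SAMPLE_ORDERS = [
    Order(1001, "Taro Yamada", "Example Co.", "1-2-3 Chiyoda, Tokyo"),
    Order(1002, "Jane Doe", '<script src="https://example.invalid/x.js"></script>',
          "<img src=x onerror=alert(1)>"),
]


def render_order_row_vulnerable(order: Order) -> str:
    """Admin-panel row built by raw interpolation: attacker-controlled order
    fields land in the page verbatim, so the admin's browser runs any script in them."""
    return (f"<tr><td>{order.order_id}</td><td>{order.customer_name}</td>"
            f"<td>{order.company}</td><td>{order.address}</td></tr>")


def render_order_row_safe(order: Order) -> str:
    """Same row with every untrusted field HTML-escaped (contextual output
    encoding), the primary fix for stored XSS in a management view."""
    cells = (order.order_id, order.customer_name, order.company, order.address)
    return "<tr>" + "".join(f"<td>{html.escape(str(c), quote=True)}</td>" for c in cells) + "</tr>"


# Tag openers, javascript: URLs and inline event handlers; none belong in an address.
_MARKUP = re.compile(r"<\s*/?\s*[a-z!]|javascript:|on[a-z]+\s*=", re.IGNORECASE)


def suspicious_fields(order: Order) -> list[str]:
    """Detection aid: names of free-text fields that contain HTML or handler syntax."""
    fields = {"customer_name": order.customer_name, "company": order.company, "address": order.address}
    return [name for name, value in fields.items() if _MARKUP.search(value)]


def triage(orders) -> dict[int, list[str]]:
    """Map order id -> flagged fields for every order worth holding for review."""
    return {o.order_id: flagged for o in orders if (flagged := suspicious_fields(o))}
```

Escaping at render time is the fix; the triage check is only an early-warning signal for orders that deserve a look before anyone opens them in the panel.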
The attack scripts were handled with an XSS attack framework called ‘XSS.ME’, which the cybercriminals have developed and customized to go beyond its out-of-the-box capabilities to steal location and browser cookies.
The source code for this framework is shared on many Chinese public forums, according to Trend Micro.
The same attackers also use a secondary attack line that relies on social engineering to phish credentials or trick recipients into downloading malware under the guise of an Adobe Flash update.
There are several groups of Magecart attackers. They usually embed a skimmer in e-commerce web pages (through exploitation of a vulnerability, accessing the victim’s network, compromising third-party libraries, etc.).
Each time data is entered into a form, the skimmer sends a copy of the data to a command and control server.
In short, Magecart-type attacks target website visitors, while Water Pamola targets website administrators, Trend Micro’s Jaromir Horejsi told The Daily Swig.
“The attacker discovered [an] XSS vulnerability in [the EC-CUBE] framework, which is popular in Japan, so Japanese sites are targeted,” Horejsi explains. “We can only speculate as to why they target websites created with [a] popular setting in Japan in the first place.”
“Although the number of targeted e-commerce stores is not high, we must remember that each online store can have many customers,” the researcher concluded.