STE WILLIAMS

Alleged mastermind behind $20m stolen-card site extradited to US

Cardplanet: it wasn’t just an underground market to buy credit card data. It was the underground service that sold stolen payment card data with a satisfaction guarantee: invalid card data? Have A Brand New Card!

That’s how the card shop is described in an 18-page indictment, filed in Eastern Virginia US District Court on Tuesday, that charges a 29-year-old Russian man, Aleksei Yurievich Burkov, with running what prosecutors say was a $20m stolen card trading ring. The Cardplanet site, which was public, operated from 2009 through most of 2013.

According to the US Department of Justice (DOJ), Burkov arrived at Dulles International Airport on Monday after Israel extradited him. He had been in Israel fighting extradition since his arrest at Ben-Gurion airport near Tel Aviv in December 2015.

Burkov has been charged with wire fraud, access device fraud, and conspiracy to commit wire fraud, access device fraud, computer intrusions, identity theft and money laundering. If convicted on all counts, he faces a maximum of 80 years in prison, though maximum sentences are rarely handed out.

Burkov was allegedly the mastermind behind Cardplanet, which sold stolen debit and credit card numbers that had primarily been hacked out of people’s computers. It’s estimated that the fraudulent purchases made on US credit card accounts alone total $20m.

After carders buy stolen payment card details, they can encode them onto the magnetic stripe of a blank card, cloning the original and using the counterfeit to go on shopping sprees.

Cardplanet sold data from more than 150,000 compromised payment cards, including cards from the biggest credit card brands in the US. Burkov allegedly kept his inventory well-stocked by soliciting card details on carding forums. The price for each stolen card’s data – what’s known as a dump – started at $2.50 and went up to $60, depending on card type, country of origin, and whether it came with PII such as the cardholder’s name and address.

There are plenty of card shops out there, but Cardplanet differentiated itself with stellar customer service. Burkov allegedly offered – for a fee – a service called “checker” that let buyers instantly validate the stolen card details that they’d purchased. Burkov allegedly promised to replace any numbers that turned out to be duds.
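What a magstripe “dump” actually contains, and the minimal offline validity check that both a seller’s “checker” and a defender scanning logs for leaked track data apply first, as an added example that is not part of the article and not any Cardplanet code. The Track 2 layout is the ISO/IEC 7813 one; the sample track and log line are constructed, the brand ranges are the public issuer-prefix ranges, the function names are this example’s own, and the PAN is a standard test number, not a real card. A real “checker” goes further than this and tests the card against a live authorisation; nothing here does that.

```javascript
// Added example: parse a Track 2 dump, Luhn-validate the PAN, classify the brand,
// and scan text for track-shaped data. Not code from the article or from Cardplanet.
// Track 2 layout (ISO/IEC 7813): ;PAN=YYMM<service code><discretionary data>?
// The PAN is the well-known Visa test number, not a real card (constructed sample).
const SAMPLE_TRACK2 = ';4111111111111111=25121011234567890123?';

// Luhn mod-10 check: the first thing any card-validating system applies.
function luhnValid(pan) {
  let sum = 0;
  let double = false;
  for (let i = pan.length - 1; i >= 0; i--) {
    let d = pan.charCodeAt(i) - 48;
    if (d < 0 || d > 9) return false;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Coarse brand classification from the leading digits (public issuer prefixes).
function cardBrand(pan) {
  if (/^4/.test(pan)) return 'Visa';
  if (/^(5[1-5]|2(22[1-9]|2[3-9]\d|[3-6]\d\d|7[01]\d|720))/.test(pan)) return 'Mastercard';
  if (/^3[47]/.test(pan)) return 'American Express';
  if (/^(6011|65)/.test(pan)) return 'Discover';
  return 'unknown';
}

// Split a Track 2 string into its fields; returns null if it is not track-shaped.
function parseTrack2(track) {
  const m = /^;(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?$/.exec(track);
  if (!m) return null;
  const [, pan, yy, mm, serviceCode, discretionary] = m;
  return {
    pan,
    expiry: `20${yy}-${mm}`,
    serviceCode,      // e.g. 101: international, no restrictions
    discretionary,    // issuer data, often the PVV/CVV1 material
    brand: cardBrand(pan),
    luhnOk: luhnValid(pan),
  };
}

// Defender side: find track-2-shaped data in a log line or file. PCI DSS forbids
// storing full track data after authorisation, so every Luhn-valid hit is a finding.
function scanForTrackData(text) {
  const found = [];
  const re = /;\d{13,19}=\d{4,}\?/g;
  let m;
  while ((m = re.exec(text)) !== null) {
    const parsed = parseTrack2(m[0]);
    if (parsed && parsed.luhnOk) {
      found.push({ offset: m.index, brand: parsed.brand, panTail: parsed.pan.slice(-4) });
    }
  }
  return found;
}

// Constructed log line of the kind a badly configured POS might write.
const SAMPLE_LOG = `2019-11-12T10:01:22Z POS swipe ok track2=${SAMPLE_TRACK2} terminal=7`;

console.log(parseTrack2(SAMPLE_TRACK2));
console.log(scanForTrackData(SAMPLE_LOG));
```

Run it with Node; the scanner reports only the brand and the last four digits so that the finding itself does not re-leak the PAN.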

The DOJ says Burkov also had other money-making schemes. He allegedly ran another site, an invite-only club for “elite cybercriminals” to collaborate on their crimes and to flog all sorts of unsavory wares: malware and stolen goods that included personal identifying information (PII); plus services for crooks, such as botnets, money laundering and hacking.

To join the elite forum, you needed the blessings of three existing members who’d vouch for your fine criminal reputation. Plus, you needed to pony up some money as insurance: normally, $5,000. Then, all the members got to vote on whether you could join. Those safeguards were designed to keep law enforcement agents from infiltrating the forum, and to make sure that members didn’t renege on their transactions.

As far as Cardplanet goes, that house of cards fell apart in December 2013, when Burkov allegedly sold stolen data for six cards to an undercover agent.

He’s scheduled for a detention hearing on Friday at the federal courthouse in Alexandria, Virginia.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/14J8hDIexN0/

Warrantless searches of devices at US borders ruled unconstitutional

A federal court in Boston on Tuesday ruled that suspicion-free, warrantless searches of travelers’ electronic devices at US border entry points are unconstitutional.

Rights groups are hailing the Boston ruling as a major win. Sophia Cope, a senior staff attorney with the Electronic Frontier Foundation (EFF):

This is a great day for travelers who now can cross the international border without fear that the government will, in the absence of any suspicion, ransack the extraordinarily sensitive information we all carry in our electronic devices.

The decision comes out of a lawsuit – Alasaad v. McAleenan – filed against the Department of Homeland Security (DHS) in 2017 by the American Civil Liberties Union (ACLU) and the EFF on behalf of 11 travelers: 10 US citizens and one lawful permanent resident, all of whom were subjected to warrantless searches of their mobile phones and laptops at the border.

Holding your life in their hands

We’ve written about some of them.

One is natural-born US citizen Sidd Bikkannavar. He’s a NASA engineer who was detained by US Customs and Border Protection (CBP) in 2017 and pressured to hand over his NASA-issued phone and the PIN to get into it.

This, in spite of the fact that the work-issued phone could have contained sensitive information relating to his employment at the space agency, and in spite of the fact that NASA employees are obligated to protect all work-related information. A CBP officer returned his phone after a half hour, saying that it had been searched using “algorithms”.

Also among the plaintiffs is artist Aaron Gach, another natural-born US citizen who was forced to unlock his phone after returning from putting on a gallery installation in Brussels. That installation focused on “mass incarceration, government control, and political dissent”.

Yet another plaintiff is Diane Maye, a college professor and retired US Air Force officer who was detained for two hours at Miami International Airport when coming home from a vacation in Europe.

At the time that the lawsuit was filed in 2017, Maye said that the encounter left her feeling “humiliated and violated.”

I worried that border officers would read my email messages and texts, and look at my photos. This was my life, and a border officer held it in the palm of his hand. I joined this lawsuit because I strongly believe the government shouldn’t have the unfettered power to invade your privacy.

An end to all that?

Here’s hoping. Esha Bhandari, staff attorney with the ACLU’s Speech, Privacy, and Technology Project, said that the ruling is a significant boost for Fourth Amendment protections, which prohibit unreasonable searches and seizures, and will protect the millions of international travelers who enter the US every year.

By putting an end to the government’s ability to conduct suspicionless fishing expeditions, the court reaffirms that the border is not a lawless place and that we don’t lose our privacy rights when we travel.

In fact, that’s exactly the state of affairs that the lawsuit uncovered: prior to the ruling, the ACLU and the EFF filed evidence in court showing policies and practices of Immigration and Customs Enforcement (ICE) and CBP that authorized officers to conduct warrantless, suspicionless device searches for purposes that had nothing to do with immigration or customs laws, including:

…enforcing bankruptcy, environmental, and consumer protection laws, and for intelligence gathering or to advance pre-existing investigations.

The documents showed that border agents were also allowed to consider requests from other government agencies to search devices, the EFF said.

Agents were empowered to search electronic devices even when the actual target wasn’t the traveler standing in front of them – such as when the traveler is a journalist or scholar with foreign sources who are of interest to the US government, or when the traveler is the business partner of someone under investigation.

Both agencies have also allowed agents to retain the data they copy off devices and share it with other government entities, including state, local, and foreign law enforcement agencies. They’ve been none too careful with that data, either, as we learned in December 2018, when the DHS Office of Inspector General (OIG) reported that border agents were copying travelers’ data onto USB drives that they didn’t always erase and sometimes misplaced.

What now?

It’s legal for border agents to look through the devices of travelers who get referred for a secondary inspection. During the primary inspection, travel documents and passports are reviewed. If a secondary inspection is needed, officers may search phones, thumb drives, computers and other electronic devices to determine whether they should let somebody into the country or to identify potential legal violations.

According to the ACLU, the Boston district court’s order puts an end to the authority that CBP and ICE granted themselves to search and seize travelers’ devices for purposes beyond enforcing immigration and customs laws. At this point, border officers are required to demonstrate “individualized suspicion of contraband” before they can search a traveler’s device, the civil rights group said.

Time will tell when it comes to the border agencies weaning themselves off searches they’ve come to do ever more frequently. Electronic device searches at the border have been increasing: in January 2018, CBP released numbers showing that agents had conducted 30,200 device searches in 2017. That number grew to more than 33,000 searches in 2018. Those numbers have skyrocketed since 2015, when there were only 4,764 device searches.

ICE and CBP have reportedly declined to comment on the ruling.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/eE3yPi0cZTE/

Facebook fixes iPhone camera bug

Facebook was quick to reassure iPhone users this week that it wasn’t secretly spying on them via its app, after someone found the software keeping the phone’s rear camera active in the background.

Facebook user Joshua Maddux discovered the problem on Saturday 9 November while looking at another user’s profile picture in the iPhone version of the Facebook app. He posted a demonstration video and tagged various press outlets.

Others reported a similar issue.

Guy Rosen, who lists himself as VP Integrity at Facebook on his Twitter account, acknowledged the issue quickly.

That did nothing to allay the concerns of some Twitter users, who were deeply spooked by the news. Some immediately suggested (without evidence) deliberate deception on Facebook’s part.

Others suggested that there were good technical reasons for keeping the camera activated. One suggestion was that the camera framework on the iPhone is slow to launch, so Facebook was speeding up the app by keeping it ready in case the user wanted to post a photo or video.

Facebook told us:

We recently discovered that version 244 of the Facebook iOS app would incorrectly launch in landscape mode. In fixing that issue last week in v246 (launched on November 8th) we inadvertently introduced a bug that caused the app to partially navigate to the camera screen adjacent to News Feed when users tapped on photos.

We have seen no evidence of photos or videos being uploaded due to this bug. We’re submitting the fix for this to Apple today.

The company posted a bug fix which went live yesterday morning, so iPhone users of the Facebook app can fix it by updating their software.

What’s interesting here isn’t so much the news of a simple camera bug, so much as the distrust and suspicion that it immediately raised among a significant portion of users online. It shows that when it comes to privacy, Facebook’s past mistakes and intentional actions have left many people distrusting the company. That’s a difficult thing to get back.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/UyD6qD0fxUo/

Self-Cleaning Payment Card-Skimmer Infects E-Commerce Sites

‘Pipka’ JavaScript skimmer has infected at least 16 e-commerce websites so far, according to Visa’s Payment Fraud Disruption Group.

Security researchers at Visa have spotted a unique JavaScript payment card-skimmer that tries to evade detection by removing itself from the HTML code of a compromised website after it successfully executes.

In a security alert, Visa’s Payment Fraud Disruption (PFD) group described the self-cleaning mechanism as something they have not previously encountered in the wild with JavaScript skimmers, although it is common with desktop malware. “[It] marks a significant development in JavaScript skimming,” Visa warned.

Visa’s researchers discovered Pipka — as they are calling the malware — on a North American e-commerce site that had been previously infected with Inter, another JavaScript malware for skimming payment-card data from merchant sites. Since that initial discovery, Visa has identified at least 16 other e-commerce sites that Pipka has infected.

Visa’s alert did not disclose whether the operators of Pipka had actually managed to steal payment card data from these sites, and if they had, what the scope of the theft might have been. “PFD assesses that Pipka will continue to be used by threat actors to compromise eCommerce merchant websites and harvest payment account data,” the alert said.

Sam Cleveland, senior analyst at Visa’s PFD team, says Visa presently is unable to provide any information on payment card fraud or theft related to Pipka. “Visa does not have this information to share due to this being an ongoing investigation,” Cleveland says.

JavaScript skimmers like Pipka are designed to do what credit-card skimmers do in the physical world, which is to steal card data that can be used to make fraudulent purchases. Often, threat actors have sneaked these skimmers onto e-commerce sites via third-party components that these sites use for things like online shopping carts, customer support, and visitor tracking.

Threat actors belonging to the cybercrime syndicate Magecart in particular have stolen data on tens of millions of debit and credit cards by placing such skimmers — including Inter — on thousands of high-traffic ecommerce sites worldwide over the past few years.

Just like Inter and other electronic card skimmers, Pipka is designed to let attackers extract the cardholder name, payment card account number, expiration date, CVV, and other data from the checkout pages of e-commerce sites. Visa’s alert noted that threat actors are injecting Pipka directly into different locations on e-commerce websites.

But Cleveland declined to provide any more information on how attackers might be doing that, once again citing the ongoing nature of the malware investigation. He describes Pipka’s victims so far as being a mix of small- and medium-sized e-commerce merchants.

A Configurable Threat

According to Visa, attackers can configure Pipka so it captures data from specific fields that individuals use to enter payment card details when making a purchase on an e-commerce site. The malware is designed so it can recognize and collect data even from e-commerce sites that use one page to collect billing data, and a separate page to collect payment card data.

Harvested data is Base64 encoded (turning binary data into text) and then obfuscated with ROT13, a substitution cipher that replaces each letter with the one 13 positions later in the alphabet and leaves digits and punctuation untouched. ROT13 is its own inverse and offers no real secrecy; it only defeats casual string searches for card numbers and field names. The encoded data is then stored in either a key or a cookie for later exfiltration to a remote command-and-control (C2) server, Visa said.

Pipka’s anti-analysis mechanism kicks in as soon as the skimmer has executed, right after the initial script loads: the skimmer removes its own code from the page’s HTML. Because the self-cleaning happens so quickly, it is difficult for security analysts and website administrators to spot the code on a compromised page once it has loaded.

The anti-analysis feature is not the only aspect about Pipka that is unique. The manner in which the malware transmits stolen data to the command and control server is also different from other electronic skimmers. Similarly, while attackers have sometimes implemented ROT13 on the server that stores skimmed data, Pipka is the first skimmer where the cipher has been implemented in the malware itself, Visa said.
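Two of the behaviours Visa describes, the Base64-then-ROT13 encoding of harvested fields and the script that removes itself after running, reproduced as an added example that is not Pipka’s code (Visa has not published it and the article shows none). The skimmer-side encoder is here so that the analyst-side decoder can be checked against it; the field names, the sample page, and the self-removal idiom (`document.currentScript` deleting itself) are this example’s own assumptions about what such a script looks like, not observed Pipka behaviour.

```javascript
// Added example, not Pipka's code: Visa described the encoding (Base64 then ROT13)
// and the self-removal, but not the implementation. Everything below is assumed.

// ROT13 over ASCII letters only; digits, '+', '/', '=' and everything else pass through.
const rot13 = (s) => s.replace(/[a-z]/gi, (c) => {
  const base = c <= 'Z' ? 65 : 97;
  return String.fromCharCode(((c.charCodeAt(0) - base + 13) % 26) + base);
});

// Skimmer side (assumed field names): JSON -> Base64 -> ROT13. Because ROT13 leaves
// non-letters alone, the result still has Base64's shape, including '=' padding.
function pipkaStyleEncode(fields) {
  return rot13(Buffer.from(JSON.stringify(fields), 'utf8').toString('base64'));
}

// Analyst side: ROT13 is an involution, so decoding is ROT13 again, then Base64.
function pipkaStyleDecode(blob) {
  return JSON.parse(Buffer.from(rot13(blob), 'base64').toString('utf8'));
}

// Heuristic for cookie / storage values found on a suspect site: Base64 alphabet,
// and after un-ROT13 it decodes to text containing a PAN-length digit run plus a card field name.
function looksLikeSkimmedBlob(value) {
  if (value.length < 16 || !/^[A-Za-z0-9+/]+={0,2}$/.test(value)) return false;
  const text = Buffer.from(rot13(value), 'base64').toString('utf8');
  return /\d{13,19}/.test(text) && /(cvv|cvc|exp|card|pan)/i.test(text);
}

// Raw-HTML scan: a script that deletes its own <script> element is gone from the live
// DOM, but it is still in the bytes the server sent. Scan those, not the rendered page.
function findSelfRemovingScripts(html) {
  const hits = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const body = m[1];
    const selfRemoves =
      /currentScript\s*\.\s*(remove\s*\(|parentNode\s*\.\s*removeChild)|removeChild\s*\(\s*document\s*\.\s*currentScript/
        .test(body);
    const touchesCardFields = /(cvv|cvc|cardnumber|card_number|ccnum|expir)/i.test(body);
    if (selfRemoves) {
      hits.push({ offset: m.index, touchesCardFields, snippet: body.trim().slice(0, 80) });
    }
  }
  return hits;
}

// Constructed sample page: one benign inline script, one self-removing skimmer-like script.
const SAMPLE_HTML = `
<html><body>
<script>window.dataLayer = window.dataLayer || [];</script>
<form id="checkout"><input name="cardnumber"><input name="cvv"></form>
<script>
(function () {
  var pan = document.querySelector('input[name=cardnumber]');
  var cvv = document.querySelector('input[name=cvv]');
  document.getElementById('checkout').addEventListener('submit', function () {
    /* assumed: read the fields, encode, stash in a cookie for later exfiltration */
  });
  document.currentScript.parentNode.removeChild(document.currentScript);
})();
</script>
</body></html>`;

const blob = pipkaStyleEncode({ pan: '4111111111111111', exp: '12/25', cvv: '123' }); // test PAN
console.log(blob, looksLikeSkimmedBlob(blob), pipkaStyleDecode(blob));
console.log(findSelfRemovingScripts(SAMPLE_HTML));
```

Feed `findSelfRemovingScripts` the body of a plain `curl` of the checkout page rather than “view source” in a browser that has already run the scripts. In the browser, a `MutationObserver` on `document.documentElement` with `childList` and `subtree` set, installed before the page’s own scripts run, will also log the removal of the `<script>` node as it happens.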

Visa’s PFD listed several measures e-commerce sites can take to mitigate their exposure to Pipka and similar threats.

Among them: implement recurring checks for communications with potential C2 servers, and keep an eye on the code in third-party components. Visa also recommended that site administrators keep their shopping cart and related payment software properly updated and patched, and deploy a web application firewall to block malware and malicious requests to the website.

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “Account Fraud Harder to Detect as Criminals Move from Bots to ‘Sweat Shops’.”

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year … View Full Bio

Article source: https://www.darkreading.com/vulnerabilities---threats/self-cleaning-payment-card-skimmer-infects-e-commerce-sites/d/d-id/1336358?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

November 2019 Patch Tuesday fixes 13 critical flaws and one zero day

November’s Patch Tuesday arrived this week to plug 73 CVE-level vulnerabilities across Microsoft’s software products, including 13 given the top billing of ‘critical’.

Fortunately, only one of this month’s flaws is known to be exploited, CVE-2019-1429, a scripting engine vulnerability in Internet Explorer reported independently by a trio of researchers.

As we’ve explained in previous articles on IE, because its code is inside all versions of Windows, these vulnerabilities potentially affect users who no longer use it because they’ve moved on to alternatives.

There’s an extra dimension, Microsoft Office, because Office documents can host the same IE rendering engine: an ActiveX control marked “safe for initialisation” embedded in a boobytrapped document could reach the flaw without the victim ever opening IE.

Because it’s already being exploited in the wild, patching this is priority number one. A second IE critical, CVE-2019-1390, concerns how the VBScript engine handles objects in memory and raises the same Office exposure.

Although not known to be exploited, another to watch out for in this regard is CVE-2019-1457, a macro security bypass affecting the Mac version of Excel 2016 and 2019 which Naked Security discussed when it was disclosed a month ago by security company Outflank.

One oddity worth mentioning is CVE-2018-12207, which with its ID from last year (2018) looks like a mysterious 74th CVE. This turns out to be a denial of service vulnerability in Intel processors affecting guest virtual machines (VMs) which despite its ID date was only revealed in slightly controversial circumstances by the chip giant this week.

On the Intel theme, the company recently started synchronising its patches to coincide with Patch Tuesday, in the style of Adobe. Although Intel’s fixes don’t only affect Microsoft software, the alignment is meant to be helpful. View Intel’s video blog on what’s in this month’s update on its security site.

Hyper-V

A theme this month is the unusually heavy nine patches for Microsoft’s Hyper-V virtualisation, four of which (CVE-2019-0721, CVE-2019-1389, CVE-2019-1397, and CVE-2019-1398) make it on to the list of critical flaws.

All potentially allow Remote Code Execution (RCE), which guarantees admins will feel thankful when they’re patched (Hyper-V users also need to address the Intel flaw mentioned above with additional mitigations).

The remaining critical flaws include the routine filling of security cracks in the Edge browser (CVE-2019-1426, CVE-2019-1427, CVE-2019-1428), one affecting Exchange Server 2019 (CVE-2019-1373), and four in different Windows components.

A final issue Microsoft mentions in the ADV190024 advisory is CVE-2019-16863, a weakness in the way STMicroelectronics’ Trusted Platform Modules (TPMs) implement the Elliptic Curve Digital Signature Algorithm (ECDSA) in version 2.0 hardware.

This is one of two TPM flaws revealed by researchers this week, the other being an equivalent weakness in Intel’s firmware-based TPM. Although the issue affects Windows computers, the fix is a firmware update that has to come from the affected TPM vendors or the system manufacturer, not from Microsoft.

Adobe

Adobe’s set of patches is light this month: 11 CVEs across four product families (Adobe Bridge CC, Animate CC, Illustrator CC and Adobe Media Encoder). That’s two months in a row with no patches for Flash Player.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/mcprAY-1N-s/

Breaches Are Inevitable, So Embrace the Chaos

Avoid sinking security with principles of shipbuilding known since the 15th century.

If you consider cybersecurity breaches to be the “new normal,” you’re in good company. A recent survey conducted by Kaspersky Lab revealed that 86% of 250 top security officials who participated believe that cybersecurity breaches are inevitable. The complexity of today’s cyber environments guarantees that every company is on a path to a breach. Cloud adoption that leads to hybrid environments spread across different locations and teams, the use of containers, a permeable perimeter — all these factors broaden the attack surface and challenge our existing approach to managing threats.

Shipbuilders Expect Failure and Plan for It, and You Should Too
The security industry clearly could be doing more regarding breach management. Though we spend billions of dollars and likely prevent lots of bad stuff, the number of high-profile breaches causing devastating damage is constantly increasing and, with it, the exponential growth of exposed records and sensitive customer data. And why? Because unlike other industries, we fail to plan for failure.

Take shipbuilding, for example. Shipbuilders have engineered their systems for failure by, among other things, segmenting the hulls of their ships and limiting access to the ship’s engine room to contain damage if a breach happens. It’s been done this way since the 15th century, and it’s still being done in today’s modern vessels. The lessons learned from shipbuilders can be applied to modern IT security. Here are a few security principles that reflect this:

  1. Shipbuilders assume that at some point the ship will suffer a leak, and so they create hulls that prevent a single leak from sinking the entire ship. In the same way, assume a breach in your corporate environment and segment your network. This way, if there’s malware in the testing environment, other sensitive environments such as development, production, and the DMZ won’t be affected. Lack of segmentation allows attackers to move with ease to critical areas once they make it through the perimeter, much the same way water would flow throughout the entire ship if the hull wasn’t segmented.
  2. Staff responsible for maintaining the ship’s hull monitor for leaks or weak points and patch regularly to keep precious cargo and crew safe. In the same way, modern security teams must be vigilant about monitoring and patching to prevent proverbial cracks in the perimeter and potentially bigger problems.
  3. The ship’s most sensitive tools are hosted in the engine room. To protect your crown jewels, fence your critical IT assets to make sure they are not damaged in case of a network breach.
  4. Consider ships that staff their lookouts 24/7 in order to keep a watch on everything, and direct course correction if necessary. Similarly, think about maintaining complete visibility throughout the entire data center down to the application level. Gaining visibility of an increasingly complex and dynamic ecosystem is a must before you can “change course” or put any policy or controls into place.
  5. Keeping the crew from accessing the ship’s bridge is an important safety measure. Likewise, in the cyber world we advise that you base your policy on user identity to ensure that your employees, contractors, and remote users access only what they’re entitled to. The result is greater security for your business-critical applications that can be accessed only by authorized users.

In the past two years alone, there have been several examples that point to a lack of visibility and segmentation as the No. 1 cause for large-scale breaches. With a breach of the scale of Equifax — one of the largest cyberattacks of all time, affecting 148 million consumers in 2017 — the US House of Representatives Committee on Oversight and Government Reform report on the breach mentions “the company’s failure to implement basic security protocols, including file integrity monitoring and network segmentation” as an insight into how Equifax “allowed attackers to access and remove large amounts of data.”

Equifax’s lack of a well-implemented segmentation strategy allowed attackers to gain access to dozens of databases that contained personally identifiable information in an attack that lasted over 75 days. WannaCry, one of the largest malware infections in history, could also have been better contained if companies had patched their systems against the MS17-010 SMBv1 vulnerability that the worm exploited. Recall, however, that with WannaCry, organizations either didn’t realize they had a vulnerability that needed patching or were unable to patch it. Even without patching, had network segmentation been deployed, affected organizations would have been able to enforce security policies and prevent the worm from moving laterally across their environments.

Anticipate the Breach. Patch. Segment.
With threats at the scale of Equifax and WannaCry, it would be easy to assume that the attackers used a complex attack pattern or took advantage of a new vulnerability that flew under the radar. Yet these attacks were made possible by unpatched systems and the lack of network segmentation. By embracing the chaos to come and anticipating attacks that can be stopped by network segmentation and better visibility into the data center, businesses are less likely to be sunk by a breach and can ensure the longevity of their company. 

Ariel Zeitlin co-founded Guardicore after spending 11 years as a cybersecurity engineer and researcher at the Israeli Defense Forces (IDF), where he worked closely with co-founder Pavel Gurvich. In his last position at the IDF, Ariel led a team of 30 engineers and researchers … View Full Bio

Article source: https://www.darkreading.com/cloud/breaches-are-inevitable-so-embrace-the-chaos/a/d-id/1336286?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

2019 Trending as Worst Year on Record for Data Breaches

New Risk Based Security report shows data breaches up 33.3% over last year so far.

2019 likely will break a record for the most data breaches and exposed records ever, according to a new report.

There were 5,183 data breaches reported with 7.9 billion records exposed in just the first nine months of this year, according to Risk Based Security, which tracks publicly reported breaches. That’s an increase of 33.3% in breaches and 112% in total records over the same period in 2018.

Some 3.1 billion of the exposed records came from six breaches between July 1 and Sept. 30, the report found.

“While malicious actors have been responsible for most incidents, it is accidental exposure of data on the Internet that has put the most records at risk,” said Inga Goddjin, executive vice president of Risk Based Security. “This year over 6 billion records have been made freely accessible, thanks to misconfigured databases, backups, endpoints, and services. The widespread availability of tools useful for identifying such leaks coupled with an interest in reporting – as well as taking advantage of – these exposures has fueled the growth in the number of records compromised.”

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/attacks-breaches/2019-trending-as-worst-year-on-record-for-data-breaches/d/d-id/1336348?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

The Ripple Effect of Data Breaches: How Damage Spreads

The financial loss from so-called ‘ripple events’ is thirteen times greater than the cost of single-party security incidents.

A cyberattack limited to one organization can be enough to cause significant financial loss, data compromise, and long-term damage. When an attack extends to several victims, as is increasingly the case with enterprise incidents, the effects quickly multiply.

Researchers say these so-called “ripple events” typically involve a breach of one central victim that leads to downstream losses at other third parties. The effects often span degrees of separation, with loss events at other fourth-, fifth-, and further parties as well. A new study conducted by the Cyentia Institute and commissioned by RiskRecon investigates the steady growth of these multi-party attacks and the extent of collateral damage that spans organizations when they occur.

Consider the American Medical Collection Agency (AMCA) breach disclosed in May. This compromised personal data of 24 million individuals, most of whom didn’t have a direct relationship with the AMCA but gave data to other entities, which passed it to AMCA for debt collection. The breach compromised AMCA systems; its effects hit 23 healthcare organizations, three professional services firms, two business support entities, and a manufacturing company.

Cyentia’s findings demonstrate how financial losses can quickly multiply as an incident expands. Financial loss from ripple events is 13 times larger than in single-party attacks, researchers report. The average multi-party breach affects 10 firms beyond the initial victim; the most severe incident, however, spanned 131 organizations outside its original target. And these attacks are growing more common: researchers observed a 20% year-over-year increase since 2008.

“We’ve studied breaches for a long time, but not from a ripple effect perspective,” says Wade Baker, partner and cofounder of the Cyentia Institute. The study was informed by Advisen’s Cyber Loss Database, which has more than 90,000 cyber events from publicly verifiable sources. The dataset links businesses affected by the same incident and tracks losses. Cyentia tracked 813 incidents affecting three or more organizations since 2008. Adjusting for repeat victims, researchers identified 512 firms central to an incident and 4,180 which experienced losses.

Oftentimes businesses that collect data from, or share data with, a target organization don’t know a breach has happened, adds Kelly White, founder and CEO of RiskRecon. “It’s not like we know the impact of a data loss event on day one,” he notes. “It can take months, and in some cases years, to unwind and see who all is impacted.”

While totals for 2017, 2018, and 2019 are still in the works, researchers predict multi-party breaches will continue to grow in number.

Where It All Begins

Researchers point to data aggregators and processors as the most common originators of downstream loss. Roughly half of all ripple events are generated by the business support (24.4%) and finance (23.7%) sectors, followed by the information (9.7%) and public (7.1%) sectors. More specifically, the most popular targets include collection agencies (13.4%), commercial banking (10%), credit bureaus (7.9%), and executive offices (3.7%), they found.

“When one of them is breached or has a problem, you potentially affect all those parties that feed them information,” Baker says. But while it’s easy to get caught up in where these breaches start, risk managers can learn more if they consider where the ripple effect goes.

The organizations affected downstream typically collect vast amounts of valuable data, have large digital footprints, and maintain a wide network of third-party relationships. Finance is top of this list (18.9%), followed by business support (16.2%), and professional (15.9%) sectors. Credit bureaus (9.3%), commercial banking (7.7%), and hotels (4%) are most often affected.

Taking a closer look at where the downstream effects go, researchers found business support-focused attacks most commonly affect credit intermediation and related activities; however, they also hit professional services and ambulatory healthcare services. Security incidents affecting credit bureaus most commonly catch business support firms in their downstream effects, along with professional services. Attacks targeting professional services firms have an extended effect on business support, credit activity, ambulatory health care, and publishing.

“Outsourced services are really juicy targets,” says White. “Compromise a service provider and you can get access to hundreds of thousands of records from multiple companies.”

Companies need to know who their third parties are and who they’re sharing data with, he continues. They should also be monitoring public channels, including news reports and regulatory filings, to learn about disclosures when a vendor has been breached.
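The third-party inventory White describes and the ripple figures Cyentia reports can both be worked on the same structure: a directed graph of who hands data to whom. The block below is an added example, not code from the article or from the Cyentia or RiskRecon work; the organization names, data flows and loss figures in it are constructed for illustration, and the Advisen dataset is not used. It walks the inventory backwards to list whose data a breach at a given provider exposes (fourth parties included, on the worst-case assumption that a provider may onward-share what it receives), walks it forwards to list which providers an organization should watch for breach disclosures, and computes over a constructed incident ledger the kind of figures the article cites: central firms, downstream victims adjusted for repeats, average and maximum downstream count, and the loss multiplier against single-party incidents.

```python
"""Blast radius of a multi-party ("ripple") breach.

Added example, not code from the Dark Reading article or from the Cyentia /
RiskRecon study. Organization names, data flows and loss figures are
constructed for illustration; the study's own dataset (Advisen) is not used.
"""
from collections import defaultdict, deque

# Constructed data-sharing inventory: (source_org, receiving_org, data_category).
# An edge A -> B means A hands data to B, so a breach at B exposes A's data.
DATA_FLOWS = [
    ("LabCo", "CollectionsInc", "patient billing"),
    ("ClinicGroup", "CollectionsInc", "patient billing"),
    ("HospitalNet", "CollectionsInc", "patient billing"),
    ("HospitalNet", "BillingSaaS", "claims"),
    ("RegionalBank", "CreditBureauX", "account holders"),
    ("CreditBureauX", "CollectionsInc", "credit files"),
    ("HotelChain", "PaymentProc", "card data"),
]

# Constructed incident ledger: incident -> {org: loss_usd}. The first org in
# each record is the central (initially breached) firm; the rest took
# downstream losses.
INCIDENTS = {
    "inc-1": {"CollectionsInc": 4_000_000, "LabCo": 900_000,
              "ClinicGroup": 300_000, "HospitalNet": 1_200_000},
    "inc-2": {"PaymentProc": 2_500_000, "HotelChain": 700_000},
    "inc-3": {"BillingSaaS": 500_000},  # single-party incident
    "inc-4": {"CreditBureauX": 3_000_000, "RegionalBank": 800_000,
              "CollectionsInc": 200_000},
}


def _walk(flows, start, direction):
    """Breadth-first walk over the sharing graph.

    direction="upstream" follows edges backwards (who gave the start org data);
    direction="downstream" follows them forwards (whom the start org gave data to).
    Returns {org: set(categories)} for every org reached, transitively.
    """
    adj = defaultdict(set)
    for src, dst, category in flows:
        if direction == "upstream":
            adj[dst].add((src, category))
        else:
            adj[src].add((dst, category))
    reached = defaultdict(set)
    seen, queue = {start}, deque([start])
    while queue:
        org = queue.popleft()
        for nxt, category in adj.get(org, ()):
            reached[nxt].add(category)
            if nxt not in seen:  # guards against cycles in the inventory
                seen.add(nxt)
                queue.append(nxt)
    return dict(reached)


def blast_radius(flows, breached):
    """Everyone whose data a breach at `breached` can expose.

    Assumes (worst case) that a provider may forward anything it received, so
    RegionalBank -> CreditBureauX -> CollectionsInc counts RegionalBank as
    exposed by a CollectionsInc breach. Tighten with per-edge policy if a
    provider is known not to onward-share.
    """
    return _walk(flows, breached, "upstream")


def providers_to_monitor(flows, org):
    """Third and fourth parties whose breach disclosures `org` should watch for."""
    return set(_walk(flows, org, "downstream"))


def ripple_metrics(incidents, min_orgs=3):
    """Summarize an incident ledger the way the article frames Cyentia's figures.

    An incident is multi-party when it touches at least `min_orgs` organizations
    (the study counted incidents affecting three or more) and single-party when
    it touches exactly one. Repeat victims are counted once.
    """
    multi = [v for v in incidents.values() if len(v) >= min_orgs]
    single = [v for v in incidents.values() if len(v) == 1]
    central, downstream, counts = set(), set(), []
    for victims in multi:
        orgs = list(victims)  # dict order is listing order (Python 3.7+)
        central.add(orgs[0])
        downstream.update(orgs[1:])
        counts.append(len(orgs) - 1)

    def mean_loss(group):
        return sum(sum(v.values()) for v in group) / len(group) if group else 0.0

    multi_loss, single_loss = mean_loss(multi), mean_loss(single)
    return {
        "multi_party_incidents": len(multi),
        "central_firms": len(central),
        "downstream_firms": len(downstream),
        "avg_downstream_orgs": sum(counts) / len(counts) if counts else 0.0,
        "max_downstream_orgs": max(counts, default=0),
        "loss_multiplier": multi_loss / single_loss if single_loss else float("inf"),
    }


if __name__ == "__main__":
    for org, cats in sorted(blast_radius(DATA_FLOWS, "CollectionsInc").items()):
        print(f"CollectionsInc breach exposes {org}: {sorted(cats)}")
    print("RegionalBank should monitor:", sorted(providers_to_monitor(DATA_FLOWS, "RegionalBank")))
    for key, value in ripple_metrics(INCIDENTS).items():
        print(f"{key}: {value}")
```

The two walks are the practical half of White’s advice: the upstream walk answers “whose data do we hold, and from whom did it come” for the provider, and the downstream walk gives each data owner the list of vendors, including vendors’ vendors, whose breach notices and regulatory filings it needs to track. The worst-case onward-sharing assumption errs toward over-notification, which is the right default when contracts do not say what a provider may forward.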


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/threat-intelligence/the-ripple-effect-of-data-breaches-how-damage-spreads/d/d-id/1336351?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Cybersecurity: An Organizationwide Responsibility

C-suite execs must set an example of good practices while also supporting the IT department with enough budget to protect the organization from next-generation cyberattacks.

It seems as if there is a story in the media every day about a new cybersecurity incident. Cyberattacks are becoming increasingly sophisticated: no longer are they about a quick exploit of a credit card number but, rather, advanced attacks on large databases with millions of customer details, or intellectual property exfiltrated after a weaponized document attack. Furthermore, the commercialization of malware is making it increasingly easy for individuals with very little knowledge to mount attacks; a pocketful of bitcoins buys the required malware application and, where needed, some expertise to go with it.

The proposed £183 million fine against British Airways over a passenger data breach has had one positive impact: it has given board members a much-needed push to pay attention to the importance of cybersecurity. Our recent survey found that almost one-third of companies (32%) referenced the General Data Protection Regulation fines proposed against British Airways and Marriott as a primary reason for an increase in board-level involvement and provision in IT security spending.

Global organizations aren’t the only ones being damaged by malicious activity. Recently, research revealed that 70% of financial companies have experienced a cybersecurity incident in the past year. This demonstrates the real, growing threat of data breaches and malicious activity, and highlights the speed needed to tackle the problem. However, mitigating attacks is not a one-size-fits-all situation. With new tech emerging each day, recognizing one type of threat won’t necessarily help you spot another.

Where to Start?
At long last, organizations are realizing the need for increased investment in cybersecurity. In fact, 73% of financial businesses surveyed would like to see an increase in cybersecurity investment. Clearly, the unprecedented level of costly data breaches over the last six months has forced C-suite executives to sit up and think about what they can do to prevent it happening to their business.

Good security is more than just technology. Before throwing money at a problem, you must truly understand the issue. In this case, where is the information? Who has access to it? How do they access it? The cloud has brought unprecedented agility to organizations but has also introduced risk as business processes continue to evolve.

Organizations are beginning to understand the problems associated with cloud-based services such as OneDrive and Dropbox. An important lesson from the recent SharePoint hack was that just because a cloud service provider is well known doesn’t mean it’s secure. An organization may also not be directly targeted by an attack but still get caught up in the collateral damage of a hack against the cloud provider. Those organizations with disaster recovery/business continuity plans need to update them to include cyber threats as well as physical ones.

Educate to Mitigate
Cybersecurity tools are a last line of defense, a safety net, but should not be relied on as an overall solution. Organizations must continually educate their employees on cybersecurity risks, including data breaches, and how to recognize and mitigate them. The need for cyber education has never been greater, with nearly half of cybersecurity incidents over the last 12 months caused by internal errors such as employees failing to follow security protocols or data protection policies. With human error accounting for such a large number of incidents, technology is the safety net to prevent such mistakes.

There is also a need for improved processes, not just around secure information handling, but also around what to do when there is a problem, or when an employee thinks there is one. While it would be great to think that employees can recognize threats such as phishing emails or business email compromise (BEC) scams, they often don’t. Having a well-understood process about who to contact and what happens next is critical for building a culture that has information security at its core.

A portion of the cybersecurity budget should be set aside to provide training for all employees, from the CEO to staff working in the cafeteria, with additional training for those working in finance and human resources. If an employee brings a security incident to the attention of IT, there must be a “don’t shoot the messenger” mentality — otherwise, others will be put off coming forward and try to deal with the problem on their own, and that’s an even bigger problem.

New security solutions that mitigate the latest threats cost money, but they should still be considered. Before rushing out to spend, though, it is worth revisiting current solutions. Have there been updates with new functionality that have yet to be deployed or configured, or are there add-on options that can be purchased rather than taking a rip-and-replace approach?

Of course, the methods that cybercriminals use evolve every day and so does technology. An agile approach to cybersecurity is needed to protect the organization in the short, medium, and long terms, with a constant vigilance by the IT department watching for tell-tale signs of compromise.

Above and Beyond
The high-profile breaches we’ve witnessed recently should jumpstart an ongoing effort to invest in the security of organizations, including investing in employees.

C-suite executives must go above and beyond, setting an example of good cybersecurity practices and leading from the front while also supporting the IT department with enough budget to protect the organization from next-generation cyberattacks.


Guy Bunker is an internationally renowned IT expert with over 20 years’ experience in information security and IT management. He currently holds the position of CTO at data security company Clearswift, and was previously the Global Security Architect for HP. Prior to that, he …

Article source: https://www.darkreading.com/cloud/cybersecurity-an-organizationwide-responsibility/a/d-id/1336314?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple