© 2020 Akamai | Confidential
Decoding Magecart/Web Skimming attacks during the rise in digital
Aseem Ahmed, Sr. Product Manager, Web Security (APAC)
COVID-19 Internet Landscape
* 30 per cent increase in transactions in one month
* Traffic growth jumped 30 per cent in a month
Source: Akamai
COVID-19 AND THE PERFECT SECURITY STORM
• Remote Work
• Phishing
• Malware
• Web Skimming
Web Skimming and Formjacking
More frequent and more costly
Webpages are more complex now
www.akamai.com: 68% third-party scripts, 80 hostnames
External Code and Known Security Vulnerability
The problem is real and happening now
• Third-party requests average 67% of all requests across all Akamai customers
• Over 80% of pages contain at least one known third-party library security vulnerability (CVE)
[Chart: Pages with Vulnerable JS (%), Nov-18 to Aug-19, y-axis 72% to 84%, data label 83.2%; 67% average 3rd-party resources per page]
Source: Security and Frontend Performance, Challenges of Today: Rise of Third Parties; Akamai Technologies and O'Reilly Media, 2017
Source: https://httparchive.org/reports/state-of-the-web#pctVuln
JavaScript Attacks Skim Data From Forms
Many attacks can go undetected for months
[Chart: time to detection, with markers at 1 week, 1 month, 6 months and up to 7 months]
• First-Party Attacks: attack first-party scripts located directly on the backend infrastructure
• E-commerce Platform Attacks
• Third-Party Attacks: attacks on vendors, supply-chain, and open source libraries
JavaScript Attack Vectors
[Diagram nodes: Third party and supply-chain; Site origins; Trusted sites]
• Adversaries compromise JavaScripts: direct injection via backend infrastructure, or malicious code injected into trusted sources
• Malicious code executes, hidden in the user interaction
• Credit card / PII skimmed and sent back to adversaries
Attack Examples and Targets
Affects all websites with sensitive data
• First-Party Attacks: attack first-party scripts located directly on the backend infrastructure. Magecart attackers were able to hack into the companies' backend infrastructure and inject malicious code alongside the company's existing code.
• Targets e-commerce platforms: attackers target third-party e-commerce platforms; many popular platforms have been compromised by Magecart attackers.
• Third-Party Attacks: attacks on vendors, supply-chain, and open source libraries. Attackers take advantage of security weaknesses in third-party client-side code, including JavaScripts and open source libraries.
Industries hit:
• E-commerce: many retail, consumer, and event ticketing sites were attacked
• Travel & Hospitality: multiple airlines and hotel chains lost customer data
• Media: popular streaming service companies lost payment and account info
• Publishing: news sites, eZines, and others lost account info
Pipka Attack Example
● Targets eCommerce sites to skim credit card information
  ○ Content is hidden via encoding and encryption
  ○ Exfiltration to a hacker-controlled website using an HTML image source tag request
  ○ Self-deleting after theft
Hard to Detect
Fake Payment Form
• Payment forms
  ○ Internally developed
  ○ External payment service providers (PSPs)
• Payment forms are protected by
  ○ Redirecting to a PSP
  ○ iframing sensitive areas of the website
  ○ CSPs
• Attackers overlay or replace the iframe and collect sensitive data
Measures for script protection: Content Security Policies (CSP)
• When trusted parties get compromised and become the attack vector, CSPs cannot detect or monitor it.
• CSPs are hard to implement and maintain, and if too tight they can lead to a lot of false positives.
• In the real world, teams are asked to whitelist assets coming from common cloud storage and open source projects, which can leave the site vulnerable.
When CSPs whitelist common cloud storage as trusted origins, it can lead to vulnerabilities.
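The two CSP weaknesses on this slide can be made concrete with a small policy audit. The following is an added example, not code from the Akamai deck or from any Akamai product: it parses the `script-src` directive of a CSP, flags sources that let parties other than the site serve script (the cloud-bucket and wildcard entries teams are pressured to allow), and then shows with a host-only allowlist check that even a tight policy passes a script served from an allowlisted payment provider once that provider is compromised. All host names (`shop.example.com`, `storage.example-cloud.net`, `checkout.example-psp.com`, `*.example-opensource.org`), both policies and the shared-storage list are constructed for the example.

```javascript
// Added example, not code from the Akamai deck: audit the script-src of a CSP for
// sources that let parties other than the site serve script, and show why even a
// tight allowlist cannot catch a skimmer served from a trusted origin that has
// been compromised. All host names are constructed placeholders.

// Constructed list of shared storage hosts that many unrelated tenants can upload
// to; a real audit would take this from the organisation's own inventory.
const SHARED_STORAGE_HOSTS = new Set(["storage.example-cloud.net"]);

// Scheme-wide sources: any host reachable over that scheme may serve script.
const SCHEME_WIDE = new Set(["*", "http:", "https:", "data:", "blob:"]);

// Constructed policies: the loose one mirrors the "whitelist the cloud bucket and
// the open-source CDN" practice the slide describes; the tight one names only the
// site itself, a per-response nonce and its payment service provider.
const LOOSE_POLICY =
  "default-src 'self'; script-src 'self' 'unsafe-inline' " +
  "https://storage.example-cloud.net https://*.example-opensource.org";
const TIGHT_POLICY =
  "default-src 'self'; script-src 'self' 'nonce-r4nd0mV4lu3' " +
  "https://checkout.example-psp.com; report-uri /csp-report";

// Split "name src src; name src" into { name: [sources] }, lower-cased.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives[name.toLowerCase()] = sources.map((s) => s.toLowerCase());
  }
  return directives;
}

// script-src falls back to default-src when absent, as browsers do.
function scriptSources(policy) {
  const d = parseCsp(policy);
  return d["script-src"] || d["default-src"] || [];
}

// Host pattern of a source expression: drop scheme, port and path.
function hostPattern(source) {
  return source.replace(/^[a-z]+:\/\//, "").replace(/[:/].*$/, "");
}

// Report every script source that extends trust beyond the site's own code.
function auditScriptSrc(policy) {
  const findings = [];
  for (const src of scriptSources(policy)) {
    let reason = null;
    if (src === "'unsafe-inline'") reason = "inline script allowed: a skimmer injected into the page body runs";
    else if (src === "'unsafe-eval'") reason = "eval allowed: an obfuscated skimmer can unpack itself at runtime";
    else if (SCHEME_WIDE.has(src)) reason = "scheme-wide source: any host over that scheme may serve script";
    else if (src.startsWith("'")) continue; // 'self', 'nonce-...', 'sha256-...' are scoped
    else {
      const host = hostPattern(src);
      if (host.startsWith("*.")) reason = "wildcard subdomain: any tenant under that domain can serve script";
      else if (SHARED_STORAGE_HOSTS.has(host)) reason = "shared storage host: other tenants' uploads would be trusted";
    }
    if (reason) findings.push({ source: src, reason });
  }
  return findings;
}

// Host-allowlist check only, for https script URLs (nonce and hash sources need
// the page's nonce or the script body, so they are not modelled here). Returns
// true when the policy lets a script from scriptUrl load on a page from pageHost.
function scriptAllowedByHost(policy, pageHost, scriptUrl) {
  const host = new URL(scriptUrl).hostname.toLowerCase();
  return scriptSources(policy).some((src) => {
    if (src === "'self'") return host === pageHost.toLowerCase();
    if (src === "*" || src === "https:") return true;
    if (src.startsWith("'") || src === "http:" || src === "data:" || src === "blob:") return false;
    const pat = hostPattern(src);
    return pat.startsWith("*.") ? host.endsWith(pat.slice(1)) : host === pat;
  });
}
```

Running `auditScriptSrc(LOOSE_POLICY)` yields three findings (`'unsafe-inline'`, the shared storage host and the wildcard open-source domain) while the tight policy yields none. `scriptAllowedByHost(TIGHT_POLICY, "shop.example.com", "https://checkout.example-psp.com/widget.js")` still returns `true`: the PSP is a trusted origin by design, so a script served from it after the PSP is compromised is indistinguishable to CSP, which is the slide's first bullet. The same tight policy also rejects the bucket-hosted assets the loose policy allowed, which is the source of the report-uri noise and false positives the second bullet refers to.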
Measures for script protection: Static Scanners
• Static scanners do not monitor all real-user sessions or detect vulnerabilities in real time.
• Malicious code can be invisible to many synthetic site scanners by mimicking anti-bot techniques.
• Code obfuscation techniques can mask attacks from scanners.
• In one such Magecart attack, the script placed on the final checkout page skimmed personal credit card info from unsuspecting customers.
• The hackers modified the JavaScript so that it only ran following the user's 'mouseup' or 'touchend' interaction.
[Screenshot: The Malicious Code Used in One Such Hack]
The stolen data was then transferred to a server with a similar domain name and an HTTPS certificate that the hackers had set up in advance.
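Both the Pipka slide and this one describe traits that are only visible in what the page does at runtime: an image request carrying an encoded payload to a host the site never talks to, and a receiving server on a domain that imitates the site's own. The following is an added example, not code from the Akamai deck or from any Akamai product, of the triage a real-user session monitor could apply to the requests it observes. The session log, the first-party host `shop.example.com`, the allowlist, the 40-character encoding threshold and the lookalike rules are all constructed for the example; the registrable-domain logic takes the last two labels as a simplification and would use the public suffix list in practice.

```javascript
// Added example, not code from the Akamai deck: triage the outbound requests
// observed in one real-user session for the skimmer traits the deck describes
// (Pipka: exfiltration through an HTML image request with an encoded payload;
// the checkout case: a receiving server on a lookalike domain). A static scan
// of the page source sees none of this; it shows up only in what the page does
// at runtime. The request log and all host names are constructed.

const FIRST_PARTY_HOST = "shop.example.com";
const ALLOWED_HOSTS = new Set([
  "shop.example.com",
  "static.shop.example.com",
  "checkout.example-psp.com", // the site's payment service provider
]);

// Constructed session log in the shape a resource-timing style monitor records.
// The query value on the fourth entry is base64 of a harmless marker string.
const SESSION_REQUESTS = [
  { initiator: "script", url: "https://static.shop.example.com/app.js" },
  { initiator: "img", url: "https://static.shop.example.com/logo.png" },
  { initiator: "iframe", url: "https://checkout.example-psp.com/card-form" },
  { initiator: "img", url: "https://shop-example.com/p.gif?d=Q29uc3RydWN0ZWQgc2FtcGxlIHBheWxvYWQsIG5vdCByZWFsIGRhdGE=" },
  { initiator: "img", url: "https://stats.metrics-vendor.net/pixel.gif?id=42" },
];

// Standard edit distance; used to catch one- or two-character typosquats.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Simplification: the registrable domain is taken as the last two labels; a
// production check would consult the public suffix list.
function registrable(host) {
  return host.split(".").slice(-2).join(".");
}

// True when host imitates the first-party domain without being part of it.
function isLookalike(host, firstPartyHost) {
  const fpReg = registrable(firstPartyHost); // example.com
  const fpLabel = fpReg.split(".")[0];       // example
  if (host === fpReg || host.endsWith("." + fpReg)) return false; // genuine first-party host
  if (host.includes(fpReg)) return true;                           // example.com.elsewhere.net
  const label = registrable(host).split(".")[0];
  if (label !== fpLabel && label.includes(fpLabel)) return true;  // shop-example.com
  const d = levenshtein(label, fpLabel);
  return d > 0 && d <= 2;                                          // examp1e.com
}

// Long runs of base64 / URL-safe characters in a query string or path are the
// "content hidden via encoding" trait; 40 characters is a constructed threshold.
function looksEncoded(text) {
  return /[A-Za-z0-9+\/=_-]{40,}/.test(text);
}

// Every request to a host outside the allowlist becomes a finding; the two
// skimmer traits raise it from "review" to "high".
function triageRequests(requests, firstPartyHost, allowedHosts) {
  const findings = [];
  for (const req of requests) {
    const u = new URL(req.url);
    const host = u.hostname.toLowerCase();
    if (allowedHosts.has(host)) continue; // a known destination needs no review
    const reasons = [];
    if (isLookalike(host, firstPartyHost)) reasons.push("lookalike-domain");
    if (req.initiator === "img" && (looksEncoded(u.search) || looksEncoded(u.pathname))) {
      reasons.push("encoded-payload-in-image-request");
    }
    const severity = reasons.length > 0 ? "high" : "review";
    if (reasons.length === 0) reasons.push("unlisted-host");
    findings.push({ url: req.url, host, reasons, severity });
  }
  return findings;
}
```

On the constructed log, `triageRequests(SESSION_REQUESTS, FIRST_PARTY_HOST, ALLOWED_HOSTS)` returns two findings: the image request to `shop-example.com` is rated `high` for both the lookalike domain and the encoded payload, and the analytics pixel on `stats.metrics-vendor.net` is rated `review` simply because the host is not on the allowlist. The allowlist is checked before the lookalike rules on purpose: a legitimate partner such as `checkout.example-psp.com` would otherwise trip the substring rule, so the list of approved destinations has to be maintained alongside the detection.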
Why do we need a different approach?
Stealing sensitive customer data is not new but…
• Hackers have developed new techniques to compromise browsers, hiding malicious code in scripts
• Security teams can't test for these attacks and can't see them
• Restricting script use will impact business agility and user experience
• New security controls are needed to counteract this problem
3.7M websites compromised monthly
78%: 2018 supply chain attacks
4,800 web-skimming attacks yearly
Source: Symantec 2019 Internet Security Threat Report
What do you need?
• Protection from hidden malicious code
• Visibility into script attacks
• Simple deployment, administration and real-time alerting
Demo Attack Test Site
● Forms test site attacked with malicious JS code
  ○ Fully functional eCommerce checkout page form
  ○ Used a white-listed domain (demo asset)
[Screenshot: malicious JS code]
Web Skimming Attack Results
Immediate Visibility, Detection, Assessment
• Suspicious behavior immediately detected
• Destination not blacklisted
• No manual intervention
• Behavior detection model set a critical risk score
[Screenshot: credit card info taken; high risk score]
Summary
• Formjacking / Magecart attacks are rapidly growing
• Malicious code is getting into application scripts
• Current CSP and static scanning protections can't keep up
• Security teams aren't well equipped to deal with this attack vector
• Most businesses lack visibility into the full 3rd-party JavaScript ecosystem
• Real-time detection of suspicious script behaviors is the only way to effectively see and mitigate attacks