Threat Research
Stay on top of the latest threat research, information on in-the-wild cyber attacks and cyber operations from Juniper Threat Labs.
MageCart Skims Credit Cards from FocusCamera.com


Late in December 2019, someone I know received a notification from their credit card company stating a transaction for a purchase of substantial value was pending. Not recognizing the transaction, the person immediately contacted the credit card company to put a stop to the transaction which had not yet settled. A few minutes later, the card was blocked and a new card was being mailed to the person's home address.


For most people, that’s how the story ends. But being in the cybersecurity industry, I wanted to find out more. Where and when was their credit card data stolen? Were they a victim of one of the breaches that took place months ago at major retail stores or card-issuing banks?

I decided to start by tracing their steps back to where they had shopped online recently. Most of the stores were familiar ones, but one stood out because they had made only a single purchase there in recent times: focuscamera.com. The site belongs to a popular, legitimate brick-and-mortar business that has been around for a long time, and it had not been in the news for any breach.

To investigate whether the site had been compromised, I knew I had to focus on the checkout page. That is how the infamous Magecart group operates: it injects JavaScript code that submits all credit card details to a command and control server of its own as customers check out.

I started by adding an item to my shopping cart and proceeded to check out. At that point, a combination of Chrome’s developer tools and Wireshark captures were the only tools I needed to identify any unusual connection that should not have been happening.

Figure: FocusCamera.com Checkout Page

Card details submitted to C&C site

Going through the network connections, it didn’t take long to realize that credit card data was being submitted to two different sites, as shown in the screenshots below.

This first one is the legitimate focuscamera.com payment card processing site:

Figure: Credit Card Details being submitted to FocusCamera.com

The second POST request is the fraudulent one, submitted to a domain named zdsassets.com. Note the similarity to the legitimate Zendesk domain zdassets.com (which has no "s" between the "d" and the "a").

Figure: Credit Card Data Being Submitted to Exfiltration Domain
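Below is an added example, not code from the original post, of the triage a defender can run over a capture like the one above: it flags any POST that carries payment-card fields to a host outside the merchant's own payment hosts, and notes when that host is a one-character look-alike of a known vendor domain (zdsassets.com vs zdassets.com). The request list, the payment-host allowlist and the card number are constructed sample data.

```python
"""Triage of checkout-page traffic: flag any POST carrying payment-card fields
to a host outside the merchant's payment hosts, and note when that host is a
one-character look-alike of a known vendor domain (constructed sample data)."""
import re
from urllib.parse import urlparse

PAYMENT_HOSTS = {"www.focuscamera.com", "focuscamera.com"}  # constructed allowlist
KNOWN_VENDORS = {"zdassets.com"}                              # real Zendesk asset domain
CARD_FIELD = re.compile(r"(card|cc)[_-]?(number|num|no|cvv|cvc|exp)", re.I)
PAN_LIKE = re.compile(r"\d{13,19}")

def luhn_ok(s):
    """Luhn check so that 13-19 digit order ids are not mistaken for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(s)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def lookalike_of(host):
    """Known vendor domain that differs from host by one inserted or deleted character."""
    bare = host[4:] if host.startswith("www.") else host
    for v in KNOWN_VENDORS:
        longer, shorter = (bare, v) if len(bare) > len(v) else (v, bare)
        if len(longer) - len(shorter) == 1 and any(
                longer[:k] + longer[k + 1:] == shorter for k in range(len(longer))):
            return v
    return None

def triage(requests):
    """requests: iterable of (method, url, form_dict). Returns a list of findings."""
    findings = []
    for method, url, form in requests:
        host = urlparse(url).hostname or ""
        carries_card = any(CARD_FIELD.search(k) or
                           (PAN_LIKE.fullmatch(str(v)) and luhn_ok(str(v)))
                           for k, v in form.items())
        if method.upper() != "POST" or not carries_card or host in PAYMENT_HOSTS:
            continue
        note = "card data POSTed to unexpected host " + host
        twin = lookalike_of(host)
        findings.append(note + (" (look-alike of %s)" % twin if twin else ""))
    return findings

# Constructed stand-in for the DevTools/Wireshark capture; 4111... is a public test number.
CAPTURE = [
    ("POST", "https://www.focuscamera.com/checkout/pay", {"cc_number": "4111111111111111", "cc_exp": "12/22"}),
    ("POST", "https://www.zdsassets.com/collect", {"d": "4111111111111111", "e": "12/22"}),
    ("GET", "https://static.zdassets.com/widget.js", {}),
]
```

Running `triage(CAPTURE)` reports only the second request, which carries a Luhn-valid card number to a host that is one character away from zdassets.com.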


According to registration data provided by DomainTools.com, the domain zdsassets.com was registered on November 11, 2019. As of this writing, that means the skimming operation under this domain has lasted less than two months. The domain is registered through Hosting Concepts B.V. d/b/a Openprovider, a hosting provider in the Netherlands. The site is hosted on a dedicated server at Vultr Holdings in New Jersey, and the IP address 149.28.237.85 is announced by AS-Choopa (AS20473).

Figure: Registration of Exfiltration Domain

Victims

Based on DNS telemetry we have access to, this C&C domain has been resolved 905 times since it was created, which may be an indication of the number of victims of this card skimming operation. It is possible that the same C&C domain is being used across multiple compromised shopping sites and campaigns; at this time, we don’t have any telemetry to prove it one way or the other.

Figure: DNS Resolution Cache Misses to Exfiltration Domain

Site Compromise

It appears the threat actor managed to access the source code of the web site and modify a JavaScript file to inject the malicious payload.

The main checkout script loads a JavaScript file as shown below:

Figure: Original Script Call on checkout page

This particular script was modified by the threat actor to append an obfuscated, base64-encoded JavaScript routine, as shown below:

Figure: Base64-encoded Skimming Code Appended to Existing Script

Once base64-decoded, this script performs the malicious activity:

Figure: Decoded Credit Card Skimming Script

The process above is for customers who check out as a guest. We have not tested the checkout process for previously registered users to see if their credit cards would also be skimmed.

This attack has all the hallmarks of Magecart: client-side skimming of payment card data. Magecart is not any particular hacker group, but rather a loose consortium of threat actors using similar methods, either compromising third-party libraries in a supply chain attack or simply hacking into the target website to implant malicious code. Among the well-known victims are British Airways, Ticketmaster, Newegg and more.

Responsible Disclosure

As soon as we realized focuscamera.com was breached, Juniper Threat Labs immediately reached out to the site owners via an online contact form and also left voicemails. Unfortunately, weekends and a time zone difference caused a couple of days of delay in the response, but we managed to have a live conversation with the domain admins. We shared all the information we had at the time and held a follow-up call later in the day to share additional discoveries based on our analysis of the site. By the end of the day, the malicious code had been removed from the site.

Conclusion

Magecart continues to pose a significant risk to online shopping and is expected to be one of the top cyber security stories of 2020. Site owners can guard against this attack by ensuring the integrity of their site's source code: attackers do need to tamper with the site's source code to inject the malicious skimmer JavaScript, either by exploiting a vulnerability on the server or by compromising a third-party library. In this particular example, it is clear that a JavaScript file on focuscamera.com was modified from its originally deployed version to include the injected eval statement. With simple file hash monitoring, this should trigger an alarm.
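The file-hash monitoring suggested above, as an added example that is not code from the original post or from Juniper Threat Labs: it baselines the SHA-256 of every script under a web root, reports files whose digest changed, and greps changed files for the eval(atob(...)) shape described in the Site Compromise section. The web root, the sample checkout script and the appended blob (a harmless comment, base64-encoded) are constructed.

```python
"""Baseline the SHA-256 of every deployed script once, re-hash on a schedule,
report any file whose digest changed, and grep changed files for the
eval(atob(...)) shape seen on the checkout page, to speed up triage."""
import base64, hashlib, os, re, tempfile

# eval() of a base64-decoded blob: the injection shape described in Site Compromise
EVAL_B64 = re.compile(r"eval\s*\(\s*(?:window\.)?atob\s*\(")
LONG_B64 = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")  # long base64 runs are rare in hand-written JS

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def baseline(root, exts=(".js",)):
    """Map every script under root (path relative to root) to its SHA-256."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(exts):
                full = os.path.join(dirpath, name)
                out[os.path.relpath(full, root)] = sha256_file(full)
    return out

def check(root, known):
    """Compare the tree with a saved baseline; changed/added files are also content-checked."""
    now = baseline(root)
    report = {"changed": sorted(p for p in known if p in now and now[p] != known[p]),
              "added": sorted(p for p in now if p not in known),
              "missing": sorted(p for p in known if p not in now),
              "suspicious": []}
    for rel in report["changed"] + report["added"]:
        with open(os.path.join(root, rel), errors="replace") as f:
            text = f.read()
        if EVAL_B64.search(text) or LONG_B64.search(text):
            report["suspicious"].append(rel)
    return report

def demo():
    """Constructed scenario: baseline one clean checkout script, then append an eval(atob()) line."""
    root = tempfile.mkdtemp()
    script = os.path.join(root, "checkout.js")
    with open(script, "w") as f:
        f.write("function pay(f){return fetch('/api/pay',{method:'POST',body:new FormData(f)});}\n")
    known = baseline(root)
    clean = check(root, known)   # nothing has changed yet: every list is empty
    blob = base64.b64encode(b"/* constructed placeholder, not a real skimmer */").decode()
    with open(script, "a") as f:  # the appended blob decodes to a harmless comment
        f.write(';eval(atob("%s"));\n' % blob)
    return clean, check(root, known)
```

In production the baseline dictionary would be written out at deploy time and `check()` run from cron, with the "changed" and "suspicious" lists feeding an alert.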


IOCs

Exfil Domain: www.zdsassets.com

Exfil IP: 149.28.237.85
Stalking Stalkerware: A Deep Dive Into FlexiSPY

In October, the FTC announced it had reached a settlement effectively shutting down Retina-X Studios, maker of MobileSpy, PhoneSheriff and TeenShield. According to the FTC:

CVE-2019-3398: Atlassian Confluence Download Attachments Remote Code Execution

Atlassian Confluence is a collaboration tool that is used by organizations to create and share various documents related to marketing, design specifications, project planning, etc. It can be licensed both as a SaaS (Confluence Cloud), as well as an on-premise enterprise software (Confluence Server).

Growing attacks using Accept-Charset exploit

Juniper Threat Labs is seeing a growing number of attacks on the Accept-Charset HTTP header. This request header allows the client to indicate which character sets, e.g. ISO-8859-1 or UTF-8, it accepts for the response. Attackers are trying to exploit this header by passing base64-encoded PHP code in it. During the course of our investigation, we identified the vulnerable software as a tampered version of phpStudy. At some point in time, hackers were able to break into phpStudy and tamper with the 2016 and 2018 versions of the software to make it vulnerable to this specific exploit.

How to defend against every day IOT threats

The Internet of Things has been around for years, but it has become more and more prevalent. This ever-growing footprint has made it a juicier target. How are they attacking, and how do we work to better defend our networks?

By JesseLands

Masad Stealer: Exfiltrating using Telegram

Juniper Threat Labs discovered a new Trojan-delivered spyware that uses Telegram to exfiltrate stolen information. Using Telegram as a Command and Control (CnC) channel gives the malware some anonymity, as Telegram is a legitimate messaging application with 200 million monthly active users. The malware is being advertised on black market forums as “Masad Clipper and Stealer”. It steals browser data, which might contain usernames, passwords and credit card information. Masad Stealer also automatically replaces cryptocurrency wallet addresses on the clipboard with its own.


