Hackers hide malicious code in images from e-commerce sites

In a novel hacking campaign, attackers are hiding malicious code in image file metadata to covertly steal bank card information from visitors to compromised online stores.

“We found stealth code within the metadata of an image file (a form of steganography), and surreptitiously uploaded by compromised online stores,” the Malwarebytes researchers said.

“This scheme would not be complete without another interesting variation to extract data from stolen credit cards. Once again, criminals used the disguise of an image file to collect their loot.”

This evolving tactic belongs to the broader class of web skimming, or Magecart, attacks, in which attackers keep finding new ways to inject JavaScript code, including abusing misconfigured AWS S3 storage buckets and exploiting Content Security Policy to send data to a Google Analytics account under their control.

Steganography-based skimming generally works by inserting malicious code into a compromised website; the code surreptitiously collects user-entered data and sends it to a server the attacker controls, giving them access to buyers’ payment information.

In this weeklong campaign, the security company found the skimmer not only on an online store running the WooCommerce WordPress plugin, but embedded in the EXIF (Exchangeable Image File Format) metadata of a favicon loaded from a suspicious domain (cddn.site).

Image files can carry EXIF metadata describing the image itself, such as the camera manufacturer and model, the date and time the photo was taken, location, resolution and camera settings, among other details.

Using this EXIF data, the hackers executed a JavaScript snippet hidden in the “Copyright” field of the favicon image.

“As with other skimmers, this one also captures the content of input fields where online shoppers enter their name, billing address, and credit card details,” the researchers said.

The captured information is Base64-encoded and the resulting string reversed; the stolen data is then sent out disguised as an image file to hide the exfiltration.
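For defenders, the practical question raised by the favicon technique above is how to spot script hidden in image metadata before it reaches shoppers. The scanner below is an added example written for this page, not Malwarebytes code and not the skimmer itself: it walks the JPEG marker segments, parses the Exif APP1 segment, pulls out the free-text tags (Copyright, Artist, ImageDescription and so on) and flags any value containing JavaScript tokens. The indicator list, the tag set, the thresholds and the build_exif_jpeg() helper that fabricates test images are assumptions made for the example.

```python
"""Scan JPEG Exif text tags for script-like content (added example, not Malwarebytes code).

Walks the JPEG marker segments, finds the APP1 "Exif" segment, parses the IFD0
entries of the embedded TIFF structure and returns the ASCII-typed tags
(Copyright, Artist, ImageDescription, ...). Each value is then matched against a
small indicator list. Standard library only; the sample favicon bytes are
CONSTRUCTED by build_exif_jpeg() and are not taken from any real skimmer.
"""
import re
import struct

# Exif/TIFF tags that hold free-form ASCII text an attacker can use as a carrier.
ASCII_TAGS = {
    0x010E: "ImageDescription",
    0x010F: "Make",
    0x0110: "Model",
    0x0131: "Software",
    0x013B: "Artist",
    0x8298: "Copyright",
}

# Hypothetical indicator list: tokens that have no business in camera metadata.
JS_INDICATORS = re.compile(
    r"<script|document\.|window\.|eval\(|atob\(|fromCharCode|XMLHttpRequest"
    r"|fetch\(|function\s*\(|=>|addEventListener",
    re.IGNORECASE,
)


def _parse_ifd0(tiff: bytes) -> dict:
    """Return {tag_name: text} for ASCII-typed entries in IFD0 of a TIFF block."""
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None or struct.unpack(endian + "H", tiff[2:4])[0] != 42:
        return {}
    ifd = struct.unpack(endian + "I", tiff[4:8])[0]
    count = struct.unpack(endian + "H", tiff[ifd:ifd + 2])[0]
    found = {}
    for i in range(count):
        off = ifd + 2 + 12 * i
        tag, typ, n = struct.unpack(endian + "HHI", tiff[off:off + 8])
        if typ != 2 or tag not in ASCII_TAGS:  # type 2 is ASCII
            continue
        if n <= 4:  # values of up to four bytes are stored inline in the entry
            raw = tiff[off + 8:off + 8 + n]
        else:  # otherwise the entry holds an offset from the TIFF header
            data_off = struct.unpack(endian + "I", tiff[off + 8:off + 12])[0]
            raw = tiff[data_off:data_off + n]
        found[ASCII_TAGS[tag]] = raw.rstrip(b"\x00").decode("latin-1")
    return found


def exif_text_tags(jpeg: bytes) -> dict:
    """Locate the Exif APP1 segment of a JPEG and return its IFD0 text tags."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos, tags = 2, {}
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI / SOS: no more metadata segments follow
            break
        if 0xD0 <= marker <= 0xD8:  # stand-alone markers carry no length field
            pos += 2
            continue
        seg_len = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        body = jpeg[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and body.startswith(b"Exif\x00\x00"):
            tags.update(_parse_ifd0(body[6:]))
        pos += 2 + seg_len
    return tags


def scan_image(jpeg: bytes) -> list:
    """Return (tag_name, indicator) pairs for metadata values that look like script."""
    hits = []
    for name, text in exif_text_tags(jpeg).items():
        match = JS_INDICATORS.search(text)
        if match:
            hits.append((name, match.group(0)))
    return hits


def build_exif_jpeg(copyright_text: str, artist: str = "Example Studio") -> bytes:
    """Build a minimal little-endian Exif JPEG (constructed test input, not a real favicon)."""
    values = [(0x013B, artist.encode() + b"\x00"), (0x8298, copyright_text.encode() + b"\x00")]
    data_start = 8 + 2 + 12 * len(values) + 4  # header + count + entries + next-IFD pointer
    entries, blob = b"", b""
    for tag, val in values:  # tags are already ascending, as TIFF requires
        if len(val) <= 4:
            entries += struct.pack("<HHI", tag, 2, len(val)) + val.ljust(4, b"\x00")
        else:
            entries += struct.pack("<HHII", tag, 2, len(val), data_start + len(blob))
            blob += val
    tiff = b"II" + struct.pack("<HI", 42, 8) + struct.pack("<H", len(values)) + entries
    tiff += struct.pack("<I", 0) + blob
    app1_body = b"Exif\x00\x00" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(app1_body) + 2) + app1_body
    # A real file would continue with DQT/SOF/SOS segments; the scanner stops
    # before scan data anyway, so SOI + APP1 + EOI is enough for the example.
    return b"\xff\xd8" + app1 + b"\xff\xd9"


if __name__ == "__main__":
    benign = build_exif_jpeg("Copyright 2020 Example Studio")
    planted = build_exif_jpeg("Example Studio <script>document.write(1)</script>")
    print("benign:", scan_image(benign))    # []
    print("planted:", scan_image(planted))  # [('Copyright', '<script')]
```

Run it over the images a store serves from its static paths or a proxy cache. The scanner handles Exif carried in a JPEG APP1 segment; Exif embedded in other containers (PNG, WebP) would need its own segment reader in front of _parse_ifd0(). The indicator list is deliberately short, so treat a hit as a prompt to review the page script that references the image rather than as proof on its own.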

Claiming that the operation could be the work of Magecart Group 9, Malwarebytes said that the JavaScript code for the skimmer is obfuscated with the WiseLoop PHP JS Obfuscator library.

This is not the first time that Magecart groups have used images as attack vectors to compromise e-commerce websites. In May, several hacked websites were observed loading a malicious favicon on their payment pages and then replacing the legitimate payment form with a fraudulent copy that stole card data.

Abusing the DNS protocol to exfiltrate browser data
In a separate technique, researcher Jessie Li demonstrates that it is possible to exfiltrate data from the browser by abusing dns-prefetch, a latency-reduction feature that resolves the DNS names of cross-origin domains before their resources are requested.

Called “browsertunnel”, the open source software consists of a server that decodes the messages sent by the tool and a client-side JavaScript library to encode and transmit the messages.

The messages themselves are arbitrary strings encoded into the subdomain part of a domain the browser is made to resolve. The server then listens for DNS queries, collects the incoming messages and decodes them to recover the data.

In other words, browsertunnel can be used to collect confidential information as users perform specific actions on a web page and then exfiltrate it to a server, disguised as DNS traffic.

“DNS traffic does not appear in browser debugging tools, is not blocked by a page’s Content Security Policy (CSP), and is often not inspected by firewalls or corporate proxies, making it an ideal medium for data smuggling in restricted scenarios,” said the researcher.
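Because the payload has to appear as subdomain labels, the resolver that sees every query leaving the network is the natural place to notice the pattern browsertunnel relies on. The script below is an added example for this page, not browsertunnel’s own code: it parses constructed resolver log lines, aggregates them per parent domain and flags domains that receive many unique, long, high-entropy subdomains. The log format (qname=... fields), the threshold values, the domain names and the hash-derived labels that stand in for encoded messages are all assumptions made for the example.

```python
"""Flag DNS-tunnel style exfiltration in resolver query logs (added example).

Heuristic: a legitimate site resolves a handful of stable hostnames, while a
browser-side tunnel generates a stream of unique, long, high-entropy labels
under one parent domain. The log format, the domain names and the tunnel
labels below are CONSTRUCTED for this example; adapt LOG_RE to your resolver.
"""
import base64
import hashlib
import math
import re
from collections import Counter, defaultdict

# Assumed log format: any line carrying a "qname=<name>" field.
LOG_RE = re.compile(r"qname=(?P<qname>\S+)")


def shannon_entropy(text: str) -> float:
    """Bits per character of the empirical symbol distribution of text."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def split_qname(qname: str):
    """Return (parent_domain, subdomain), treating the last two labels as the parent.

    Assumption for the example: no public-suffix list, so names like
    'shop.co.uk' would need a smarter split in production.
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def analyze(lines, min_unique=20, min_entropy=3.0, min_len=20) -> list:
    """Aggregate per parent domain and mark those matching the tunnel heuristic."""
    stats = defaultdict(lambda: {"queries": 0, "subs": set(), "ent": 0.0, "len": 0})
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        parent, sub = split_qname(m.group("qname"))
        if not sub:  # bare apex queries carry no payload-bearing label
            continue
        st = stats[parent]
        st["queries"] += 1
        st["subs"].add(sub)
        st["ent"] += shannon_entropy(sub)
        st["len"] += len(sub)
    report = []
    for parent, st in stats.items():
        mean_ent = st["ent"] / st["queries"]
        mean_len = st["len"] / st["queries"]
        unique = len(st["subs"])
        report.append({
            "domain": parent,
            "queries": st["queries"],
            "unique_subdomains": unique,
            "mean_entropy": round(mean_ent, 2),
            "mean_label_len": round(mean_len, 1),
            "suspicious": unique >= min_unique and mean_ent >= min_entropy and mean_len >= min_len,
        })
    return sorted(report, key=lambda r: r["unique_subdomains"], reverse=True)


def suspicious_domains(lines, **thresholds) -> list:
    """Names of parent domains that trip the heuristic, most active first."""
    return [r["domain"] for r in analyze(lines, **thresholds) if r["suspicious"]]


def _tunnel_label(i: int) -> str:
    """Constructed stand-in for an encoded message chunk (base32 of a hash)."""
    digest = hashlib.sha256(f"constructed-message-{i}".encode()).digest()
    return base64.b32encode(digest).decode().lower().rstrip("=")


BENIGN_HOSTS = ["www.shop.example", "cdn.shop.example", "api.shop.example"]
# Constructed resolver log: 60 ordinary lookups, then 30 tunnel-style lookups.
SAMPLE_LOG = [
    f"2020-06-25T10:00:{i % 60:02d}Z client=10.0.0.5 qname={BENIGN_HOSTS[i % 3]}. qtype=A"
    for i in range(60)
] + [
    f"2020-06-25T10:01:{i:02d}Z client=10.0.0.5 qname={_tunnel_label(i)}.tunnel-example.test. qtype=A"
    for i in range(30)
]

if __name__ == "__main__":
    for row in analyze(SAMPLE_LOG):
        print(row)
```

Tune the three thresholds against a baseline of your own traffic before alerting on the result: content delivery networks with hashed hostnames and DNS-based blocklist lookups also produce many unique, high-entropy labels under one parent, so a hit should be correlated with which client and which web page generated the queries.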

What are VPNs and what are they for?

Few people know what VPNs are, and yet you don’t have to be a computer expert or a genius to get the most out of these useful tools.

A VPN (virtual private network) is a network through which Internet users can access the internet. In general, when you connect to the internet, you do so by sending certain information from a device, which can be a mobile phone, a tablet, a computer, a smart TV… to the servers where the pages you visit are hosted. In less than a second, an exchange of information takes place.

When you connect to the internet through a VPN, on the other hand, the connection is not made directly: before it is established, your data is sent, encrypted, through another server, the virtual private network. A small change in the path makes the level of browsing security much higher than what you would experience on a public network.

Advantages of accessing the internet through a VPN

A VPN server can allow you to access the internet completely anonymously, something that is reinforced if you use a cryptocurrency, such as bitcoin or ethereum, for your transactions and purchases. Privacy is a precious asset worth preserving. In the internet age, even if we are not aware of it, we are constantly leaving information about ourselves behind, so the more protective we are of our privacy, the better.

Even if you are not after anonymity, you can prevent your internet provider from accessing your data. Your provider holds a complete record of your browsing history; it is private and no one else should be able to access it, but using a VPN is a good way to make tracking your browsing data difficult: which pages you visited, which keywords you typed into search engines, when you connected, which documents, photos or files you viewed and/or downloaded, and a long list of other information.

A VPN presents an IP address different from your device’s real one, which brings several advantages.

Bypassing blocks. Some countries restrict browsing and access to certain pages and applications. The paradigmatic case is China, which, among other sites, blocks access to Facebook. If you were in China, you could reach Facebook through a VPN that assigns you an IP address from another country. What applies to China applies to any country, place or website subject to some kind of restriction.

Protection against possible threats. Public networks are a very insecure point, and anyone who connects to the internet through them is highly exposed. Many attackers take advantage of this weakness to carry out their cyberattacks.

Remote access to your office for teleworking. VPNs allow remote access to work networks without a physical connection. This is a very important advantage after the coronavirus health crisis, during which thousands of workers were forced to work from home, something that large numbers of workers had long been demanding. Teleworking is a way of working more in tune with the present, and it allows better work-life balance and more efficient time management, two areas in which we still have a long way to go as a society.

Access to content available in countries other than the one you are actually in. Streaming platforms such as HBO or Netflix do not offer the same catalogue in every country in which they operate. Each country has its own series and films; some are shared between countries and others are not. With a VPN you can change your device’s apparent location (its IP address) and use that to reach new content: if you connect from a computer in Spain, a VPN can make your IP address appear to be in the U.S., and if you then access a platform like Netflix you will see the catalogue Netflix offers in the United States rather than in Spain. This is ideal for watching series or films that are not in your country’s catalogue and that you don’t even know when they will arrive.

There are a large number of VPNs available. You can take a look at this website and compare some of the options that will broaden your experience as an internet user.

Lastly, although there are similarities between them, it is worth pointing out that a proxy and a VPN are not the same thing. You can find information here about what a proxy is and how it differs from a virtual private network.

Anonymous vs. TikTok: you have to remove that Chinese spyware

The TikTok application has had a few rough days. The popular Chinese social network was blacklisted in India and was also accused of invading privacy on iOS. Now the hacktivist group Anonymous has published belligerent slogans against it.

The message was posted by the hackers on their Twitter account: “Delete TikTok now; if you know someone who is using it (the application), explain to them that it is essentially malware operated by the Chinese government, which is executing a massive spy operation.”

As Forbes relates, “The account was linked to a story that has been circulating for the past few days, following a Reddit post by an engineer who claimed to have ‘reverse engineered’ TikTok to find a litany of security and privacy abuses”.

In any case, as of this writing, the veracity of these accusations had not been confirmed.

In late June 2020, an account allegedly attributed to the hackers appeared on the Chinese app, something the group flatly denied.

“Anonymous does not have a TikTok account,” the activist group clarified via Twitter. It is “an application created as spyware by the Chinese government,” the group said.

Since the social protests over the murder of George Floyd began in the United States, the hackers have taken aim at the Minneapolis police, threatening to unleash more violence from that department against people at the protests.

The post Anonymous against TikTok: you have to remove that Chinese spyware appeared first on Digital Trends Spanish.

How hackers extorted more than $1 million from a US university investigating a cure for coronavirus

The hackers aimed high: a major medical research institution working on a cure for covid-19.

The hackers extracted $1.14 million from the University of California, San Francisco (UCSF) after a covert negotiation.

An anonymous tip-off allowed the BBC to follow the negotiations in a live chat on the dark web.

Behind the attack, on June 1, was the criminal gang Netwalker.

Cybersecurity experts say such deals are being made all over the world, sometimes for even larger sums, against the advice of security organizations such as the FBI, Europol and the UK’s National Cyber Security Centre.

Netwalker has been linked to at least two other ransomware attacks, or data hijacking, against universities in the past two months.

At first glance, their dark web page looks like a standard customer service site, with an FAQ tab, a “free” trial of their software and a chat.

But there is also a countdown timer; when it runs out, the hackers double the ransom or delete the data they have encrypted with their malicious software (malware).

After logging in, UCSF received this message on June 5.

[Operator]: “Hello UCSF, don’t be shy, we can work together on the current incident.”

Six hours later, the university requested more time and details on how the hacked information would be removed from a Netwalker public blog.

[Operator]: “Done. Your details have been hidden from our blog. Now let’s start the discussion.”

Knowing that UCSF generates billions of dollars a year, the hackers demanded $3 million.

But the UCSF representative, who may be an outside negotiation specialist, explained that the coronavirus pandemic has been “financially devastating” for the university and asked them to accept $780,000.

[Operator]: “How am I going to accept $780,000? It’s like I worked for nothing. You guys can raise the money in a couple of hours. Take it seriously. If we release our blog, information and student records, I’m 100% sure they will lose more than what we ask for. We can agree on an amount, but so, because I take that as an insult.”

[Operator]: “Save that $780,000 to buy McDonald’s for your employees. It is very little for us.”

After a day of proposals and counterproposals, UCSF said it had raised all available money and could pay $1.02 million, but the cybercriminals declined to drop below $1.5 million.

[Operator]: “I spoke to my boss. I sent him all the messages and he cannot understand it from a university like yours, from four to five billion a year. It is very difficult to understand and accept that they can raise US$1,020,895. But hey, I think your accountants/departments can raise $500,000 more. So we will accept $1.5 million and we will all sleep well.”

Hours later, the university gave details of how it had obtained more money and made a final offer of US$1,140,895.

[Operator]: “Okay. Now they can sleep well :D When can they pay?”

And the next day, 116.4 bitcoins were transferred to Netwalker’s electronic wallets, and UCSF received decryption software.

Is there a guarantee?
UCSF is now assisting the FBI with its investigations as it works to restore all affected systems.

“Encrypted data is important to some of the academic work we do as a university serving the public good,” the university told the BBC.

“Therefore, we made the difficult decision to pay a portion of the ransom, approximately $1.14 million, to the people behind the malware attack in exchange for a tool to unlock the encrypted data and return the information they obtained,” it said.

“It would be a mistake to assume that all the statements made in the negotiations are objective.”
