Digital Skimmers How crooks are spying on your online shopping
by Rommel Joven
What is a digital skimmer
Agenda
• Overview
• Stealthworker Malware
• Kinds of Digital skimmers
• Underground Market
Overview
(Diagram with five numbered steps linking online shoppers, the compromised store, the underground market, fraudulent transactions and monetization.)
Compromising a site
• Exploiting a vulnerability in the website's e-commerce platform
• Compromising a third-party tool or script used by the target
• Cross-site scripting
• Obtaining an administrative account through a phishing email or a brute-force attack (e.g. the Stealthworker malware)
Stealthworker Malware
• First seen February 2019
• Written in Golang
• Runs on Windows, Linux, and ARM
• Brute-force attacks on e-commerce platforms and services
• Identifies the target's e-commerce platform before attacking it
Stealthworker
(Screenshots: the C2's open directory listing and the disassembly of main_init().)
Earliest version: v1.50 Latest version: v3.11
Stealthworker Functions
Function pattern   Purpose
*_check_*          Identify and verify the service the target is running (e.g. Stealthworker_WorkerMagento_check_init)
*_brut_*           Perform the brute-force attack on the target (e.g. Stealthworker_WorkerJoomla_brut_init)
*_finder_*         Find a specific service or file on the target (e.g. Stealthworker_Worker_FileFinder_init)
Network communication
(Diagram: bot and C2 server)
/project/active            the C2 replies with the active worker, e.g. "magentoBrt;"
/gw?worker=magentoBrt      the C2 sends the targets for brute force (the brute-force job for that worker)
/storage                   open directory on the C2
Brute force and check workers
Targeted service/platform   Brute-force worker    Check worker
Bitrix24                    bitrixBrt             bitrixChk
cPanel                      cp_b                  cpanelChecker / cp_chk
Drupal                      drupalBrt             drupalChk
FTP                         ftp_b                 ftpChk
Basic Authentication        htpasswdBrt           htpasswdChk
Joomla                      joomlaBrt             joomlaChk
Magento                     magentoBrt            magentoChk
MySQL                       mysql_b               none
OpenCart                    OCartBrt              OCartChk
PhpMyAdmin                  phpadmin / php_b      phpadminChecker / php_chk
Portainer                   pbrt                  none
PostgreSQL                  postgres_b            none
Qnap                        qnapBrt               qnapChk
SSH                         ssh_b                 none
Synology                    synoB                 none
WHM                         whm_b                 whmChecker / whm_chk
Wordpress                   wpBrt                 wpChk
WooCommerce                 none                  Woo
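The network-communication slide and the worker table above give a defender enough to hunt for infected hosts in egress logs: a bot polls /project/active for the active worker, then asks /gw?worker=<name> for targets, and the C2 also exposes an open /storage directory. The following detector is an added example written for this page; it is not Stealthworker's code nor a tool from the talk. The proxy log format is constructed and simplified (timestamp, client IP, method, URL, status), the IP addresses are made up, and only the C2 paths and the worker names come from the slides. It flags a client only when it shows the full poll-then-fetch pattern and maps the worker names it saw back to the platform being brute-forced.

```python
"""Hunt for Stealthworker-style C2 polling in egress (proxy) logs.

Added illustration, not the malware's code or the speaker's tooling.
Constructed log format: <timestamp> <client_ip> <method> <url> <status>
Only the URL paths and worker names are taken from the talk; the rest is assumed.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Worker names from the talk's table, mapped to the platform they target.
WORKER_PLATFORM = {
    "bitrixBrt": "Bitrix24", "bitrixChk": "Bitrix24",
    "cp_b": "cPanel", "cpanelChecker": "cPanel", "cp_chk": "cPanel",
    "drupalBrt": "Drupal", "drupalChk": "Drupal",
    "ftp_b": "FTP", "ftpChk": "FTP",
    "htpasswdBrt": "Basic Authentication", "htpasswdChk": "Basic Authentication",
    "joomlaBrt": "Joomla", "joomlaChk": "Joomla",
    "magentoBrt": "Magento", "magentoChk": "Magento",
    "mysql_b": "MySQL",
    "OCartBrt": "OpenCart", "OCartChk": "OpenCart",
    "phpadmin": "PhpMyAdmin", "php_b": "PhpMyAdmin",
    "phpadminChecker": "PhpMyAdmin", "php_chk": "PhpMyAdmin",
    "pbrt": "Portainer", "postgres_b": "PostgreSQL",
    "qnapBrt": "Qnap", "qnapChk": "Qnap",
    "ssh_b": "SSH", "synoB": "Synology",
    "whm_b": "WHM", "whmChecker": "WHM", "whm_chk": "WHM",
    "wpBrt": "Wordpress", "wpChk": "Wordpress",
    "Woo": "WooCommerce",
}

# Constructed proxy log: 10.0.0.12 behaves like a bot, 10.0.0.44 and 10.0.0.77 do not.
SAMPLE_LOG = """\
2019-03-02T10:15:01Z 10.0.0.12 GET http://203.0.113.5/project/active 200
2019-03-02T10:15:02Z 10.0.0.12 GET http://203.0.113.5/gw?worker=magentoBrt 200
2019-03-02T10:15:02Z 10.0.0.12 GET http://203.0.113.5/gw?worker=magentoChk 200
2019-03-02T10:15:09Z 10.0.0.44 GET http://203.0.113.5/storage/ 200
2019-03-02T10:15:10Z 10.0.0.44 GET http://www.example.com/project/active 404
2019-03-02T10:16:00Z 10.0.0.12 GET http://203.0.113.5/project/active 200
2019-03-02T10:16:01Z 10.0.0.12 GET http://203.0.113.5/gw?worker=wpBrt 200
2019-03-02T10:16:05Z 10.0.0.77 GET http://www.example.com/index.html 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def classify_request(url):
    """Return (kind, worker) for a URL matching one of the C2 endpoints, else None."""
    parts = urlsplit(url)
    if parts.path == "/project/active":
        return ("job_poll", None)          # bot asks which worker is active
    if parts.path == "/gw":
        worker = parse_qs(parts.query).get("worker", [None])[0]
        return ("target_fetch", worker) if worker else None
    if parts.path == "/storage" or parts.path.startswith("/storage/"):
        return ("open_dir", None)          # the C2's open directory
    return None


def analyze(lines):
    """Aggregate C2-style requests per internal client.

    Returns {client_ip: {"c2_hosts": set, "workers": set, "platforms": set,
    "kinds": {kind: count}}} for clients showing both a job poll and a target fetch;
    a lone hit on /storage or /project/active is too weak on its own.
    """
    findings = defaultdict(lambda: {"c2_hosts": set(), "workers": set(),
                                    "platforms": set(), "kinds": defaultdict(int)})
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                        # not our log format, skip
        hit = classify_request(m["url"])
        if hit is None:
            continue
        kind, worker = hit
        entry = findings[m["client"]]
        entry["c2_hosts"].add(urlsplit(m["url"]).hostname)
        entry["kinds"][kind] += 1
        if worker:
            entry["workers"].add(worker)
            entry["platforms"].add(WORKER_PLATFORM.get(worker, "unknown"))
    return {ip: e for ip, e in findings.items()
            if e["kinds"]["job_poll"] and e["kinds"]["target_fetch"]}


if __name__ == "__main__":
    for ip, e in analyze(SAMPLE_LOG.splitlines()).items():
        print(ip, "->", sorted(e["c2_hosts"]), sorted(e["workers"]), sorted(e["platforms"]))
```

The unknown-worker fallback matters in practice: the talk counted 23 versions, so new worker names will appear, and a /gw?worker= request to a host that also served /project/active is suspicious whatever the name.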
Monitoring
(Diagram: a controlled bot talking to the C2 server, polling /project/active for the active worker, e.g. "magentoBrt;", fetching targets from /gw?worker=magentoBrt, and reading the open /storage/ directory.)
Summary of findings
• 200+ samples
• 45 C2s
• 98M+ jobs
• 38M+ unique targeted hosts
• 23 different versions
(Chart: top workers)
Kinds of Digital Skimmers
• Server-side skimmer
– Written in PHP and runs on the compromised store's server
– Invisible from the browser; it can only be detected with access to the server
• Client-side skimmer
– Malicious JavaScript injected into the website's pages
– Runs in the shopper's browser
Server-side skimmer
(Screenshot, source: Sucuri: skimmer code injected into lib/Varien/Autoload.php, a Magento core file)
Client-side skimmer
(Screenshots of injected JavaScript skimmers)
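Both kinds of skimmer shown above live on the store's own server when the attacker has taken it over: the server-side one as PHP appended to a core file such as lib/Varien/Autoload.php, the client-side one as JavaScript added to a page or a served script. With access to the server, the check that finds both is file integrity monitoring against a known-good baseline. The script below is an added example for this page, not Sucuri's scanner or anything from the talk. It builds a SHA-256 manifest of a web root, later re-hashes it and reports modified, added and removed files; the demo runs on a constructed temporary directory with a stand-in Autoload.php (the injected line is a harmless placeholder, not skimmer code), and the choice to exclude only var/ is an assumption for the demo.

```python
"""File integrity baseline for a store's web root (added example, not from the talk).

Builds a SHA-256 manifest and diffs a later scan against it, so an appended
line in lib/Varien/Autoload.php or a newly dropped .js file shows up.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large media files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, exclude=()):
    """Map each file's POSIX relative path to its SHA-256.

    `exclude` is a tuple of path prefixes to skip. Keep it minimal: anything the
    web server executes or serves must stay in scope, since an attacker who can
    write to the server can drop a new file anywhere.
    """
    root = Path(root)
    manifest = {}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if rel.startswith(exclude):
            continue
        manifest[rel] = sha256_file(p)
    return manifest


def diff_manifests(baseline, current):
    """Report what changed between two manifests; every list is sorted for stable output."""
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return {"modified": modified, "added": added, "removed": removed}


def verify(root, baseline, exclude=()):
    """Re-hash the web root and diff it against the stored baseline."""
    return diff_manifests(baseline, build_manifest(root, exclude))


def demo():
    """Constructed Magento-like tree: baseline, tamper, verify. Returns the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "lib/Varien").mkdir(parents=True)
        (root / "js").mkdir()
        (root / "var/cache").mkdir(parents=True)
        (root / "lib/Varien/Autoload.php").write_text("<?php\nclass Varien_Autoload {}\n")
        (root / "js/checkout.js").write_text("// legitimate checkout script\n")
        (root / "var/cache/entry").write_text("cache")

        # var/ churns legitimately (cache, sessions); everything else is in scope.
        exclude = ("var/",)
        baseline = build_manifest(root, exclude)

        # Tamper the way an attacker with server access would: append to a core
        # file and drop a new script. Placeholder content, not a skimmer.
        with open(root / "lib/Varien/Autoload.php", "a") as f:
            f.write("// unexpected appended line\n")
        (root / "js/extra.js").write_text("// newly dropped file\n")
        (root / "var/cache/entry").write_text("changed")   # excluded, must not alert

        return verify(root, baseline, exclude)


if __name__ == "__main__":
    print(demo())
```

Store the manifest off the web server and protect it (signed, or at least on a host the store cannot write to): the same attacker who edited Autoload.php can edit a baseline kept next to it. Run the verify step from a trusted host or a read-only mount, and treat any change to a core file as an incident until explained by a deployment.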
Underground Market
(Screenshots)
Special thanks to:
@gwillem
@ydklijnsma
@jeromesegura
@unmaskparasites
@jspchc