Cybersecurity Blog
Trend Shows Cybercriminals Are Turning to Formjacking

A newly released global cyberthreat trend report shows that cybercriminals are turning to formjacking as a new get-rich-quick scheme. In the recently released Internet Security Threat Report, Symantec reported that, on average, more than 4,800 unique websites are compromised with formjacking every month. According to Symantec, formjacking has increased dramatically since mid-August 2018. By the end of 2018, Symantec said it had detected 3.7 million formjacking attacks, with nearly a third of all detections occurring during November and December, the busiest online shopping period. Symantec said that while any organization that processes payments online, regardless of size and location, is a potential formjacking victim, small and medium-sized retailers are, by and large, the most widely compromised by formjacking attackers.

What Is Formjacking?

Formjacking is a type of cyberattack that injects malicious code into website forms. The injected code lets attackers steal credit card details and other personal and financial information entered into the compromised forms, because the data is automatically sent to the attackers as it is entered. Attackers can use the stolen information to commit payment card fraud or sell it to other cybercriminals. According to Symantec, attackers need only 10 stolen credit cards from each of the more than 4,800 compromised websites each month to earn up to $2.2 million per month, given that each card currently sells for $45 in underground forums.

How Are Formjacking Attacks Carried Out?

In recent months, two methods of formjacking attack have been observed: supply chain attacks and redirection chains.

Supply Chain Attack

One of the ways formjacking attackers gain access to a website and change the code on its checkout page is through a supply chain attack.
In a supply chain attack, attackers gain access to a large organization's website and change the code on its checkout page by exploiting security vulnerabilities in a smaller business that the larger company uses to provide various services. The Ticketmaster formjacking case is an example of a formjacking attack carried out by means of a supply chain attack. In the Ticketmaster case, attackers injected malicious code into Ticketmaster's checkout pages after compromising a chatbot that Ticketmaster used for customer support. This malicious code enabled the attackers to capture payment card data and other customer information and send it to their servers. The chatbot was hosted by Inbenta, an external third-party supplier to Ticketmaster. Inbenta chief executive Jordi Torras told ZDNet that attackers exploited a number of vulnerabilities in Inbenta's servers and in the process altered the chatbot code. "It has been confirmed that the source of the data breach was a single piece of JavaScript code, that was customized by Inbenta to meet Ticketmaster's particular requirements," Jordi Torras said. "The JavaScript we created specifically for Ticketmaster was used on a payments page, which is not what we built it for. Had we known that script would have been used in that way, we would have advised against it, as it poses a security threat." The Ticketmaster formjacking case, therefore, was not directly an attack against Ticketmaster but an attack on its third-party supplier, Inbenta. It is worth noting that a supply chain attack was also used in the 2017 NotPetya attack, in which MEDoc, a tax and accounting software package, was used for the initial insertion of the NotPetya malware into corporate networks. Supply chain attacks show that cybersecurity hygiene should not be limited to an organization's internal IT systems but must also cover third-party software and applications.
Redirection Chain

A redirection chain as a means of carrying out a formjacking attack is a new technique that attackers began using in late 2018. In a redirection chain attack, a user on the checkout page of one online retailer is redirected to the checkout page of another online retailer that has been injected with formjacking code. When the user enters payment information, it is sent both to the retailer and to the attackers. In December 2018, Symantec reported that it had detected the checkout page of a retail store in Paris that was injected with formjacking code. The injected code, Symantec said, collects the payment information entered by customers and posts it to the domain google-analyitics.org, a lookalike of the legitimate Google Analytics domain. Symantec observed that the checkout pages of popular online retailers in different countries, including the U.S., Japan, Australia and Germany, redirected to this one Paris checkout page. “This created an interesting redirection chain as customers of all these websites were being infected by formjacking at the same time,” Symantec said. Symantec added that, to make matters worse, the formjacking code in this redirection chain attack comes with Firebug, a debugging tool that prevents security researchers from analyzing the malicious code.

Prevention

Formjacking attacks are becoming more sophisticated and stealthy, as the examples above show. Users of compromised checkout pages may not realize they are victims of formjacking, because compromised checkout pages generally continue to operate as normal. Here are some cybersecurity measures to prevent formjacking attacks:
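As an added example (not code from the original post or from Symantec), a Python audit of two controls that address the supply-chain and redirection-chain cases above: it flags cross-origin scripts loaded without Subresource Integrity, and evaluates whether a Content-Security-Policy still lets the page send form data to a collection domain such as google-analyitics.org. The page origin, vendor hostnames, sample HTML and both policies are assumptions.

```python
"""Audit a checkout page for two formjacking controls: cross-origin scripts
loaded without Subresource Integrity (the Inbenta/Ticketmaster path) and a
Content-Security-Policy that leaves an exfiltration channel open to a domain
such as google-analyitics.org. Sample HTML, policies and hosts are constructed."""
import re
from urllib.parse import urljoin, urlparse

SCRIPT_RE = re.compile(r'<script\b([^>]*)\bsrc\s*=\s*["\']([^"\']+)["\']([^>]*)>', re.I)


def unpinned_third_party_scripts(html, page_origin):
    """Return src URLs of cross-origin <script> tags that carry no integrity= attribute."""
    page_host = urlparse(page_origin).netloc
    findings = []
    for before, src, after in SCRIPT_RE.findall(html):
        if urlparse(urljoin(page_origin, src)).netloc == page_host:
            continue  # first-party script: SRI does not defend against a compromised origin
        if not re.search(r'\bintegrity\s*=', before + after, re.I):
            findings.append(src)
    return findings


def parse_csp(header):
    """Map each CSP directive name to its list of source expressions."""
    policy = {}
    for part in header.split(';'):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def source_matches(source, page_origin, target):
    """Does one CSP source expression permit the parsed target URL?"""
    s = source.strip("'").lower()
    if s == 'none':
        return False
    if s == 'self':
        page = urlparse(page_origin)
        return (target.scheme, target.netloc) == (page.scheme, page.netloc)
    if s == '*':
        return True
    if re.fullmatch(r'[a-z][a-z0-9+.-]*:', s):      # scheme source such as https:
        return target.scheme + ':' == s
    host = re.sub(r'^[a-z][a-z0-9+.-]*://', '', s).split('/')[0]
    if host.startswith('*.'):                        # wildcard host, e.g. *.example.test
        return (target.hostname or '').endswith(host[1:])
    return host in (target.netloc, target.hostname)


# Fetch directives fall back to default-src when absent; form-action does not.
FETCH_DIRECTIVES = {'connect-src', 'img-src', 'script-src'}
# Channels a skimmer commonly uses to ship captured card data off the page.
EXFIL_DIRECTIVES = ('connect-src', 'img-src', 'form-action')


def csp_allows(policy, directive, page_origin, url):
    """True when the policy permits `directive` to reach `url`."""
    target = urlparse(url)
    sources = policy.get(directive)
    if sources is None:
        if directive not in FETCH_DIRECTIVES:
            return True
        sources = policy.get('default-src')
        if sources is None:
            return True                              # no policy at all
    return any(source_matches(s, page_origin, target) for s in sources)


def open_exfil_channels(csp_header, page_origin, attacker_url):
    """Which exfiltration channels would the policy still allow to attacker_url?"""
    policy = parse_csp(csp_header)
    return [d for d in EXFIL_DIRECTIVES if csp_allows(policy, d, page_origin, attacker_url)]


# Constructed inputs: a checkout page embedding a vendor chatbot, two policies,
# and the typosquatted collection domain named in the post.
PAGE_ORIGIN = 'https://checkout.example-shop.test'
SAMPLE_HTML = """<html><head>
<script src="/js/app.js"></script>
<script src="https://chatbot.example-vendor.test/widget.js"></script>
<script src="https://cdn.example.test/lib.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
</head><body><form action="/pay" method="post"></form></body></html>"""
WEAK_CSP = "default-src 'self' https:; script-src 'self' https://chatbot.example-vendor.test"
STRICT_CSP = ("default-src 'self'; script-src 'self' https://chatbot.example-vendor.test; "
              "connect-src 'self'; img-src 'self'; form-action 'self'")
SKIMMER_URL = 'https://google-analyitics.org/collect'

if __name__ == '__main__':
    print('scripts without SRI:', unpinned_third_party_scripts(SAMPLE_HTML, PAGE_ORIGIN))
    print('weak CSP leaves open:', open_exfil_channels(WEAK_CSP, PAGE_ORIGIN, SKIMMER_URL))
    print('strict CSP leaves open:', open_exfil_channels(STRICT_CSP, PAGE_ORIGIN, SKIMMER_URL))
```

The weak policy's `https:` wildcard lets any HTTPS destination through, which is exactly what a skimmer posting to a lookalike domain needs; pinning connect-src, img-src and form-action to known hosts closes those channels even when the injected script still runs.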
Don't have cybersecurity resources or a dedicated CISO? Contact us today to mitigate IT risks, fast.

Why Small Businesses Are at Risk of Cyberattacks

Launching a small business is hard work. It takes months of planning, research, marketing and strategizing. It demands commitment, sweat, possibly even tears. But once you have that enterprise up and running, the realization that you've carved your own niche in a highly competitive marketplace makes it all worth it. Imagine you've gone through this process. Imagine you've invested all your energy, resources and money into building a small business. Imagine you're feeling confident in your brand and excited for what the future holds. Now, imagine how devastated you'd feel if your company was attacked by a cybercriminal. Sadly, it's a common occurrence, and an expensive one. Research shows 43 percent of cyberattacks target small businesses, and data breaches can cost in excess of $250,000 in extreme cases. A large-scale cyberattack can leave your small business facing real financial difficulties, expose your valuable data and prompt your clients to wonder how safe their information is in your hands. Needless to say, this chain reaction can have a crushing impact on your small business. It could cause extensive disruptions to your workflow, triggering delays and adding friction to your client relationships. So, why do hackers target small businesses? And what can you do to help safeguard your growing enterprise from their attacks?

A Complacent Approach to Cybersecurity

One reason hackers tend to target small businesses is complacency. Not every emerging company falls into this camp, of course; some do take a strict approach to securing their network. However, it's not uncommon to find small-business owners believing themselves to be 'too small' for hackers to target. This mindset can be dangerous. It's the very thing hackers bank on to gain access to your system.
A Lack of Investment

Another issue is the lack of funds to finance high-quality cybersecurity solutions, and that's understandable. After all, you have so much to cover already. Salaries. Rent. Equipment. The list goes on and on. But cybersecurity must be a priority for your small business. Never underestimate hackers' ruthlessness: a company without the money to pay for effective safeguards, or without a real grasp of how vulnerable it is, is an ideal target. Criminals see an ill-informed, ill-prepared enterprise as low-hanging fruit. Don't make their 'work' easier. Don't give them any obvious vulnerabilities to exploit.

Small Businesses Are More Likely to Pay Ransoms

Ransomware has been a growing threat to companies of all sizes in the past year or so. Hackers essentially lock businesses out of their own systems (or at least parts of them) and demand money in exchange for restoring access. Businesses don't have to pay up to get full access again, as experts can help. However, small companies that may be a little less educated on the topic will believe handing the money over is the only way out of the situation. They may also feel that being unable to keep operating will put them out of business.

Untrained Staff Fall Prey to Phishing Scams

Hackers see small businesses as ripe targets because their staff may not be aware of common malware attacks and phishing scams. They may not recognize the warning signs of, say, infected email attachments or dangerous links. This can open the door to data breaches, ransomware and more. Any employees responsible would no doubt feel incredibly guilty as their colleagues and clients face the consequences of their mistake. But it's not just their fault: it's up to small businesses to make sure proper education and training is in place to maximize workers' knowledge, boost vigilance and minimize threat levels.
How Can Small Businesses Protect Themselves Against Cyberattacks?

As a small-business owner, there are multiple steps you can take to protect your company, your employees and your clients from cybersecurity risks.

Implement a strict password strategy

We all have numerous passwords for online accounts. Maybe you have one or two for your banking. Perhaps a few more for streaming services (Netflix, Hulu etc.). You'll probably have others for social networks too (Facebook, Twitter, Instagram, WhatsApp, to name just a few). It's hard to keep track of them all. That's why so many of us use the same single password for every account, and that's dangerous: if a hacker cracks it, they have access to everything else too. You can't afford to make the same mistake with your business's security. Make sure your team members understand just how important unique passwords are for the tools they use on a daily basis. They should create passwords that include a mix of lowercase and uppercase characters, numbers and symbols. This takes more time and can feel like a hassle, but it's well worth it for the added peace of mind. Make sure to change passwords once or twice a month, if not more often.

Invest in expert training

Consider bringing a cybersecurity expert into your business to train your employees on effective steps they can take to minimize the risk of exposing data to criminals. This can make a big difference and empower workers with the confidence to remain vigilant at all times. If every member of the team knows how to identify a potential threat and take action to avoid it, your small business will be much safer against cyberattacks.

Be careful with authorizations

Sadly, cyberattacks may not originate from outside your business; they could be the work of an employee. This may be an individual with a grudge or simply someone who's incompetent. Whatever the reason, internal threats can be prevented by reviewing your authorization strategy.
Take care to only grant your most trustworthy, reliable employees access to sensitive data. Monitor your team's activities and update your cybersecurity measures on a regular basis. Every small business must take cyberattacks seriously. Never assume you're not at risk just because there are so many bigger targets to aim for; this complacency and lack of preparation could be a hacker's way in. Trust our experts to provide all the help you need with your small business's cybersecurity. Contact us today to discuss your options with a member of our team and subscribe to our newsletter for the latest essential updates.

Can Your Organization Survive a Cyberattack That Permanently Destroys Data?

Financial gain, whether short-term or long-term, is the motive of most cybercriminals. Some, however, aren't after financial gain; they're simply out to cause as much damage as possible. The recent cyberattack on email service provider VFEmail shows this unconventional motive of pure destruction. Milwaukee-based VFEmail, founded in 2001, provides email service to businesses and individuals. The first hints of the attack on VFEmail came on February 11, when the company's Twitter account issued a series of tweets about the attack, starting with one that said, “This is not looking good. All externally facing systems, of differing OS's and remote authentication, in multiple data centers are down.” By 5 PM on February 11, the company declared on its website, “We have suffered catastrophic destruction at the hands of a hacker.” The company added that the attacker had destroyed nearly two decades' worth of email, all data in the US, on both primary and backup systems. The company further said that the attacker hadn't asked for a ransom. “Just attack and destroy," the company said. When asked about the identity of the attacker, VFEmail owner Rick Romero tweeted that it could be "someone who had data they didn't want found or I really pissed off."
This recent incident isn't the first time cybercriminals have targeted VFEmail. In a blog post dated November 4, 2015, Romero shared that a group of hackers had threatened to launch a distributed denial-of-service (DDoS) attack on his email service if he didn't pay 5 Bitcoins. True enough, after he refused to pay, VFEmail's service was disrupted by a DDoS attack, prompting Romero to expose the group's extortion campaign. In 2017, the company's email service was again disrupted by a series of DDoS attacks, prompting the company to move to a new hosting provider. In 2018, the service was disrupted by a DDoS attack once more. It isn't clear what actually caused the latest cyberattack on VFEmail. What is clear is that nearly two decades' worth of the company's email, all data in the US on both primary and backup systems, is lost forever.

Other Cases of Disruptive Cyberattacks

WannaCry and NotPetya

WannaCry and NotPetya are two examples of cyberattacks that were meant mainly to destroy. At the height of the WannaCry attack on May 12, 2017, an estimated 300,000 computers in 150 countries were infected by the WannaCry malicious software (malware). Six weeks after the WannaCry attack, the NotPetya malware was launched, although it didn't have as much impact as WannaCry. Both WannaCry and NotPetya exhibit the characteristics of ransomware, a type of malware designed to deny legitimate users access to their files by encrypting them. Like other ransomware, WannaCry and NotPetya demanded a ransom from their victims, promising that once the ransom was paid, the decryption key that would unlock the encrypted files would be provided. While exhibiting the characteristics of ransomware, both WannaCry and NotPetya were later found to be wipers: malware whose sole purpose is to destroy.
Both WannaCry and NotPetya are considered wipers rather than ransomware because, even when a victim paid the ransom, the attackers could not supply the correct decryption key: they had no way of determining who had paid and who hadn't.

Shamoon

Shamoon is another malware whose main purpose is destruction. In December 2018, Italian oil services firm Saipem reported that its servers in the Middle East, India, Aberdeen and, to a limited extent, Italy were infected by a variant of the Shamoon malware. As is typical of Shamoon, Saipem said in a statement, the infection resulted in the "cancellation of data and infrastructures." Days after the statement, the company's head of digital and innovation, Mauro Piasere, told Reuters that the attack crippled between 300 and 400 servers and up to 100 personal computers out of a total of about 4,000 Saipem machines. According to Symantec, the latest version of Shamoon is far more destructive than the original because it carries a new, second piece of wiping malware called “Trojan.Filerase,” which deletes and overwrites files on the infected computer, while the original Shamoon malware itself erases the computer's master boot record, rendering it unusable. Because of the Filerase component in the latest version, Symantec said, recovery becomes impossible, whereas with the older version of Shamoon the “files on the hard disk may be forensically recoverable.”

Prevention

Here are some cybersecurity best practices to help prevent or minimize the effects of destructive cyberattacks, attacks that are meant to destroy:

Keep All Software Up-to-Date

Installing the latest patch or security update in a timely manner is one way to keep destructive attacks at bay. Patches and security updates fix known security vulnerabilities that are likely to be exploited by cybercriminals.
Back Up Important Data

Just as you safeguard your organization's data against natural disasters such as fire and flood, keeping a backup of important data will enable your organization to bounce back from a debilitating destructive cyberattack. The VFEmail case above shows why that backup must be kept offline or otherwise isolated from production systems: an attacker who can reach both primary and backup storage destroys both.

Practice Network Segmentation

It's also important to practice network segmentation, the process of dividing your organization's network into subnetworks. Network segmentation ensures that if an attacker infiltrates one of your organization's subnetworks, the others won't be affected.

Why Nonprofits Are Easy Targets for Phishing Attacks

Cybersecurity was once low on the list of priorities for nonprofit organizations. Times, however, are changing. In recent years, nonprofit organizations have become an easy target for phishing attacks. In a 2018 study drawn from a data set of more than 6 million users, KnowBe4 found that nonprofit organizations have the highest percentage of “phish-prone” employees in the large-organization (1,000 or more employees) category. KnowBe4 determines the phish-prone percentage from the number of employees who open a malicious attachment or click a malicious link in a simulated phishing email.

What Is a Phishing Attack?

A phishing attack is a type of cyberattack that uses a fraudulent email as its weapon. The email appears to come from a reputable source but is fraudulent. A phishing email carries a malicious attachment or a malicious link. When the malicious attachment is downloaded, it installs malicious software (malware) on the recipient's computer. When the malicious link is clicked, it leads the recipient to a fake website that coaxes them into revealing confidential information, or the scam site is used to download malware onto the victim's computer.
Why Are Nonprofit Organizations Targeted?

Nonprofit organizations are repositories of critical data, including benefactors' names, addresses and credit card details, as well as critical client data and, in the case of nonprofit research organizations, proprietary information. Aside from donations from individuals, nonprofits are entrusted by governments with significant financial and social responsibilities. In some local governments, some of the top contractors are nonprofits with contracts worth millions. Holding such critical information and funds makes nonprofit organizations attractive to cybercriminals. While nonprofit organizations face the same security risks as for-profit organizations, nonprofits generally lag behind for-profit organizations in implementing the policies and practices necessary to secure their IT systems. Cybercriminals have come to realize that nonprofits lack the resources to implement cybersecurity best practices, making them easy targets for phishing attacks.

How Do Phishing Attacks Impact Nonprofits?

Here are two ways in which phishing attacks impact nonprofit organizations:

1. Ransomware Attacks

Ransomware is a type of malware that denies victims access to their computer files until a ransom is paid. Ransomware is often spread through phishing emails. In March 2016, four computers at the Ottawa Hospital, a nonprofit public university teaching hospital, were infected with the ransomware called “WinPlock”. Kate Eggins, the institution's director of media relations, told IT World Canada that four staff at the institution each clicked a phishing email, which resulted in the installation of the WinPlock ransomware. According to Microsoft, WinPlock ransomware encrypts files, denying users access to them. After encrypting the files, the ransomware displays a ransom note asking for one Bitcoin as payment.

2. Business Email Compromise (BEC) Attacks

Business Email Compromise (BEC), also known as CEO fraud, is a form of phishing attack in which an attacker impersonates an executive of an organization, often the CEO (hence the name CEO fraud), and attempts to trick an employee authorized to make payments into paying a fake invoice or making an unauthorized transfer from the organization's bank account to the fraudster's bank account. In its 2017 tax report, nonprofit organization Save the Children revealed that in April 2017 an unknown attacker or attackers impersonating an employee of the institution tricked it into transferring $997,400 to a fraudulent organization in Japan, in the belief that the money would be used to purchase solar panels for health centers in Pakistan. Save the Children said that by the time the scam was discovered in May 2017, the transferred funds could no longer be recovered. Save the Children told the Boston Globe that the attackers deceived the institution into transferring nearly $1 million to a fraudulent organization in Japan by breaking into an employee's email account and creating false invoices and other documents. The U.S. Federal Bureau of Investigation (FBI) reported that between October 2013 and May 2016, BEC attackers pocketed nearly USD 3.1 billion from 22,143 victims worldwide. The FBI said that in addition to compromising legitimate email accounts, attackers carry out BEC attacks using spoofed emails, those that closely mimic legitimate ones, for instance using the spoofed domain abc-company.com in place of the legitimate abc_company.com.

How Can Nonprofits Prevent Phishing Attacks?

Here are some cybersecurity measures to protect your organization from phishing attacks:
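An added example, not from the original post or the FBI: a sender check that catches the abc-company.com / abc_company.com style of lookalike domain described above, along with display-name spoofing of a legitimate address. The organisation's domain, the edit-distance threshold and the sample addresses are assumptions.

```python
"""Classify the sender of an incoming message against an organisation's own
domains, catching the abc-company.com / abc_company.com style of lookalike
quoted above as well as display-name spoofing. Domains, the distance
threshold and the sample addresses are constructed."""
import re


def sender_domain(address):
    """Domain of the actual sending address (the part after the last '@'), lower-cased."""
    m = re.search(r'@([A-Za-z0-9._-]+)>?\s*$', address.strip())
    return m.group(1).lower() if m else ''


def display_name(address):
    """Free-text display name preceding '<...>', or '' when there is none."""
    return address.split('<', 1)[0].strip().lower() if '<' in address else ''


def normalise(domain):
    """Collapse common imitation tricks so that lookalikes compare equal to the original:
    drop the TLD, strip separators, fold digit/letter homoglyphs and rn/m, vv/w."""
    label = domain.rsplit('.', 1)[0] if '.' in domain else domain
    label = re.sub(r'[-_.]', '', label)
    label = label.translate(str.maketrans('0135', 'oles'))
    return label.replace('rn', 'm').replace('vv', 'w')


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address, legit_domains, max_distance=2):
    """'legitimate', 'display-name spoof', 'lookalike' or 'unrelated'."""
    legit = [d.lower() for d in legit_domains]
    domain = sender_domain(address)
    if domain in legit or any(domain.endswith('.' + d) for d in legit):
        return 'legitimate'
    # The visible name claims one of our domains while the real sender does not.
    if any(d in display_name(address) for d in legit):
        return 'display-name spoof'
    n_dom = normalise(domain)
    for d in legit:
        n_legit = normalise(d)
        # Substring check catches "abccompany-payments"; keep legit names long enough
        # that it does not fire on unrelated domains.
        if n_legit in n_dom or levenshtein(n_dom, n_legit) <= max_distance:
            return 'lookalike'
    return 'unrelated'


# Constructed sample: the organisation's real domain is the one the post uses.
OUR_DOMAINS = ['abc_company.com']
SAMPLE_SENDERS = [
    'CEO <ceo@abc_company.com>',
    'CEO <ceo@abc-company.com>',              # separator swap, as described in the post
    'ceo@abc-c0mpany.com',                    # digit-for-letter homoglyph
    'ceo@abc_company.com <x@freemail.test>',  # legit address shown only as a display name
    'news@example.org',
]

if __name__ == '__main__':
    for s in SAMPLE_SENDERS:
        print(f'{classify_sender(s, OUR_DOMAINS):20} {s}')
```

A verdict of 'lookalike' or 'display-name spoof' on a message that asks for a payment or a bank-detail change is the trigger for the out-of-band confirmation step; the check complements, rather than replaces, SPF/DKIM/DMARC on the legitimate domain.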
And Finally, Alert Your Staff About Phishing Attacks

Phishing scammers are constantly changing their tactics. During your organization's regular cybersecurity training, include tips on how to spot the latest phishing schemes. For instance, one typical characteristic of a phishing email is a sense of urgency: the subject line pressures the recipient to act now or something negative will happen. When you need help with raising awareness and protecting your digital assets, speak with one of our cybersecurity and IT risk experts. Contact us today and subscribe to the newsletter to receive cybersecurity tips and important alerts.

Largest DDoS Attack by Packet Volume Unleashed

Cybersecurity software company Imperva recently uncovered the largest distributed denial-of-service (DDoS) attack by packet volume. According to Imperva, in early January this year the company's DDoS protection service mitigated a DDoS attack against one of its clients that unleashed more than 500 million packets per second, the most packets per second ever recorded.

What Is Packets Per Second (PPS)?

Packets per second (PPS) measures the forwarding rate: the number of network packets that networking equipment such as a router can process. Forwarding rate is often confused with throughput rate, also known as bandwidth. Throughput rate refers to the amount of data that can travel through your internet connection. Forwarding rate is measured in PPS, while throughput rate is measured in bits per second (bps) or gigabits per second (Gbps). In layman's terms, throughput rate can be likened to the weight capacity of an elevator, while forwarding rate can be likened to the maximum number of people permitted inside it. Like people, network packets come in different sizes and shapes.
Just as it is hard to know how many people will fit into an elevator because of their differing sizes and shapes, there is no fixed number of network packets in a gigabit; it depends entirely on packet size.

Protocol DDoS Attacks versus Volumetric DDoS Attacks

For years, DDoS protection service providers and their clients have focused on throughput attacks, also known as volumetric or bandwidth-intensive DDoS attacks. Forwarding attacks, also known as protocol DDoS attacks or PPS attacks, have received less attention.

Protocol DDoS Attacks

A protocol DDoS attack goes after server resources directly. This type of attack is measured in packets per second (PPS). If the packet rate is large enough, the server will crash. One way attackers crash servers in a protocol DDoS attack is the SYN flood. In a SYN flood, an attacker exploits part of the normal TCP three-way handshake, consuming resources on the targeted server and rendering it unresponsive. TCP, the Transmission Control Protocol, is the protocol that defines how computers send packets of data to each other. The attacker in a SYN flood sends TCP connection requests faster than the targeted computer can process them, causing network saturation. According to Imperva, the SYN flood that its DDoS protection service mitigated in early January this year was “augmented by a large syn flood (packets of 800-900 bytes)”. Imperva added, “The source ports and addresses of the traffic sent to our customer's server were highly randomized and probably spoofed.”

Volumetric DDoS Attacks

In a volumetric DDoS attack, an attacker sends voluminous traffic to a site to overwhelm its bandwidth. The DDoS attacks carried out with Mirai are examples of volumetric DDoS attacks.
Mirai is malicious software (malware) that infects computers, in particular internet of things (IoT) devices such as routers, by logging in with factory-default username and password combinations. The first version of Mirai infected hundreds of thousands of IoT devices this way. Once infected, these compromised IoT devices are turned into a botnet, an army of infected devices controlled by an attacker or attackers to conduct malicious activities such as DDoS attacks. The creator of Mirai made the malware's source code publicly available, enabling others to use it for their own ends. According to the UK National Crime Agency (NCA), Daniel Kaye from Egham, Surrey, operated his own Mirai botnet, composed of a network of infected Dahua security cameras, to carry out DDoS attacks on Lonestar, the largest Liberian internet provider. The NCA said that the traffic from Kaye's Mirai botnet was so high in volume that it disabled internet access across Liberia in November 2016. A UK court recently sentenced Kaye to 2 years and 8 months for this cybercrime. Another way attackers launch volumetric DDoS attacks is through memcached, a database caching system for speeding up websites and networks. Memcached isn't supposed to be exposed to the public internet. Arbor Networks, however, reported on February 27, 2018 that many memcached servers had been deployed worldwide with no authentication, leaving them open for attackers to abuse. On February 28, 2018, the popular code repository GitHub reported that its site had been unavailable for a few minutes as a result of a memcached-based DDoS attack that peaked at 1.35 Tbps via 126.9 million packets per second. A memcached attack works by sending spoofed requests to vulnerable servers, which then respond with a much larger amount of data than the spoofed requests, magnifying the volume of traffic.
Unlike Mirai, which needs to infect vulnerable devices, DDoS attacks using the memcached approach only need to spoof the victim's IP address and send small queries to multiple memcached servers. According to Akamai, memcached can have an amplification factor of over 500,000, which means that a 203-byte request results in a 100-megabyte response.

How to Prevent DDoS Attacks

While PPS and bandwidth-intensive DDoS attacks are both highly damaging to victims, they differ in terms of mitigation. The GitHub DDoS attack was considered the largest ever at the time, peaking at 1.35 Tbps, yet its packet rate was only 126.9 million packets per second, roughly a quarter of the packet rate in the recent attack uncovered by Imperva. "For a DDoS protection or mitigation service, mitigating a high PPS attack can be its Achilles heel, while a bandwidth-intensive attack can be much easier to handle, even with hundreds of gigabits per second, if it is composed of a smaller number of large-sized packets,” Imperva said. The Driz Group is Imperva's partner and can help your organization mitigate DDoS attacks in a matter of minutes. Contact us today and protect your infrastructure and sensitive information.
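An added example, not from the post, Imperva or Akamai: the PPS versus bandwidth arithmetic worked through with the figures quoted above (GitHub's 1.35 Tbps at 126.9 million packets per second, the 203-byte memcached request and 100-megabyte response), plus a SYN-flood detector run over constructed traffic. The detection thresholds, the sample packets and the 850-byte average packet size are assumptions.

```python
"""The packet-rate (PPS) versus bandwidth (bps) arithmetic behind the attacks
quoted above, plus a small SYN-flood detector run over a constructed packet
sample. Thresholds, the sample traffic and the 850-byte average are assumptions."""
from dataclasses import dataclass
from typing import Iterable, List


def packets_per_second(bits_per_second, packet_bytes):
    """Packet rate that a bandwidth figure implies if every packet is packet_bytes long."""
    return bits_per_second / (packet_bytes * 8)


def bandwidth_bps(pps, packet_bytes):
    """Bandwidth that a packet rate consumes at a given packet size."""
    return pps * packet_bytes * 8


def average_packet_bytes(bits_per_second, pps):
    """Mean packet size implied by an attack's bandwidth and packet-rate figures."""
    return bits_per_second / (pps * 8)


def amplification_factor(request_bytes, response_bytes):
    """Reflected-amplification factor: bytes returned per byte of spoofed request."""
    return response_bytes / request_bytes


@dataclass(frozen=True)
class Packet:
    ts: float    # arrival time in seconds
    src: str     # source IP address
    sport: int   # source port
    flags: str   # TCP flags as letters, e.g. "S" (SYN), "A" (ACK)
    size: int    # bytes on the wire


def syn_flood_stats(packets: Iterable[Packet], min_window_s: float = 1.0) -> dict:
    """Counters a SYN-flood rule needs over the sample's time span."""
    pkts = sorted(packets, key=lambda p: p.ts)
    if not pkts:
        return {'syn_count': 0, 'syn_pps': 0.0, 'ack_count': 0,
                'unique_src': 0, 'unique_sport': 0, 'bps': 0.0}
    span = max(pkts[-1].ts - pkts[0].ts, min_window_s)
    syns = [p for p in pkts if p.flags == 'S']
    return {
        'syn_count': len(syns),
        'syn_pps': len(syns) / span,
        'ack_count': sum(1 for p in pkts if 'A' in p.flags),
        'unique_src': len({p.src for p in syns}),
        'unique_sport': len({p.sport for p in syns}),
        'bps': sum(p.size for p in pkts) * 8 / span,
    }


def is_syn_flood(packets, syn_pps_threshold=1000.0, min_unique_sources=200):
    """A high SYN rate from many (likely spoofed) sources, with almost no ACKs
    completing the handshake, is the pattern Imperva described."""
    s = syn_flood_stats(packets)
    return (s['syn_pps'] >= syn_pps_threshold
            and s['unique_src'] >= min_unique_sources
            and s['ack_count'] < 0.1 * s['syn_count'])


def legitimate_sample() -> List[Packet]:
    """Constructed: 50 clients each completing a handshake (SYN, then ACK) within a second."""
    out = []
    for i in range(50):
        src, port = f'203.0.113.{i}', 40000 + i
        out.append(Packet(i * 0.01, src, port, 'S', 60))
        out.append(Packet(i * 0.01 + 0.005, src, port, 'A', 52))
    return out


def flood_sample(count: int = 5000) -> List[Packet]:
    """Constructed, deterministic SYN-only flood: randomized-looking sources and ports,
    850-byte packets, in the spirit of the 800-900 byte SYN flood Imperva described."""
    return [Packet(i / count, f'198.51.100.{i % 256}', 1024 + (i * 7919) % 60000, 'S', 850)
            for i in range(count)]


if __name__ == '__main__':
    # Figures from the post: GitHub 2018 at 1.35 Tbps and 126.9 Mpps; memcached 203 B -> 100 MB.
    print('GitHub attack mean packet size: %.0f bytes' % average_packet_bytes(1.35e12, 126.9e6))
    print('1 Gbps of 64-byte packets: %.0f pps' % packets_per_second(1e9, 64))
    print('1 Gbps of 1500-byte packets: %.0f pps' % packets_per_second(1e9, 1500))
    print('500 Mpps of 850-byte packets: %.2f Tbps' % (bandwidth_bps(500e6, 850) / 1e12))
    print('memcached amplification: %.0fx' % amplification_factor(203, 100 * 1024 * 1024))
    print('legitimate sample flagged:', is_syn_flood(legitimate_sample()))
    print('flood sample flagged:', is_syn_flood(flood_sample()))
```

The first three lines of output make the elevator point concrete: one gigabit is about 1.95 million 64-byte packets but only about 83,000 1500-byte packets, which is why a mitigation service sized in Gbps can still be overrun by a modest-bandwidth flood of small packets.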
Author: Steve E. Driz, I.S.P., ITCP

Published 2/23/2019