VisionDirect, one of Europe’s largest online optical retailers, dealing in contact lenses and eye-care products, has announced that a number of its domains suffered a data breach in which hackers stole customers’ credit card and banking data.
The data breach, according to VisionDirect’s security advisory, took place between November 3rd and November 8th, and customers who shopped on or logged into the site during those days are among the victims. However, customers who paid with PayPal during this period were unaffected.
The data stolen by the hackers includes full name, email address, password, billing address, phone number, and payment card information, including card number, expiry date, and CVV.
Hackers used Fake Google Analytics code
The attack on VisionDirect appears to be quite sophisticated: hackers placed malicious JavaScript code on the site to steal financial data as soon as it was entered. This type of attack is known as a MageCart attack, and in this case the malicious code was disguised as Google Analytics.
That's exactly what it was. The data was stolen via a fake Google Analytics script: https://g-analyticscom/libs/1.0.16/analytics.js – you can view a copy of the JS via the @urlscanio archive of https://t.co/TV22dxvCcK https://t.co/SFi5Wp4gm3
— Bad Packets by Okta (@bad_packets) November 18, 2018
During the attack, hackers used the domain g-analyticscom, which closely resembles the official Google Analytics domain; this is probably why the company did not notice the malicious script on its domains.
Previously, the Newegg and OnePlus websites were also compromised through MageCart attacks; in both cases, hackers stole customers’ credit card data. Most recently, hackers used the same tactics in the British Airways data breach, in which the financial data of 380,000 customers was stolen.
Bryan Becker, an application security researcher at WhiteHat Security, said that “Although we cannot confirm attribution, this attack has all the hallmarks of a ‘Magecart’ attack.”
“Some of the key indicators include the fact that the attacker inserted fake code onto the page (in the form of a fake Google analytics script); the fake code scraped customer details at checkout and sent them offsite to a hacker-controlled domain, and the attacker made use of a fake, but legitimate-sounding domain to send data to, in order to reduce suspicion,” Becker added.
How to protect yourself from MageCart attacks
Becker also shared some tips for website owners on protecting themselves from MageCart attacks: “If you are worried about your site, MageReport can quickly scan it and let you know if it appears vulnerable.”
“Then, the oldest advice still stands the most important. Train your employees regularly on security awareness and put in strong safeguards within the company. If your employees can recognize phishing attempts, then the hacker can’t even get past step one. It’s also important to scan internal codebases and external-facing code. If you think of running dynamic application security testing (DAST) scans on your external-facing website as protecting your customers, then think of scanning internal tools as protecting your employees.”
“Also to note, part of Magecart’s attack was offloading the stolen data to a ‘fake’ website. The only way to catch this after the fact is to examine suspicious outgoing connections when browsing the website – which is as frustrating and error-prone as it sounds. Some IPS/IDS/secure web gateways are set to do this, some are not. Of course, the fool-proof (and probably simplest) way to protect against this is to configure strong Content Security Policy (CSP) Headers. This header controls exactly which domains are allowed to communicate with your website and what they are allowed to do,” Becker advised.
“With proper configuration, this header can stop all XSS in its tracks, even if the code itself is vulnerable, by directing the browser to reject all JavaScript that isn’t delivered from the pre-configured servers. Even if your site was infected with the Magecart code, the browser would refuse to send the stolen data to the imposter website, thus completely mitigating the attack. I don’t want to promise that CSP is a silver bullet, but it’s at least a bronze bullet,” Becker concluded.
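To make Becker’s CSP advice concrete, here is a small added example (not code from the article, VisionDirect or WhiteHat Security) that serialises a checkout-page policy and then checks, with a simplified subset of the CSP host-source matching rules (scheme, host and leading wildcard only; no port or path handling), which script and connection destinations the browser would allow. The shop origin and the look-alike analytics host are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed origin of the shop whose checkout page sets the header.
SITE_ORIGIN = "https://www.example-shop.test"

# Only the site itself and the genuine analytics host may serve scripts or
# receive XHR/fetch/beacon traffic; checkout forms may post only to the site.
CSP = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://www.google-analytics.com"],
    "connect-src": ["'self'", "https://www.google-analytics.com"],
    "form-action": ["'self'"],
}

def csp_header(policy: dict) -> str:
    """Serialise the policy into a Content-Security-Policy header value."""
    return "; ".join(f"{d} {' '.join(s)}" for d, s in policy.items())

def _host_matches(pattern_host, host) -> bool:
    """'*.example.com' matches any subdomain; otherwise hosts must be equal."""
    if not pattern_host or not host:
        return False
    if pattern_host.startswith("*."):
        return host.endswith(pattern_host[1:])
    return host == pattern_host

def source_allowed(directive: str, url: str, policy: dict = CSP) -> bool:
    """Simplified CSP check: may `directive` (e.g. script-src) use `url`?

    Fetch directives missing from the policy fall back to default-src, as in
    the spec; form-action is listed explicitly because it has no fallback.
    """
    sources = policy.get(directive, policy["default-src"])
    target = urlsplit(url)
    self_origin = urlsplit(SITE_ORIGIN)
    for src in sources:
        if src == "'none'":
            return False
        if src == "'self'":
            if (target.scheme, target.hostname) == (self_origin.scheme, self_origin.hostname):
                return True
            continue
        # A host-source written without a scheme takes the page's scheme.
        pat = urlsplit(src if "://" in src else f"{self_origin.scheme}://{src}")
        if pat.scheme == target.scheme and _host_matches(pat.hostname, target.hostname):
            return True
    return False

if __name__ == "__main__":
    print(csp_header(CSP))
    # The genuine analytics script loads; a constructed look-alike host is
    # refused both as a script source and as an exfiltration endpoint.
    print(source_allowed("script-src", "https://www.google-analytics.com/analytics.js"))
    print(source_allowed("script-src", "https://g-analytics.test/libs/analytics.js"))
    print(source_allowed("connect-src", "https://g-analytics.test/collect"))
```

The same check, run against a site’s own `Content-Security-Policy` header and the third-party hosts its checkout page actually contacts, is a cheap way to confirm that an injected script would have nowhere permitted to send card data.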