One Article Review

Home - The article:
Source AlienVault.webp AlienVault Lab Blog
Identifier 8409194
Publication date 2023-11-10 11:00:00 (viewed: 2023-11-10 17:07:11)
Title Don't check out! – Credit card skimming activity observed
Text Our friends at BlackBerry recently released an in-depth blog post on a campaign by threat actors targeting online payment businesses that discusses what happens from initial compromise to the skimmer scripts themselves. You can read their blog here. This blog is focused on what we found across the AT&T Cybersecurity customer base as we looked for the indicators of compromise (IOCs) identified in the BlackBerry blog, and on the quick follow-up analysis we performed and provided to our customers.

As a part of the AT&T Managed Threat Detection and Response (MTDR) threat hunter team, we have the unique opportunity to perform threat hunting across our fleet of customers in a very fast and efficient manner. Leveraging the logs across hundreds of data sources, we can come up with our own hunt hypotheses and develop extremely complex searches to find potential prior incidents and compromises. We can also work with the AT&T Alien Labs team to turn that search syntax into a correlation rule. The Alien Labs team uses this backend data that we gather to create thousands of rules and signatures within the USM Anywhere platform. Threat hunters can also search for specific known tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) as we ingest and process cyber threat intelligence from both open sources (i.e., publicly available data) and closed sources (i.e., government or private data that is not publicly available).

When we looked for the TTPs that the attackers were using to deploy the credit card skimming scripts, our searches yielded no results, but when we searched for IOCs related to where the credit card data was exfiltrated during this campaign, we observed one domain come up across a few customers. Armed with key information such as time frames and which customers and users were impacted, we could now go deeper into USM Anywhere to investigate.
[Figure 1 – Web request for credit card skimming exfiltration domain]

Figure 1 shows that the request for the credit card skimming site was referred from another website, that of a well-known food company with an online purchasing option. We observed this to be the case for all the other customers too, with the food site being either the direct referer or the HTTP request right before the connection to the cdn[.]nightboxcdn[.]com site. One of the other impacted customers had a user's credit card information skimmed from a different compromised site (see Figure 2).

[Figure 2 – Traffic going to shopping site (redacted) followed by traffic to the skim exfiltration and then a legitimate payment site]

We can see that the user is on an online shopping site (redacted), followed by traffic to the exfiltration domain as well as to a legitimate payment portal service. We can conclude from the traffic flow that the user went to checkout and that after they input their payment details, this information went to both the exfiltration site and the legitimate payment service, ProPay. By using the website scanning tool urlscan.io and looking at a scan of the shopping site from May 23, 2023, we could see the skimming script appended to the jquery.hoverIntent.js file (the legitimate script ends after "});").

[Figure 3 – Skimming script appended to legitimate script]
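The hunt described above, as an added example that is not part of the original post: a small Python script that refangs the exfiltration indicator, walks constructed web-proxy log lines (timestamp, user, URL, referer; not real customer data), and for each request to the exfiltration domain reports the referring site, the user's preceding request (the likely compromised checkout page) and the following request (the legitimate payment portal), reproducing the traffic sequence shown in Figures 1 and 2. The log format, user names and hosts other than the article's domain are assumptions.

```python
import re
from collections import defaultdict

# Exfiltration domain from the article, written defanged exactly as the blog gives it.
EXFIL_DOMAIN = "cdn[.]nightboxcdn[.]com"

def refang(ioc):
    """Turn a defanged indicator (cdn[.]example[.]com, hxxp://...) back into a matchable form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()

def host_of(url):
    """Extract the lowercase host from a URL; '-' or a malformed value yields ''."""
    m = re.match(r"https?://([^/:?#]+)", url)
    return m.group(1).lower() if m else ""

def matches(host, target):
    """Exact host match or a subdomain of the indicator (e.g. a.cdn.nightboxcdn.com)."""
    return host == target or host.endswith("." + target)

# Constructed sample proxy log (assumed format: ts user url referer); hosts are placeholders.
SAMPLE_LOG = [
    "2023-11-01T10:00:01Z alice https://shop.example/cart https://shop.example/",
    "2023-11-01T10:00:02Z alice https://shop.example/checkout https://shop.example/cart",
    "2023-11-01T10:00:05Z alice https://cdn.nightboxcdn.com/img.gif https://shop.example/checkout",
    "2023-11-01T10:00:06Z alice https://pay.example/process https://shop.example/checkout",
    "2023-11-01T10:05:00Z bob https://news.example/article -",
]

def parse(line):
    ts, user, url, referer = line.split()
    return {"ts": ts, "user": user, "url": url, "referer": referer}

def hunt(lines, ioc=EXFIL_DOMAIN):
    """One finding per request to the exfil domain, with surrounding requests by the same user."""
    target = refang(ioc)
    per_user = defaultdict(list)
    for rec in map(parse, lines):          # group by user, preserving log order
        per_user[rec["user"]].append(rec)
    findings = []
    for user, recs in per_user.items():
        for i, rec in enumerate(recs):
            if not matches(host_of(rec["url"]), target):
                continue
            prev = recs[i - 1] if i else None
            nxt = recs[i + 1] if i + 1 < len(recs) else None
            findings.append({
                "user": user, "ts": rec["ts"],
                "referer_host": host_of(rec["referer"]),            # compromised site
                "previous_host": host_of(prev["url"]) if prev else "",
                "next_host": host_of(nxt["url"]) if nxt else "",    # legitimate payment portal
            })
    return findings
```

In USM Anywhere terms, the same logic is the seed of a correlation rule: a request to the IOC host whose referer or preceding request is a retail checkout page is the pivot from which the impacted customers and time frames were recovered.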
Sent Yes
Tags Tool Threat


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from a previous one.