IT NEWS

Ransomware money laundering operation disrupted, founder arrested

The US Department of Justice (DOJ) has released information about the arrest of Anatoly Legkodymov, the founder and majority owner of a cryptocurrency exchange called Bitzlato, on money laundering charges. Legkodymov, a Russian national who lives in China, is accused of processing over $700 million of illicit funds.

The US Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) also issued an order that identifies Bitzlato as a “primary money laundering concern” in connection with Russian illicit finance.

The exchange is thought to have fueled crypto-related crimes like ransomware by helping cybercriminals launder illegally obtained money.

As stated by Assistant Attorney General Kenneth A. Polite, Jr. of the Justice Department’s Criminal Division:

As alleged, the defendant helped operate a cryptocurrency exchange that failed to implement required anti-money laundering safeguards and enabled criminals to profit from their wrongdoing, including ransomware and drug trafficking.

Bitzlato’s largest counterparty in cryptocurrency transactions was Hydra, a Russian language dark web marketplace for narcotics, stolen financial information, fraudulent identification documents, and money laundering services.

What made Bitzlato popular among criminals was that it marketed itself as requiring minimal identification from its users. Where other exchanges require users to submit selfies and official IDs, Bitzlato said this was not required, and it allowed “straw man” registrants. According to the DOJ, these deficient know-your-customer (KYC) procedures allegedly made Bitzlato a haven for criminal proceeds and for funds intended for use in criminal activity.

Bitcoin, the cryptocurrency most used in cybercrime, is pseudonymous: transactions between entities are public and easy to trace, but the entities themselves are hidden behind addresses. If law enforcement can tie a bitcoin address to a person, they can see every transaction that person has made with it. That is why some countries insist that exchanges collect identifying information from customers when they open an account, so that transactions can be attributed to a real identity.

The lax procedures at Bitzlato would have given its users peace of mind that illicit transactions could not be traced back to them, since they were able to register their accounts using stolen identities.

To reassure its users, Bitzlato issued a statement saying it suffered a minor hack:

Our service was hacked, part of the funds was withdrawn from the service. 

We ask you DO NOT REPLENISH our service during the proceedings!

Withdrawals will also be suspended indefinitely.

Sincerely,
The Bitzlato Team.

It later added:

We want to inform you that the funds are completely safe. 

The attackers were able to withdraw a small part of the funds, but for all victims, we guarantee a refund!

As a security measure, we have disabled the service, we ask you not to replenish the wallets of our service until the work is restored.

The Bitzlato website was replaced by a notice saying that the service had been seized by French authorities as part of a coordinated international law enforcement action.

While Bitzlato is far from a leading name among cryptocurrency exchanges, according to Chainalysis it is one of the cryptocurrency businesses with a presence in Moscow City that have facilitated the most money laundering.

FinCEN said:

Bitzlato plays a critical role in laundering Convertible Virtual Currency (CVC) by facilitating illicit transactions for ransomware actors operating in Russia, including Conti, a Ransomware-as-a-Service group that has links to the Government of Russia.

While the crypto-exchange claimed not to allow users from the United States to register accounts, prosecutors said Bitzlato knowingly serviced US customers and conducted transactions with US-based exchanges using US online infrastructure. For at least some period of time, it was being managed by the defendant while he was in the United States.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Credit card fraud group member could get up to 30 years in jail

Card fraud, a staple diet of scammers online, is currently featuring heavily on the US Department of Justice portal. The reason? A story which has rumbled on for a few years finally seems to be pulling into its final destination, as a man admits his role in a slice of fraud which impacted thousands of people across the US.

A timeline of credit card fraud

Back in January 2019, three people alleged to be part of a “nationwide stolen credit card ring” were arrested. The gang was said to have racked up $3 million in unauthorised purchases, and its members were charged with conspiracy to commit bank fraud and aggravated identity theft.

The location where the arrest took place was filled with credit cards, which were alleged to have been bought online via the dark web and elsewhere. A network of women had been put together via social media; these individuals collected the purchased goods from different cities and received a cut of the profits once the items were sold on. Some of those involved had been flagged in the past for various crimes, many of them involving credit cards, including one related to “700 stolen accounts”.

The case went silent in the news until 2020, when Hamilton Eromosele, 29, pleaded guilty to one count of conspiracy to commit bank fraud. He was sentenced to 110 months in prison.

We now have some new crime related numbers to report, and it doesn’t look great for at least one of the other individuals involved.

Big fraud, big losses

Trevor Osagie, 31, has now pleaded guilty to a conspiracy charge. The conspirators made more than $1.5 million in fraudulent purchases using a tally of over 4,000 stolen credit card accounts.

Over a period of at least four years, from 2015 until November 2018, the crime network purchased everything from gift cards and hotel stays to rental cars and other goods and services. Despite being based primarily in the New York / New Jersey area, the group committed its crimes all over the US.

We have the why, but not the how

The indictment adds some context to the overall picture, though there is currently no deep dive into the group’s many activities. In fact, there is only one example listed, of how the group used aliases to email the card numbers to one another.

There’s also no word (yet) as to how people were recruited on social media to visit the different cities. Were these roles offered in public under the guise of being something legitimate? Did these opportunities come by private direct messaging? At this point, we simply don’t know.

In total, nine people are listed as having some level of involvement with the wide ranging fraud operation. Two financial organisations in particular incurred significant losses.

From doing crime to doing time

As Bleeping Computer notes, Osagie is now facing up to 30 years in prison. There’s also a potential maximum fine of up to $1 million, which definitely has the potential to put the brakes on some criminal activity.

We’ll hear the sentencing decision in a few months’ time, and then perhaps the full story of how this one played out, along with how the group was caught in the first place, will finally be revealed.



Mailchimp breach feels like deja vu

A threat actor successfully used compromised employee credentials to gain access to 133 accounts on Mailchimp, the mainstream Intuit-owned email marketing platform, in a security incident that recently came to light.

“On January 11, the Mailchimp Security team identified an unauthorized actor accessing one of our tools used by Mailchimp customer-facing teams for customer support and account administration,” said Mailchimp in a blog post. “The unauthorized actor conducted a social engineering attack on Mailchimp employees and contractors, and obtained access to select Mailchimp accounts using employee credentials compromised in that attack.”

The blog further asserts the company’s compromise had not affected other Intuit systems or other Mailchimp customer data.

Notably, very little detail has been shared about the attack, such as the specific social engineering tactic used against Mailchimp’s employees and contractors, who might be responsible, or how long the intruder had access to the company’s systems.

According to TechCrunch, which first reported the incident, Mailchimp detected the intruder accessing one of the tools used by its customer support and account administration teams. Upon discovering the targeted attack, it temporarily suspended the affected accounts and notified their owners of the breach.

“That afternoon, we sent another email to affected accounts with steps to help users reinstate access to their Mailchimp accounts safely. Since then, we’ve been working with our users directly to help them reinstate their accounts, answer questions, and provide any additional support they need.”

One of the 133 accounts affected belonged to WooCommerce, an immensely popular e-commerce plugin for WordPress with more than five million customers. TechCrunch said customer names, web store addresses, and customer email addresses might have been exposed in the compromise.

This latest incident with Mailchimp definitely calls back to the April 2022 breach when threat actors were able to breach 319 of its client accounts, mostly belonging to companies in the cryptocurrency and finance industries. Cryptocurrency wallet company Trezor had taken to Twitter to let followers know some of its services were also affected by the Mailchimp compromise.

Trezor said then, “Mailchimp have confirmed that their service has been compromised by an insider targeting crypto companies. We have managed to take the phishing domain offline.”

Since this attack, Mailchimp said it had implemented “an additional set of enhanced security measures”, but TechCrunch noted the company wasn’t specific about these measures.

“We know that incidents like this can cause uncertainty, and we’re deeply sorry for any frustration,” Mailchimp said. “We are continuing our investigation and will be providing impacted account holders with timely and accurate information throughout the process.”



LastPass users should move their crypto funds, experts warn

Several experts have warned LastPass users who store cryptocurrency-related login information in their vaults to change that information as soon as they can.

Cybercriminals who have access to the stolen vault data are reportedly prioritizing attempts to decrypt it in order to get at cryptowallets and online accounts.

Responders.nu tweet

The breach

According to LastPass, an unknown attacker accessed a cloud-based storage environment using information obtained in LastPass’ August 2022 breach. Some of the stolen source code and technical information were used to target another LastPass employee, allowing the attacker to obtain credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service.

Unencrypted data

As we mentioned in an earlier post about the LastPass breach, part of the stolen data was not encrypted. The unencrypted data included URLs, which could act as a pointer for the attacker to figure out which accounts deserve their attention. For example, if someone has stored their login credentials to Blockchain.com or any other crypto services platform in LastPass, the threat actor will be able to see the URL to that platform and then can choose to prioritize the attempts to decrypt that information.

Decrypt

At this point it is unclear whether the attacker is focusing on cracking the master passwords that protect these interesting vaults, or on the crypto-related login credentials inside them, but it is likely they will try both. And because they have stolen copies of the vaults, they can keep guessing offline for as long as they like: nothing on LastPass’s side can slow them down or lock them out.

Secret keys

If your secret keys (private keys or seed phrases) were in the stolen data, simply changing your passwords will not be enough. A secret key is what proves ownership of a blockchain address: whoever holds it can sign transactions from that address directly, so no password, recovery email or other account protection stands between the threat actor and the funds.

This is why the tweet by Responders.nu (a Dutch Incident Response cybersecurity firm) says that you will have to move your funds to a different account.

Changing your LastPass master password and enabling 2FA is good, but it does not help where attackers have a copy of your vault, because they can work on that copy at any time. Once they crack your master password, they will be able to see everything you stored in that vault in plaintext, and they have plenty of time to brute-force it.

We realize that opening new accounts and transferring funds to them is time-consuming and costly, but it is certainly better than waking up to a drained account.
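To make the two points above concrete (plaintext URLs let the attacker choose targets before cracking anything, and a stolen vault can be attacked offline regardless of what its owner later changes on the live service), here is an added example. It is not part of the original post and not LastPass’s code: it models a vault whose key is derived with PBKDF2 and whose fields are protected by a toy HMAC-based cipher standing in for AES, so it runs on the Python standard library alone. The iteration count, the sample entries and the wordlist are constructed for the example.

```python
import hashlib
import hmac
import os

# Assumption for this example: an illustrative PBKDF2 work factor. It is not a
# statement about LastPass's real setting, which differs by account age and configuration.
ITERATIONS = 100_100


def derive_vault_key(master_password, salt, iterations=ITERATIONS):
    """Derive the vault key from the master password with PBKDF2-HMAC-SHA256.
    With a stolen copy the attacker pays this cost once per guess, offline:
    no rate limit, lockout or 2FA prompt is ever involved."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)


def _keystream(key, nonce, length):
    # Toy counter-mode keystream built from HMAC so the example needs only the
    # standard library. It stands in for the AES a real password manager uses.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_field(key, plaintext):
    nonce = os.urandom(12)
    data = plaintext.encode()
    ciphertext = bytes(p ^ k for p, k in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_field(key, blob):
    """Return the plaintext, or None when the key is wrong (the MAC does not verify)."""
    nonce, ciphertext, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext)))).decode()


def make_vault(master_password, entries):
    """Build a vault in which the URL stays in the clear while usernames and
    passwords are encrypted, mirroring the mix of fields described above."""
    salt = os.urandom(16)
    key = derive_vault_key(master_password, salt)
    encrypted = [{"url": e["url"],
                  "username": encrypt_field(key, e["username"]),
                  "password": encrypt_field(key, e["password"])} for e in entries]
    return {"salt": salt, "iterations": ITERATIONS, "entries": encrypted}


def prioritize(vault, keywords):
    """What the attacker can do before cracking anything: pick targets by plaintext URL."""
    return [e for e in vault["entries"] if any(k in e["url"] for k in keywords)]


def offline_crack(vault, entry, wordlist):
    """Try candidate master passwords against the stolen copy. A correct guess is
    confirmed by a valid MAC on one encrypted field; no server is ever contacted."""
    for guess in wordlist:
        key = derive_vault_key(guess, vault["salt"], vault["iterations"])
        password = decrypt_field(key, entry["password"])
        if password is not None:
            return guess, password
    return None


# Constructed sample data for the example.
SAMPLE_ENTRIES = [
    {"url": "https://news.example.org/login", "username": "reader", "password": "just-a-news-site"},
    {"url": "https://login.blockchain.com/", "username": "hodler@example.com", "password": "Exch4nge-Pass"},
]
SAMPLE_WORDLIST = ["123456", "password", "letmein", "summer2022", "qwerty"]


def crack_stolen_copy(master_password, wordlist):
    """Create a vault under `master_password`, treat it as the exfiltrated copy, and
    run the offline attack against its most interesting entry. Whatever the owner
    changes on the live service afterwards does not touch this copy."""
    stolen_copy = make_vault(master_password, SAMPLE_ENTRIES)
    targets = prioritize(stolen_copy, ["blockchain.com", "coinbase.com", "binance.com"])
    return offline_crack(stolen_copy, targets[0], wordlist)


if __name__ == "__main__":
    print(crack_stolen_copy("summer2022", SAMPLE_WORDLIST))                   # weak master: recovered
    print(crack_stolen_copy("9!Kq#correct-horse-battery", SAMPLE_WORDLIST))  # not in the list: None
```

The weak master password falls to a five-word list, and nothing the owner does afterwards (rotating the master password, enabling 2FA) changes the attacker’s copy; only the original password’s strength and the iteration count stand between the copy and its plaintext. Anything reachable with that password must be treated as exposed, and keys that authorize funds directly have to be replaced, not re-protected.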

Class action

A “John Doe” class-action lawsuit has been filed against LastPass following the August 2022 data breach. The class action was filed with the United States district court of Massachusetts on January 3 by an unnamed plaintiff (John Doe) and on behalf of others similarly situated. Allegedly the data breach of LastPass has resulted in the theft of around $53,000 worth of Bitcoin.

We have reached out to LastPass, but it has not returned our request for comment. We will keep you posted about any developments here.



Update now! Two critical flaws in Git’s code found, patched

In a sponsored source code audit, security experts from X41 D-SEC GmbH (Eric Sesterhenn and Markus Vervier) and GitLab (Joern Schneeweisz) found two critical flaws in Git’s code. According to the high-level audit report, a vulnerability in Git could compromise source code repositories and developer systems, and a “wormable” one could result in large-scale breaches. Microsoft defines a flaw as “wormable” if exploiting it does not rely on human interaction, allowing malware to spread from one vulnerable system to another on its own.

The two critical flaws, tracked as CVE-2022-23521 and CVE-2022-41903, are integer overflows that lead to out-of-bounds memory writes, which an attacker could potentially turn into remote code execution.

A total of eight vulnerabilities were found in Git’s code. On top of the critical ones we mentioned, the experts also found one rated medium, one high, and four rated low severity. 27 other issues found don’t have a direct security impact.

A copy of the full audit report from X41 and GitLab can be found here.

Recommendation and workaround

The easiest way to protect against exploits of these critical vulnerabilities is to upgrade to the latest Git release, version 2.39.1, and to update your GitLab instance to one of these versions: 15.7.5, 15.6.6, or 15.5.9.

Version 2.39.1 of Git for Windows also addresses the flaw tracked as CVE-2022-41953.

The researchers recommend that those working on Git continue to use safe wrappers and develop strategies to mitigate common memory safety issues. They also discourage storing length values in signed integer variables.

“Introducing generic hardenings such as sanity checks on data input length, and the use of safe wrappers can improve the security of the software in the short term. The usage of signed integer typed variables to store length values should be banned. Additionally, the software could benefit from compiler level checks regarding the use of integer and long variable types for length and size values. Enabling the related compiler warnings during the build process can help identify the issues early in the development process.”

Per BleepingComputer, users who cannot upgrade to address CVE-2022-41903 may want to apply this workaround instead:

  • Disable ‘git archive’ in untrusted repositories, or avoid running the command on untrusted repos
  • If ‘git archive’ is exposed via ‘git daemon’, disable it when working with untrusted repositories by running ‘git config --global daemon.uploadArch false’

CVE-2022-23521: Truncated Allocation Leading to Out-of-bounds (OOB) Write

An OOB write occurs when software writes data past the beginning or end of a buffer, which can result in data corruption, a crash, or code execution. In this case the flaw is a heap-based buffer overflow.

This flaw triggers when Git parses a crafted .gitattributes file, which may be part of a commit history, causing multiple integer overflows (also known as wraparounds): the program tries to store a value larger than its integer type can hold, and the value wraps around to something much smaller than intended.

If this happens, OOB reads and writes can occur, which could then lead to remote code execution.

CVE-2022-41903: OOB Write in Log Formatting

This flaw is found in Git’s commit-formatting mechanism, which lets users display arbitrary information about commits through format placeholders. When Git processes a padding operator, an integer overflow can occur; the resulting OOB reads and writes can lead to remote code execution if exploited.

A detailed, technical dive into these vulnerabilities are in the full audit report.



Google sponsored ads lead to rogue imitation sites

There’s a big push in rogue advert land at the moment, with multiple forms of bogus websites being used as bait to rob people of their logins and funds.

This story first came to light a few days ago, with news of a well known cryptocurrency fan “NFT God” being caught out by a bogus video recording tool.

NFT God lost pretty much all of his digitally accrued wealth after the malicious executable grabbed his logins and switched out his digital wallet details. He arrived at this fake video editing tool thanks to a rogue sponsored ad sitting at the top of his Google search results.

Once the file was installed, it set about sending all pertinent login details back to base and the damage was done. The fallout continued as various logins were compromised and phishing attempts were sent to his 16,000 or so Substack followers.

Rogue ads: following a trend

Following up on this prominent tale of hijacking in cryptocurrency circles, Bleeping Computer did some investigation of its own and found a lot more bad ads vying for attention in Google. It’s not just imitation OBS files you have to watch out for. USB booting tools, PC maintenance tools, multiple unnamed programs, and a malicious Notepad++ found by security researcher Will Dormann are just a few of the highlights on display. In fact, several other researchers found their own bad ad equivalents too with one able to put together a list of no fewer than 70 rogue advert domains.

The sites being used for these scams are typically typosquats: URLs that are similar, but not identical, to the real thing serve as the launchpad for the malicious downloads. These sites tend to copy parts of the real site, if not the whole thing, to look as convincing as possible. A related tactic is to make most of the clickable URLs on the fake portal point to the real thing, with the sole exception being the bogus download. Whatever it takes to appear convincing.
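Cross-referencing a URL by eye is error-prone, so here is how the lookalike patterns just described can be checked mechanically. This is an added example, not code from Bleeping Computer or any of the researchers cited: it scores candidate hostnames against a small list of genuine project domains by edit distance, by a brand label reused on another TLD, and by a brand label embedded in a longer name. The two known domains are the real official sites of OBS and Notepad++; the candidate hostnames are constructed and are not the rogue domains from the reports.

```python
# Real official domains for two of the tools named above.
KNOWN_DOMAINS = {"obsproject.com", "notepad-plus-plus.org"}


def levenshtein(a, b):
    """Classic edit distance, enough to catch one- or two-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_label(host):
    """The label just before the TLD. Assumes a single-label TLD (.com, .org); a real
    deployment would consult the Public Suffix List to handle suffixes like .co.uk."""
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_reasons(host, known=KNOWN_DOMAINS):
    """Return the reasons a hostname resembles a known brand domain ([] if none)."""
    host = host.lower().rstrip(".")
    if host in known:
        return []                       # the genuine domain itself
    label = brand_label(host)
    reasons = []
    for k in sorted(known):
        klabel = brand_label(k)
        if label == klabel:
            reasons.append(f"brand label of {k} on a different TLD")
        elif 0 < levenshtein(label, klabel) <= 2:
            reasons.append(f"within 2 edits of {k}")
        elif klabel in label:
            reasons.append(f"embeds the brand label of {k}")
    return reasons


def triage(hosts, known=KNOWN_DOMAINS):
    """Return only the hosts that warrant a closer look, with the reasons why."""
    flagged = {}
    for host in hosts:
        reasons = lookalike_reasons(host, known)
        if reasons:
            flagged[host] = reasons
    return flagged


# Constructed candidates: what a list of sponsored-result landing domains might contain.
CANDIDATES = [
    "obsproject.com",               # genuine
    "0bsproject.com",               # digit zero for letter o
    "obs-project.com",              # inserted hyphen
    "obsproject.net",               # right brand, wrong TLD
    "notepad-plus-plus-setup.org",  # brand embedded in a longer label
    "example.org",                  # unrelated
]

if __name__ == "__main__":
    for host, reasons in triage(CANDIDATES).items():
        print(host, "->", "; ".join(reasons))
```

The heuristics miss homoglyph and internationalised-domain (punycode) lookalikes and anything that uses an unrelated name, so a clean result is not a green light; it is a way to rank which landing domains to look at first.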

When the fake sites are out, but not down

Google told Bleeping Computer that the sites in question have since been removed from its ad program. This doesn’t necessarily mean that the sites have been taken offline, and they may well still be out there waiting to strike somewhere else. They could easily be sitting in regular results in another search engine, or be placed into a non-Google related search engine ad program.

This also doesn’t mean all rogue sites have been removed from the search results listings, and caution should always be exercised where ads are concerned.

How do you avoid bad ads?

It wasn’t so long ago that the FBI warned of rogue adverts popping up in search engine results. That warning also included a reference to blocking ads, which some folks may not have expected to see in an FBI release.

The advice for steering clear of rogue adverts likely includes some best practices you’re already aware of and make use of. In an ideal world we wouldn’t have to worry about such things, but despite whatever quality control and ad inventory checking is in place at major search engines this keeps happening anyway. With this in mind:

  • You probably have the URL you need. It’s somewhat unusual for many people to have zero idea of the genuine URL for a major brand, service, product, and so on. Your first interaction with said entity will almost certainly have their genuine URL printed on a banner, box, instruction manual, or anything else you care to mention. Navigate directly to the site in this instance, because you don’t need to go digging around in search engines.
  • Careful searching. If you do need to go looking, cross-reference the URLs you see in search engines with a search of your own. If it’s legitimate, you should see a large number of people and businesses referencing it.
  • Report bad ads. If a sponsored ad is up to no good, there should be a way to report from the search engine in which you found it. You’re doing your part to help the next person who comes along stay safe!
  • The thorny blocking issue. If you choose to block ads, be aware that the way you block may break functionality of the site you’re on. Some sites will insist you turn off your ad blocker. Others may simply not work anymore if you use script blocking or turn off JavaScript. It’s not so much a case of “job done”, as it is “job just getting started”.


Update now! Proof of concept code to be released for Zoho ManageEngine vulnerability

Users of multiple Zoho ManageEngine products are under urgent advice to install the patch issued October 27, 2022. The advice is urgent because on January 13, 2023 the Horizon3 Attack Team tweeted that Proof of Concept (PoC) code and a deep-dive blog will be released within a week.


Mitigation

A long list of vulnerable ManageEngine products and their fixed version can be found in the ManageEngine advisory. Clicking on the URLs under Fixed Version(s) behind the affected product takes you to the update instructions for that product.

The vulnerability

The vulnerability, listed as CVE-2022-47966, is an unauthenticated remote code execution vulnerability. It is caused by the use of an outdated third-party dependency, Apache Santuario, the Apache XML Security library that handles XML signature processing. A successful attacker gains remote code execution with SYSTEM-level access, meaning the entire system could be compromised.

The affected ManageEngine products use Security Assertion Markup Language (SAML), an XML-based open standard for exchanging authentication data, to provide single sign-on.

According to Horizon3:

The vulnerability is easy to exploit and a good candidate for attackers to “spray and pray” across the internet.

Exploit

An attacker would need to send a specially crafted SAML request to trigger the exploit.

Please note that depending on the specific ManageEngine product, this vulnerability is exploitable if SAML single-sign-on is enabled or has ever been enabled. So, even if you do not currently have SAML enabled, you are under advice to install the patch with priority.

A Shodan scan performed by the researchers showed 5255 exposed instances of ServiceDesk Plus of which 509 have SAML enabled, and 3105 exposed instances of Endpoint Central, of which 345 have SAML enabled. At the moment we have no knowledge of active attacks against this vulnerability, but that might change rapidly once the PoC code is available.

In September 2022, an RCE vulnerability affecting Zoho ManageEngine PAM360 (versions 5500 and earlier), Password Manager Pro (versions 12100 and earlier), and Access Manager Plus (versions 4302 and earlier) was found to be under active exploitation after several PoCs and a Metasploit module for it were made public.

IOCs

IOCs for ServiceDesk Plus, Endpoint Central, and other ManageEngine products can be found in Horizon3’s blog post about this vulnerability.



CircleCI: Malware stole GitHub OAuth keys, bypassing 2FA

Software development service company CircleCI has published its incident report on a breach that happened in December.

CircleCI revealed that an engineer’s laptop was infected with a yet-to-be-named information-stealing Trojan, which was used to steal the engineer’s session cookie. The company didn’t say how the malware got onto the laptop.

From the report:

“This machine was compromised on December 16, 2022. The malware was not detected by our antivirus software. Our investigation indicates that the malware was able to execute session cookie theft, enabling them to impersonate the targeted employee in a remote location and then escalate access to a subset of our production systems.”

In this case, the session cookie was an authentication token, described in the report as a “2FA-backed SSO session” cookie. This is a kind of authentication cookie that is stored by a web browser after you successfully log in to a website. When the browser interacts with restricted content, it uses the cookie to prove that you have logged in, so you don’t need to reenter your password over and over again.

Stealing a user’s authentication cookie gives an attacker exactly the same access as they’d get if they stole the user’s password and logged in. In this case, the account wasn’t just protected by a password, it was also protected by some form of two-factor authentication (2FA). By stealing an authentication cookie, the attacker was able to perform an end run around the 2FA (and any other forms of authentication) protecting the account.

Thankfully, stealing authentication cookies isn’t easy. In this case the attacker could only do it by installing malware on an engineer’s laptop, from where they could probably have stolen the victim’s passwords and 2FA codes eventually anyway.
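A session cookie is a bearer token: whoever presents it is treated as the user who logged in, 2FA included. The following added example (not CircleCI’s code) shows a signed session cookie accepted on its signature alone, the same cookie rejected when the server also binds it to the issuing device and a short lifetime, and a log check that spots one session being presented from two different networks. The signing key, the device-fingerprint mechanism, the timestamps and the access log are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed for the example: the server's cookie-signing key. Not CircleCI's design.
SERVER_KEY = b"example-session-signing-key-not-for-production"
SIG_LEN = 32


def issue_session(user, mfa_verified, client_fp, issued_at):
    """Mint a signed session cookie after login. `mfa_verified` records that 2FA passed;
    `client_fp` is a fingerprint of the device that authenticated (an assumption of this
    example, e.g. a device-certificate hash) which the hardened check binds the cookie to."""
    claims = {"user": user, "mfa": mfa_verified, "fp": client_fp, "iat": issued_at}
    payload = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + sig).decode()


def verify_cookie(cookie):
    """Return the claims if the signature is intact, otherwise None."""
    try:
        raw = base64.urlsafe_b64decode(cookie.encode())
    except ValueError:
        return None
    payload, sig = raw[:-SIG_LEN], raw[-SIG_LEN:]
    if not hmac.compare_digest(hmac.new(SERVER_KEY, payload, hashlib.sha256).digest(), sig):
        return None
    return json.loads(payload)


def authorize_bearer(cookie):
    """The weak model: whoever presents a validly signed cookie is the user. 2FA was
    checked once at login and its result rides inside the cookie, so a copy lifted from
    the browser by malware inherits the 2FA-backed session without seeing a prompt."""
    claims = verify_cookie(cookie)
    return claims is not None and claims["mfa"] is True


def authorize_bound(cookie, client_fp, now, max_age=8 * 3600):
    """Hardened model: the same signature check, plus the cookie must be presented by
    the device it was issued to and must not have outlived a short session lifetime."""
    claims = verify_cookie(cookie)
    if claims is None or claims["mfa"] is not True:
        return False
    if not hmac.compare_digest(claims["fp"].encode(), client_fp.encode()):
        return False
    return 0 <= now - claims["iat"] <= max_age


def sessions_used_from_multiple_networks(access_log):
    """Detection: one session presented from more than one network is the trace a
    replayed, stolen cookie leaves in access logs. Returns the affected users."""
    networks = {}
    for entry in access_log:
        claims = verify_cookie(entry["cookie"])
        if claims is None:
            continue
        net = ".".join(entry["src_ip"].split(".")[:3])  # crude /24 grouping, enough here
        networks.setdefault((entry["cookie"], claims["user"]), set()).add(net)
    return sorted({user for (_, user), nets in networks.items() if len(nets) > 1})


# Constructed scenario: an engineer logs in with 2FA on their laptop; an infostealer
# copies the resulting cookie and the attacker replays it from their own machine.
LOGIN_TIME = 1_671_200_000
ENGINEER_COOKIE = issue_session("engineer", True, "laptop-device-cert-sha256", LOGIN_TIME)
ACCESS_LOG = [
    {"cookie": ENGINEER_COOKIE, "src_ip": "10.20.30.41"},   # the engineer, corporate network
    {"cookie": ENGINEER_COOKIE, "src_ip": "10.20.30.42"},
    {"cookie": ENGINEER_COOKIE, "src_ip": "203.0.113.77"},  # same cookie, replayed from elsewhere
]

if __name__ == "__main__":
    print("bearer check accepts replayed cookie:", authorize_bearer(ENGINEER_COOKIE))
    print("bound check from attacker box:", authorize_bound(ENGINEER_COOKIE, "attacker-vm", LOGIN_TIME + 600))
    print("bound check from owner's laptop:", authorize_bound(ENGINEER_COOKIE, "laptop-device-cert-sha256", LOGIN_TIME + 600))
    print("sessions seen from multiple networks:", sessions_used_from_multiple_networks(ACCESS_LOG))
```

Device binding is only as strong as the fingerprint: malware with code execution on the endpoint can often lift the device credential along with the cookie, which is why short-lived sessions for production access, step-up authentication for sensitive actions and behaviour-based detection of where a session is used matter more than any single check.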

A customer alerted the company to “suspicious GitHub OAuth activity” on December 29, 2022, leading to the conclusion that this customer’s OAuth token had been compromised. As a result, CircleCI says it proactively began rotating all customer-associated tokens on their behalf. These include Project API, Personal API, and GitHub OAuth tokens.

CircleCI made an official announcement of its security breach on January 4 of this year, urging all its clients to rotate “any and all” their secrets—passwords or private keys—stored in CircleCI and review logs for unauthorized access occurring between December 21, 2022, and January 4, 2023.

Because the targeted engineer had privileges to generate production access tokens, the attacker was able to “access and exfiltrate data from a subset of databases and stores, including customer environment variables, tokens, and keys.” The company also has reason to believe that reconnaissance activity took place on December 19, before exfiltration was spotted on December 22, just days later.

“Though all the data exfiltrated was encrypted at rest, the third party extracted encryption keys from a running process, enabling them to potentially access the encrypted data,” the report further says.

Since then, CircleCI says it has been improving its infrastructure by adding behavior detection to its antivirus and mobile device management (MDM) system. It’s also restricted access to its production environments and increased the security of its 2FA implementation.

This recent cybersecurity incident with CircleCI isn’t a first. In 2019, the company was breached following a supply chain attack against its analytics vendor. Its account with the vendor was compromised, giving attackers access to some user data, which includes usernames and email addresses associated with GitHub and Bitbucket.



Fighting technology’s gender gap with TracketPacer: Lock and Code S04E02

Last month, the TikTok user TracketPacer posted a video online called “Network Engineering Facts to Impress No One at Zero Parties.”  TracketPacer regularly posts fun, educational content about how the Internet operates. The account is run by a network engineer named Lexie Cooper, who has worked in a network operations center, or NOC, and who’s earned her Cisco Certified Network Associate certificate, or CCNA. 

In the video, Cooper told listeners about the first spam email being sent over Arpanet, about how an IP address doesn’t reveal that much about you, and about how Ethernet isn’t really a cable—it’s a protocol. But amidst Cooper’s bite-sized factoids, a pair of comments she made about something else—the gender gap in the technology industry—set off a torrent of anger. 

As Cooper said in her video:   

“There are very few women in tech because there’s a pervasive cultural idea that men are more logical than women and therefore better at technical, ‘computery’ things.”

This, the Internet decided, would not stand. 

The IT industry is “not dominated by men, well actually, the women it self just few of them WANT to be engineer. So it’s not man fault,” said one commenter. 

“No one thinks it’s because women can’t be logical. They’re finally figuring out those liberal arts degrees are worthless,” said another. 

“The women not in computers fact is BS cuz the field was considered nerdy and uncool until shows like Big Bang Theory made it cool!” said yet another. 

The unfortunate reality facing many women in tech today is that, when they publicly address the gender gap in their field, they receive dozens of comments online that not only deny the reasons for the gender gap, but also, together, likely contribute to the gender gap. Nobody wants to work in a field where they aren’t taken seriously, but that’s what is happening. 

Today, on the Lock and Code podcast with host David Ruiz, we speak with Cooper about the gender gap in technology, what she did with the negative comments she received, and what, if anything, could help make technology a more welcoming space for women. One easy lesson, she said:

“Guys… just don’t hit on people at work. Just don’t.” 

Tune in today.

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

Web skimmer found on website of Liquor Control Board of Ontario

On January 12, 2023, the Liquor Control Board of Ontario (LCBO) published a news release about a cybersecurity incident affecting online sales through LCBO.com. The LCBO is one of the largest retailers and wholesalers of beverage alcohol in the world.

Web skimmer

The incident was a web skimmer: malicious code designed to capture customer payment information. Or, in the words of the LCBO:

“an unauthorized party embedded malicious code into our website that was designed to obtain customer information during the checkout process.”

LCBO has reset all LCBO.com account passwords.

Magecart

The web skimmer was identified by experts as a Magecart web skimmer. The injected malicious code was hidden inside a Google Tag Manager (GTM) snippet, encoded as Base64. Abuse of this legitimate Google service has been ongoing because it gives attackers free infrastructure on which to host their scripts, while also making the code harder to detect.

Malwarebytes’ Director of Threat Intelligence Jérôme Segura commented:

“The attack on LCBO’s online portal follows a trend we’ve seen before of injecting malicious code disguised as legitimate snippets such as Google Tag Manager. In this case, the threat actor added an extra level of stealth by loading the skimmer code via a websocket, instead of a more typical HTTP request. LCBO took quick action to take its site offline and publicly acknowledge and disclose the issue, which should be commended.”

The code only loads the skimmer if the current URL contains the string ‘checkou’ (note the missing ‘t’). It then opens a websocket for communication, which is more covert than a typical HTTP request. The Magecart domain is magento-cdn[.]net, which was registered less than a month ago.
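As an added example (not code from LCBO or Malwarebytes), the following Node.js heuristic looks for the traits described above: a long Base64 blob inside a script that borrows GTM naming, decoding to text that checks the URL for the truncated string ‘checkou’ and opens a WebSocket. The sample page, the indicator names and the two-line stand-in payload are constructed for illustration.

```javascript
// Added example, not code from LCBO or Malwarebytes: a defender-side heuristic
// that finds inline <script> blocks, decodes long Base64 runs inside them and
// flags runs showing the traits described above (checkout-URL check, WebSocket).
const SCRIPT_RE = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
const B64_RE = /[A-Za-z0-9+/]{40,}={0,2}/g;

const INDICATORS = [
  { name: 'checkout-url-check', re: /checkou['"]/ },         // truncated 'checkou'
  { name: 'websocket-channel', re: /new\s+WebSocket\s*\(/ }, // covert exfil channel
];

// Decode every long Base64 run and keep only results that are mostly printable text.
function decodeBase64Candidates(text) {
  const out = [];
  for (const run of text.match(B64_RE) || []) {
    const decoded = Buffer.from(run, 'base64').toString('utf8');
    const printable = decoded.replace(/[^\x20-\x7e\s]/g, '').length;
    if (decoded.length > 0 && printable / decoded.length > 0.95) out.push(decoded);
  }
  return out;
}

// Scan a page and return one finding per suspicious decoded blob.
function scanHtml(html) {
  const findings = [];
  let m;
  while ((m = SCRIPT_RE.exec(html)) !== null) {
    const body = m[1];
    const disguisedAsGtm = /googletagmanager|gtm|dataLayer/i.test(body);
    for (const decoded of decodeBase64Candidates(body)) {
      const hits = INDICATORS.filter(i => i.re.test(decoded)).map(i => i.name);
      if (hits.length > 0) findings.push({ disguisedAsGtm, hits, preview: decoded.slice(0, 60) });
    }
  }
  return findings;
}

// Constructed sample page: a genuine-looking GTM bootstrap plus a second snippet
// that hides a Base64 blob behind GTM naming. The blob is built here from a
// two-line stand-in, not copied from any real skimmer.
const STAND_IN = "if(location.href.indexOf('checkou')>-1){var ws=new WebSocket('wss://skimmer.invalid/');}";
const SAMPLE_HTML = `
<script>(function(w,d,s,l,i){w[l]=w[l]||[];})(window,document,'script','dataLayer','GTM-XXXXXX');</script>
<script>var gtm='${Buffer.from(STAND_IN).toString('base64')}';eval(atob(gtm));</script>`;

console.log(JSON.stringify(scanHtml(SAMPLE_HTML), null, 2));
```

The genuine GTM bootstrap produces no finding because it carries no Base64 run; only the disguised snippet is reported, with both indicators.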

Malwarebytes blocks magento-cdn.net

Stolen information

According to the press release, customers who provided personal information on check-out pages and proceeded to the payment page on LCBO.com between January 5, 2023, and January 10, 2023, may have had their information compromised.

The stolen information could include names, email and mailing addresses, Aeroplan numbers, LCBO.com account password, and credit card information.

LCBO is looking to contact those affected directly, but in the meantime all customers who initiated or completed payment for orders on LCBO.com during that time period should monitor their credit card statements and report any suspicious transactions to their credit card providers.

The vast majority of payment card records stolen by Magecart groups using the GTM container method have later been offered for sale on Dark Web marketplaces.

Preventing web skimmers on your site

Operating an e-commerce website comes with certain responsibilities, especially if payment information is handled through it. It is usually a safer (and easier) practice to outsource the handling of financial transactions to larger, trusted parties. PCI compliance and risks associated with collecting data can be overwhelming, especially for site owners that would rather focus on the business side of things.

Third-party resource integrity checking is one security aspect that has been overlooked but can provide great benefits when loading external content. The reality is that a website usually cannot host all the content itself, and it makes more sense to rely on CDNs and other providers for speed and cost reasons.

This relationship does not necessarily mean having to weather the issues experienced by a third party. There are a number of threats that can be disseminated via third-party libraries. For this reason, implementing safeguards such as Content Security Policy (CSP) and Subresource Integrity (SRI) can help to mitigate many issues.

Not falling victim

One thing to keep in mind as consumers is that we are largely placing our trust in the online stores where we are shopping. For this reason, it may be wise to avoid smaller sites that perhaps do not have the same level of security as larger ones.

Using browser plugins such as NoScript can prevent JavaScript from loading from untrusted sites and therefore reduces the attack surface. However, it has the same shortcoming as the site-side controls when malicious code is embedded in a resource that is already trusted.

Magecart and other web skimmers can be mitigated at the exfiltration layer, by blocking connections to known domains and IPs used by the attackers. It is not foolproof, though, considering how trivial it is to register new properties. But infrastructure reuse is something we still see quite often.

