He concluded this based on information obtained by Sansec, which specializes in combating digital skimming and Magecart attacks.

Let me remind you that initially the name MageCart was assigned to one hack group, which was the first to introduce web skimmers (malicious JavaScript) on the pages of online stores to steal bankcard data.

“Such an approach was so successful that the group soon had numerous imitators, and the name MageCart became a common name, and now it refers to a whole class of such attacks”, – remind history specialists of the information security company RiskIQ.

If in 2018 RiskIQ researchers identified 12 such groups, then by the end of 2019, according to IBM, there were already about 40 of them.

The researcher studied one of these malicious JavaScript and noticed that it collects all data from the input fields filled by victims and sends it to Telegram.

All transmitted information is encrypted using a public key, and having received it, a special Telegram bot sends the stolen data to the chat in the form of ordinary messages.

Affable Kraut notes that this method of data theft, apparently, is very effective, but it has a significant disadvantage: anyone who has a token for a Telegram bot can take control of the process.

Malwarebytes’ leading researcher, Jérôme Segura, was also interested in the script, and after examining it, he said that the author of this web skimmer used a simple Base64 for the bot ID, Telegram channel and API requests. Below you can see the diagram left by Segura and describing the entire attack process.

The researcher notes that data theft occurs only if the current URL in the browser contains one of the keywords indicating that this is an online store, and only when the user confirms the purchase. The payment details will then be sent to both the payment processor and the cybercriminals.

Jerome Segura writes that such a data extraction mechanism is a very practical solution, because it allows attackers not to worry about creating a special infrastructure for these purposes. In addition, it will not be easy to defend against this type of skimmer. Blocking Telegram connections will be only a temporary solution, since then the attackers can start using another legitimate service, which will also mask the “leak” of data.

Segura writes that such data extraction mechanism is a very practical solution, because it allows attackers not to worry about creating a special infrastructure for these purposes. In addition, it will not be easy to defend against this type of skimmer. Blocking Telegram connections will be only a temporary solution, since then the attackers can start using another legitimate service, which will also mask the “leak” of data.

Let me remind you that scientists have developed an attack that allows not to enter a PIN code while paying with Visa cards.

The post Magecart groupings extract stolen cards data via Telegram appeared first on Gridinsoft Blog.

Responsibility for this campaign is put on the hacking group Chimborazo, which experts have been observing since January this year.

This campaign was named Chimborazo Dudear. Initially, hackers acted according to the classical scheme and applied malicious Excel documents to phishing emails. Then they switched to links embedded in messages. In recent weeks, the group began sending out phishing emails containing links to redirecting sites (usually legitimate resources that were hacked), and sometimes an HTML attachment containing a malicious iframe is attached to the emails.

By clicking on such a link or opening an attachment, the victim will in any case be taken to the site with the download of a malicious file. However, before accessing the file itself, the user will be forced to solve CAPTCHA.

Thus, the attackers tried to impede the work of automatic defense mechanisms, which should detect and block such attacks. Typically, this analysis is performed using bots that download malware samples, run them, and analyze them on virtual machines. CAPTCHA guarantees that a living person will load the malware sample”, — say Microsoft analysts.

Let me remind you, that by the way, 82.5% of Microsoft Exchange servers are still vulnerable.

In January of this year, Security Intelligence specialists already wrote about the attacks by the Chimborazo group. Researchers then said that a hacker group uses IP address tracking to identify computers from which they downloaded a malicious Excel file. Presumably, this was also done in order to avoid automatic detection.

Malwarebytes expert Jérôme Segura writes that the use of CAPTCHA by hackers is a rare but not unprecedented case. For example, he refers to a tweet from another information security specialist, dated late December 2019. Then, was also discovered a fake CAPTCHA, which the attackers successfully used to complicate the work of automatic analysis.

Discovered by Microsoft CAPTCHA may also be fake. As you can see in the picture above, the attacker site claims to use reCAPTCHA, but below it is stated that Cloudflare provides protection against DDoS attacks. These are two separate services, although it is possible that the hackers used both separately.

The post Hackers force users to solve CAPTCHA appeared first on Gridinsoft Blog.