CyberWire Daily - Inside Magecart and Genesis. [Research Saturday]
Episode Date: December 21, 2019
Dan Woods is VP of the Intelligence Center at Shape Security. He shares insights on two noteworthy attack tools, Genesis and Magecart. Before joining Shape Security, Dan served as Assistant Chief Agent of Special Investigations at the Arizona Attorney General's Office, where he investigated complex fraud. Prior to that, he spent 20 years with federal law enforcement agencies and intelligence organizations, including the CIA and FBI, where he specialized in information operations and cybercrime.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
...of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me.
I have to say, Delete.me is a game changer. Within days of signing up, they started removing my
personal information from hundreds of data brokers. I finally have peace of mind knowing
my data privacy is protected. Delete.me's team does all the work for you with detailed reports
so you know exactly what's been done. Take control of your data and keep your private life Thank you. JoinDeleteMe.com slash N2K and use promo code N2K at checkout.
The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout.
That's JoinDeleteMe.com slash N2K, code N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
And now, a message from our sponsor, Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs,
yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks
and a $75 million record payout in 2024.
These traditional security tools expand your attack surface with public-facing IPs
that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your
security. Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making
apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps,
not the entire network, continuously verifying every request based on identity and context.
Simplifying security management with AI-powered automation.
And detecting threats using AI to analyze over 500 billion daily transactions.
Hackers can't attack what they can't see.
Protect your organization with Zscaler Zero Trust and AI.
Learn more at zscaler.com slash security.
So Magecart is really a word that is used to describe just a whole category of criminal organizations that skim credit card information from the payment pages of websites.
That's Dan Woods. He's VP at Shape Security's Intelligence Center. Before joining Shape Security, Dan served as Assistant Chief Agent of Special Investigations at the Arizona Attorney General's Office, and prior to that, 20 years in federal law enforcement with the CIA and the FBI.
The way it works is anytime your browser loads a payment page, you know, and this is the page where you enter your name,
your billing address, your credit card number, expiration, CVV, and so on. There's a lot of
JavaScript that loads in the background. Some of these payment pages have, you know, 10, 15, 20 different
JavaScript files that all load. What Magecart refers to is the criminal organization's attempt
to modify one or more of those JavaScript files so that when it's loaded, it is doing something
malicious. Specifically, it is taking all the information entered into the payment page
and serializing it into an array and then sending it to some drop site
where the criminal organization can then exploit it.
So it's really just making changes to the payment page, to the JavaScript,
that the owners of the website
aren't aware of.
And over time, as customers enter in their payment information into that payment page,
it is siphoned off and sent to the criminal organization for exploitation.
And so the payment page itself continues to function as the owner expects it would?
It does.
In fact, even if you looked at the JavaScript being loaded, the criminal organizations have gone to great lengths to make sure that their changes to that JavaScript kind of blend in with the existing JavaScript. And we're talking about 20, 25 lines of code. It's not much. And the drop site where they will send this information will oftentimes closely parallel the victim website.
So in the British Airways example, you know, British Airways is the domain, or is the website, and the drop site was baways.com. So victim after victim after victim, the URL of the drop site tries to closely match that of the victim organization. So it takes a really trained eye to look at those JavaScript files and identify that malicious changes have been made.
And by what methods are they going in and making the changes to the JavaScript files?
Well, oftentimes these JavaScript files are created by third parties and even hosted by third parties. So they'll attempt to compromise those third parties. In the British Airways example, I think it was a JavaScript file served by something called Modernizr that they were able to make changes to. So then when the British Airways site loaded that JavaScript file, it also loaded the changes that the criminal organization introduced. So not making changes to the British Airways infrastructure, but to third parties that the British Airways infrastructure relies upon.
Now, when someone who has fallen victim to this finds out that their website has been compromised, how does that usually play out? Are there indications? At what point do they know they have a problem?
Well, you know, it depends on the level of attention that these organizations are paying to the runtime environment.
There's an organization, Clarity Connect, that was also targeted by Magecart. The administrators noticed that changes had been made to the JavaScript file, so they removed it.
And then they were subsequently added again, and they
removed it again. So what happened is the bad actor sent a message to the administrators,
something like, if you will delete my code one more time, I will encrypt all your sites,
you very bad admins. So it all depends on the level of attention that the victim site is paying to the runtime environment.
So the lesson here, if you're going to protect yourself from Magecart, you need to monitor your runtime environment.
And if there are any changes, then alerts need to be fired so people can look at those changes and make sure they're authorized.
Can we dig into that a little bit? Can you describe to us what does that process entail?
Well, what happens is, you know, Magecart and other malware like it, they must, you know, hook into the same browser APIs that the legitimate developers do. So when they do that, they're creating a signal or an anomaly that is detectable, but you have to be, you know, looking for it in order to detect it.
And is that some of the types of tools that you provide at Shape?
Indeed, right. Anything that negatively impacts our customers, these are problems that we are attempting to solve, including protection against Magecart and malware like it.
Well, let's move on to Genesis. Can you give us a description? What are we dealing with here?
Yeah, Genesis is an online marketplace. It's not even on the dark web. Anybody can point their browser to it.
And it's meant to defeat the "we don't recognize your device" countermeasure that is implemented using browser fingerprinting. And I'm sure you've
encountered that before when you go to log into your bank from a new browser, it says, you know,
we don't recognize your browser, we don't recognize your device. And then a second factor of
authentication is typically triggered. Well, you know, fraudsters, you know, that's an obstacle to
them. So they've come up with, you know, a way of circumventing that.
So what happens is you have malware that is sitting on, you know, a victim's machine,
and it's collecting not just usernames and passwords, but it's collecting all the attributes
that are used to generate browser fingerprints. So things like, you know, browsing history,
screen size, cookies, a lot of the attributes that a browser fingerprinting
countermeasure would use to generate that browser fingerprint is all being collected by the malware
and sent up to the Genesis marketplace. And then a bad actor will use a Chromium-based browser
and a Genesis Security plugin. And what the Genesis Security plugin will do is take all that information collected by the malware and turn the Chromium-based browser into a close replica of the victim's browser.
You know, and there are probably, the last time I checked, over a hundred and eighty thousand of these. Well, the Genesis marketplace calls them bots, but they're not really bots.
It's kind of a misnomer.
It's just a collection of usernames, passwords, and browser attributes, cookies associated with a victim machine.
And about 180,000 of these up there.
And that may not seem like a lot, but keep in mind when you buy one,
it is removed from the marketplace. And I've just randomly grabbed 10 or 20 of these bots to see how
long they stay on the marketplace. And they're typically gone within a few weeks, you know,
sold to somebody. So 180,000 of these so-called bots translates to millions of compromised machines collecting usernames, passwords, and browser attributes every few weeks.
It's being kind of recycled throughout the marketplace.
And so the notion here is that it's one step that they can use to try to circumvent, say, a call for a second factor in authentication.
That's correct. And it's pretty effective, meaning that the information that it collects
from the victim's machine isn't just the information needed to generate a browser
fingerprint. It has virtually everything about that environment that the bad actor needs
in order to circumvent that countermeasure.
And again, in terms of prevention, if I want to keep these sorts of bits of information from being harvested from my machine, what are your recommendations?
Well, you know, we protect our customers from Genesis by detecting it in the data that we collect. We know when Genesis is being used. But from an individual's perspective, how they protect themselves, just visiting questionable sites, clicking links, downloading email attachments and executing them without being cautious, it's a tough problem to solve, because generally the typical user is rather careless when it comes to their computer security countermeasures.
Before I wrap up with you, I want to talk a little bit about some of your background. You have an interesting professional history. You spent time in the Arizona Attorney General's Office. You had a lot of fraud investigation there. Can you take us through what was that experience like?
Before the Attorney General's Office, I worked as an FBI agent in Washington, D.C.
And I loved that job.
It was a great job, but there was always the risk that you could be transferred to a field office that wasn't conducive to your personal family life.
What I liked about the Attorney General's office, it was just like my job at the FBI.
That is, I was investigating white-collar crime and fraud
and computer tampering, money laundering, the kinds of things I love to investigate.
But there was no chance that I could be transferred to some other state. I could just
focus on my work and have a good family life. And so what kinds of things were you tackling
there, but particularly in the cyber domain?
Well, a lot of the computer tampering cases that I investigated involved typically a rogue IT person who would exceed his or her authorized access in order to do something malicious.
And then, you know, one thing that I learned early on in my career is that even though, you know, I'm a computer engineer by education, and oftentimes people say, you know, computer engineering and law enforcement don't seem to overlap, so why did you study computer engineering and then go into law enforcement? It actually does overlap quite a lot.
It isn't just computer tampering and computer hacking cases that require technical skills.
I probably use my engineering education and my computer expertise on every single case,
whether it be a drug case or, you know, it could have been a burglary, because oftentimes these cases involve digital evidence. Like, a computer is seized and emails are extracted, so understanding email headers and how to geolocate somebody, understanding, you know, how useful or useless an IP address can be in attempting to identify the perpetrator. All of these things are important for virtually every type of investigation, not just computer crimes.
Now, from your perspective, the time you spent in all those investigations, are there areas where you think people are generally falling short? I mean, do you have general advice from the time
you spent sort of on the inside of those sorts of investigation, things that people should be
doing that perhaps they're overlooking? I think without fail, it's leadership's
inability or unwillingness to give it the funding and the priority that is needed.
It's typically not funded well, not staffed with experts because
they don't want to pay for experts. And then they're victimized and they wonder why. And you
can see this play out across, I mean, just read the papers and you'll see the people with the very
best cybersecurity posture with the best staff are typically those who a few years earlier
encountered huge breaches and lost hundreds of millions of dollars in brand value because of
very public breaches. Unfortunately, people are waiting until there is a breach, until
their customers are victimized, until their brand is damaged, before taking cybersecurity
seriously.
You know, I've heard in conversations I've had with other folks at the FBI that a lot of times it's been their experience that people are hesitant to reach out to the FBI or law enforcement, that they're embarrassed or they don't want the publicity. But do you have any insights there? Is that a good line of thinking, or should they overcome that and reach out?
Well, I think they should overcome it and reach out, but the FBI hasn't helped itself by, you know, those companies who do reach out, there is oftentimes, you know, public exposure of the information. So the FBI needs to do better at protecting, you know, the companies that are coming forward, and the companies need to, I think, come forward more often. So both are at fault there. I think one thing that companies can do more of that they're not doing is reaching out to their victims.
For example, we talked about Genesis and the malware collecting all of these usernames and passwords.
Well, right now, what customers will do is just reset the password.
Well, that's kind of a fool's errand because there's malware on the victim's computer.
The bad actor will just get the new password once the malware collects it.
So the better course of action is to reach out to the victim and say,
hey, you have malware on one of your computers.
We'd like to get a copy of it so that we can understand it.
We'd like to know, did you click on any links recently? Did you get any phishing emails or text messages? There's a lot of intelligence that could be gathered simply by reaching out to these victims, but nobody's doing it. They're just continuing to reset passwords and hope that, you know, the victim is protected.
Our thanks to Dan Woods from Shape Security for joining us.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total
control, stopping unauthorized applications, securing sensitive data, and ensuring your
organization runs smoothly and securely. Visit ThreatLocker.com today to see
how a default-deny approach can keep your company safe and compliant.
The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios
of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is
Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault,
Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben,
Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.