Darknet Diaries - 52: Magecart
Episode Date: November 26, 2019

Credit card skimming is growing in popularity. Gas pumps all over are seeing skimmers attached to them. It's growing in popularity because it's really effective. Hackers have noticed how effective it is and have begun skimming credit cards from websites.

Guest
Thanks to Yonathan Klijnsma from RiskIQ.

Sponsors
This episode was sponsored by Linode. Linode supplies you with virtual servers. Visit linode.com/darknet and when signing up with a new account use code darknet2019 to get a $20 credit on your next project.
Support for this episode comes from Honeybook. HoneyBook is an online business management tool that organizes your client communications, bookings, contracts, and invoices – all in one place. Visit honeybook.com/darknet to get 50% off your subscription.
This episode was sponsored by CMD. Securing Linux systems is hard, let CMD help you with that. Visit https://cmd.com/dark to get a free demo.

Visit darknetdiaries.com for full show notes and transcripts.
Transcript
In October 2015, Carlos, a Florida man, was manufacturing credit card skimming devices.
These are little devices you can stick on a gas pump, and anyone who comes and swipes their credit card at the gas pump will get their number saved to this little device.
It's a popular attack because not everyone is watching the gas pumps, so you can easily sneak your skimmer onto it.
It's hard to sneak a skimmer onto a point-of-sale terminal in a store because the clerk is standing right there.
But gas pumps are usually standing right there in the open for anyone to just go use.
Carlos' skimmers were slick. They were small, battery powered, and could store up to a gigabyte
of data on them. He stuck one on a gas pump and came back a few days later
and plugged a USB cable into it and downloaded all the credit card data off there. This is called
track data. And this was amazing for Carlos. So now that one skimmer seemed to be working pretty
well, Carlos started planting more and more skimmers all over Miami, Florida. Then he'd come
back, hook up a USB cable and download all the card track data.
Carlos thought this was great.
But now what?
How do you turn the track data into money?
He thought about this.
One could try selling the track data online,
but you don't get that much for each card.
Carlos was, after all, a DIY kind of guy.
So he bought a credit card writer
and a bunch of blank credit cards.
He would then transfer the credit card track data to these blank cards.
This allowed him to go to the store and buy stuff with these stolen cards.
But Carlos had a lot of stolen cards.
So he got two more Florida men to help him.
Two guys named Yordono and Gilner.
Carlos wrote about 50 credit cards to blank cards and gave them to Yordono and Gilner and sent them both to Washington state
to try to cash in on this. The theory was that Washington was on the opposite side of the U.S.
from Florida, which was far away from Carlos, giving him a perceived security buffer. But on
top of that, he made them go to Spokane, Washington, which is far away from Seattle
where the FBI or Secret Service might be stationed and looking for this kind of activity. Spokane was
just far enough away from the feds and just big enough to have enough unique stores around town
to do this. The plan was to buy as many gift cards as possible with these stolen cards. So the two
men started buying tons of gift cards, like $200 prepaid Visa cards. And they did this, a lot of this. They bought tons
of gift cards with these stolen credit cards that Carlos gave them. See, gift cards don't have a
name attached to them, so it's much easier to use them anonymously or sell them. It's a way to
launder the money. The plan was going great, and Carlos, back in
Florida, was telling them he'd buy all the gift cards for half price, giving everyone a nice cut
of the whole operation. The math still works out. If Carlos could get like $100 per stolen card,
that's still way more than selling them on the black market. So everyone here was happy.
But then, one of the stolen cards happened to be stolen from someone who lived in Washington state.
They saw this fraudulent purchase and immediately reported it.
Quickly, the authorities got the CCTV footage of the store and saw Yordono and Gilner buying these gift cards.
The authorities found what hotel the two were staying in and arrested them.
And the cops found a total of $35,000 in gift cards in their hotel room.
Both were found guilty of credit card fraud. But Carlos was still back in Florida. He wasn't quite
in the clear, though. He was brought to Washington and charged as a conspirator. But with a typical
trial, he was placed on a standard release condition until his trial began. So he went back home to Florida to wait
for the trial. Now this is where Carlos, our Florida man, really shines. While on release for
his trial for credit card fraud, Carlos continued to make skimmers and put them on gas pumps all
over Miami. And he would continue to scrape the data off these devices, stealing more and more
cards while waiting for his trial. The police
searched his apartment and found even more stuff than he originally was charged with,
and this brought all new charges against him. He was found guilty in both Washington and in Florida.
He had to serve a 30-month sentence for his crimes in Washington, and Florida gave him an additional
144-month prison sentence. This Florida man is going to serve a total of 14 years in prison
for skimming credit cards.
And that case is closed.
There's no more skimming going on in Miami now, right?
No, not exactly.
Skimming like this is growing in popularity.
And in fact, the Secret Service has seen such a problem with it
that they had to enact Operation Deep Impact to combat this. And due to its popularity, it's not just credit card readers
anymore. This problem of credit card skimming has now infected the online world too.
These are true stories from the dark side of the internet.
I'm Jack Rhysider.
This is Darknet Diaries.
I know a bit too much about how scam callers work.
They'll use anything they can find about you online to try to get at your money.
And our personal information is all over the place online.
Phone numbers, addresses, family members, where you work, what kind of car you drive. It's endless and it's not a fair fight. But I realized I don't need
to be fighting this alone anymore. Now I use the help of Delete.me. Delete.me is a subscription
service that finds and removes personal information from hundreds of data brokers websites
and continuously works to keep it off. Data brokers hate them because Delete.me makes sure
your personal profile is no longer theirs to sell. I tried it and they immediately got busy scouring. ... by signing up for Delete Me, now at a special discount for Darknet Diaries listeners. Today, get 20% off your Delete Me plan
when you go to joindeleteme.com slash darknetdiaries
and use promo code darknet at checkout.
The only way to get 20% off
is to go to joindeleteme.com slash darknetdiaries
and enter code darknet at checkout.
That's joindeleteme.com slash darknetdiaries, use code darknet.
So as I was saying, credit card skimming isn't just at the pump. It's happening online in ways
that you might not be aware of, and I want to talk about it. So today we're going to talk to
one of the leading researchers of this problem. My name is Yonathan Klijnsma, and I'm the head
of threat research for RiskIQ.
Is it Yonathan or Jonathan?
Technically Yonathan, but we say Jonathan. I'm Dutch, so the pronunciation, it was two ways.
Okay, so Jonathan works for this company called RiskIQ,
and what they do is nothing short of amazing.
I'm the head of threat research within RiskIQ, and RiskIQ, what we do is we do data collection. And one of the
biggest points of data collection for us is web crawling. So we do about 2 billion pages a day.
And it's not just like sending Wget to a website. It's a custom made engine running JavaScript,
interpreting JavaScript. Jonathan has this insane web crawling bot that goes out to 2 billion
websites a day.
Like it goes to Alexa's top 2 million and then spiders out from there.
And he's able to do research on what he finds.
He can filter it, organize it, compare it, alert on it.
And what he's looking for is malicious activities on these websites.
This is what a threat researcher might do.
Scour the internet looking for seriously bad stuff to investigate on.
We've been crawling for a long time.
So one of our key things is history.
We have a lot of that.
So even if we find something later on, because, you know, it's like antivirus products.
It's cat and mouse.
If something is completely new, done in a way that's never been done before, nobody will detect it until they figure out what it is or until they've been told what it is or until they see it.
So one of the things is if we find something that we hadn't seen before, we can always go back and see when something started, when something first appeared.
This to me is incredible because basically Jonathan has historical records of two billion web pages that he can pull up from days ago, weeks ago, months ago, years ago.
This is sort of like his own private Wayback Machine. And he can look to see what was on
those pages for as far back as years. But more specifically, he can look to see what malware
might be on those pages. See, websites can exploit your browser. If you have an outdated browser or
plugin or something, a web page can take control of your browser and infect you.
It does this through JavaScript or Flash or Silverlight
or some backend language or something else.
And our main point is just this data collection
and we can make conclusions on the data.
One of the things we're able to do is
if we point our file to a website,
it can tell us it's running WordPress version something
with these plugins installed on an Apache server that has PHP version something
and will map CVEs to it, for example.
But the threat research team is there to find the bad stuff.
So when we're crawling a website, it could be that there's a skimmer on there.
It could be that you're being redirected to an exploit kit.
It could be that there's just some scams going on and you're redirected to like a tech support thing.
Sometime back in 2015, the team at RiskIQ started noticing some interesting stuff happening to
websites running Magento. Magento is an e-commerce site builder, just like how you can download
WordPress and have it host your own blog. Magento is the same thing, but for making online stores. So you download the Magento PHP bundle,
and it has templates and themes for how your store looks. So you customize the store to make it look
to how you want, and then you list the items you want for sale, and then you publish it. Now people
can go to your Magento store, see your selection, put the items in the cart,
and check out. And of course, when they check out, they enter their credit card details to buy something from you. Very cool for someone who wants to set up an online shop, but also comes
with a risk. See, Magento itself is safe and secure. I mean, it's owned by Adobe at this point,
and it's open source, and there's a lot of developers working on it. But there are people who quickly set up their online shop using Magento and don't think much
about the security and they think they're done. And then they focus on their product and marketing.
But what the shop owners fail to do is put any focus on security. If you don't update Magento,
it can become vulnerable to well-known attacks. If you don't secure your servers that you're hosting it on, it can leave you open. And yeah, if you don't use strong
passwords to access Magento as an admin, then yeah, you get it. And here's the crazy part.
There are over 100,000 online stores right now running Magento. Even if 1% of them didn't have
good security, that means 1,000 online stores are easily hackable.
And this can be a problem.
And it is a problem.
A problem that Jonathan saw.
He saw there was a particular group of hackers online looking for exploits in Magento.
When we were originally looking at this, back in 2015, these guys would always compromise Magento.
One of the files they would modify originally was Mage.php,
which is one of the core files of Magento.
And they would skim you when you would go to your checkout to your cart.
So we had to give it a name internally to reference it.
And at some point, this turned into Magecart.
Well, this group of hackers in 2015 had found their way into websites running Magento
and then found where the checkout section was
and put in some JavaScript to make a copy of any credit cards
that were entered on that page,
giving the hackers a copy of the credit card.
They were doing credit card skimming on the website.
And the team at RiskIQ called this group Magecart.
The skimming code is a small piece of JavaScript.
It can be as small as 15 lines, but we've seen them up to 1,500 lines. ... into a website. And, you know, from the browser perspective, it's just another script because
browsers don't really differentiate. Once you load up a webpage, there's a whole lot of stuff
happening. If you're on a mobile device, they change how the website looks. If you're on a
desktop, they change how it looks. These scripts have the same level of access to any data in the
webpage. So once you're entering payment data, the same script that gives you a pop-up to,
I don't know, submit your email address to subscribe to a newsletter, the same script
also has access to this payment data. There's no differentiation. But once these bad guys just get
their script running on your website, that's all they need. Because that script basically goes
through everything that you see on the website. And when you're entering the payment information
on your payment form,
what they look for is this form.
And there's different ways of identifying this form.
Some of them look for really identifiable names
like payment form or payout,
or they look for fields that have names
like a CC number or credit card number.
Once they identify a form
that might hold potential payment data,
they wait for you to hit the button for payment,
which what actually happens when you do this is you submit this data back to the website.
In the terms of the browser, it's called submitting a form.
And these skimmers, these small pieces of code, wait for you to do this.
Once you do this, they quickly take your form data, send it over to their own server
so they have your card data, and then they let it go through as if you normally submit your data
for payment during a checkout process. Yikes. In as little as 15 lines of JavaScript,
your credit card can land in the hands of the wrong people who can then do what they want with
it. I mean, if you think about what you enter on the website, you put your name, the credit card number,
the expiration date, and that little code on the back.
That's more than enough for a criminal
to just use to buy something else on another website
or print that number to a blank card and go buy gift cards.
But in order for this to work,
the hackers need to put that malicious JavaScript
on the website in order for it to execute.
Getting it on the website isn't always easy,
but there are some ways to do it.
A lot of different ways.
Some of them breach these websites directly.
So an online store can be breached directly
and they find a way to load in the script by putting it,
for example, a lot of these platforms
have the option to add Google Analytics code, for example.
You can add your little snippet of Google Analytics to the footer.
What they sometimes do is they add their JavaScript to the snippet for Google Analytics.
There's just a lot of different ways you can add it depending on the platform.
But the way to get it on the website is you either breach it directly or you go through a third party, like I said.
A lot of websites load in ads, load in live chat support from remote services, a whole bunch of different things.
So you can be compromised through a supply chain which you technically don't have a lot of control over.
Because you don't control the servers for the live chat service that you have on your website.
But if the bad guys get in there and they put their script in the live chat service's scripts, it gets loaded with that. And we've observed just this a whole bunch of times.
You might not think about the supply chain of websites, but if you're a website owner,
you should. Most websites today don't just run HTML and that's it. They also use CSS,
which stylizes the page. And then they bring in JavaScript, which brings in more features and functionality.
But typically you don't code all the CSS and JavaScript yourself.
You find a library that someone else made and bring it over.
So now you're running code on your website that you didn't write.
And when your users come to it, that JavaScript you took from some other library executes in the user's
browser. Now, all this is fine because you're probably using an open source library that has
all its bugs squashed and people are actively updating it. But here's the thing. A lot of
people who run websites don't host this JavaScript library themselves. They just link to it. So when
a user comes to their site, it says, oh, you need this jQuery library from this other site before you can see this page.
And your browser just automatically goes to that site, gets jQuery, and runs it.
Think about like going to a store to buy bottled water.
The store didn't bottle the water.
They ordered it from a bottling plant and then stocked it for you to buy.
The store trusts that bottle of water is good and won't make people sick.
But what if someone did get into the bottling company and poisoned the water?
Then that water gets bottled and shipped to many stores all over.
This is poisoning the supply chain.
The same thing can happen online.
Imagine what would happen if that central JavaScript library got hacked
and started hosting JavaScript libraries with credit card skimming code in it.
Yikes.
And that's just what happened with Magecart.
The hackers were getting this malicious JavaScript into these sites through the supply chain.
And that's the current one we've seen.
Some 17,000 or so websites, probably a lot more by now,
that are just loading content from S3 buckets that are not secured properly
or incorrectly configured, basically.
And they end up with skimming code.
And the thing is, the website owners would never know
if their supply chain got hacked
unless they go through and look at every line
of JavaScript code to confirm it's correct.
And then do that every day to make sure it hasn't changed.
Well, that's where Jonathan and his team come in. They're looking at this particular thing every day. And what they're
seeing is staggering. There are tons and tons of websites out there that have malicious JavaScript
running on them. Way too many. And one example, I can give you one third party supplier that we
observed hit about 100,000 websites and it appeared that it was affected.
And that's just one third-party.
Would all those websites be e-commerce?
I mean, my blog doesn't have a credit card form, you know?
Right, yeah.
So that's one of the things.
We see a lot of websites hit.
It's the same with the Amazon campaign that we see right now.
A lot of sites get hit.
Not a lot of them actually run payment data through their website. Not all of them are
e-commerce sites. So while we see a lot of them get hit, it's not always that, for one, they're
processing payments, or two, that the skimmer even reaches the payment or the checkout page,
because that's another thing. If you set up your e-commerce site properly, you shouldn't run
ads, for example, on your checkout page. You want to avoid running any external party on your
checkout page. We still see it happen, obviously, but it's one of the advice steps we give.
But from the third parties, it isn't always an e-commerce site. It's kind of hard to tell you exactly how many, but it's going to be in the hundreds of thousands easily.
And just to be clear, not all these sites that are compromised are running Magento.
This is just where the term is originated from and where we get the name.
The hackers have fanned out to many different platforms now, but also continue to target Magento sites.
It's a really prevalent problem.
Like, web skimming is sort of the go-to thing by now if you want to steal credit card data.
It's not as much direct breaches anymore.
It's just get a web skimmer on a webpage and you get payment data.
Now, while the Magecart hacking group initially started as a single group in 2015,
over the last four years, it's grown to be a common tactic used by many hackers.
So Jonathan originally had one Magecart Hacking Group,
but now there's Magecart Hacking Group 2 and Group 3 and Group 4 and so many more.
And they all skim credit cards from websites.
And while Jonathan was researching all this and tracking all these different groups, out of nowhere, he saw this on the news. Now, hundreds of thousands of British
Airways passengers have had their bank details stolen in one of the biggest data breaches to
hit a UK company. The airline discovered on Wednesday that bookings made between August
the 21st and September the 5th had been compromised with hackers taking credit card details along with emails and addresses.
And even the CEO of British Airways came on TV to say what's been stolen.
We know that information that has been stolen is name, address, email address, credit card information that would be credit card number, of course, expiration date, and the three-letter code in the back of the credit card.
Yeah, so on September 6th last year,
they announced that they had suffered a data breach.
So they put up a webpage.
They had some, I think, interviews pre-lined up with BBC.
They said they had about 380,000 affected customers, and they had a really specific timeframe for it as well.
So they said there was theft of customer data between 10:58 British Standard Time, August 21st, until 9:45 British Standard Time, September 5th. So there is a really specific timeframe. And they basically
said, if you believe you may be affected because you made a booking or paid to change
your booking with a credit card or debit card on BA.com or the mobile app between these and
these dates, we recommend you contact your bank. And for us, when they started saying credit card,
debit card, BA.com or mobile app, something told us like maybe something's going on because we were expecting that at some point something big would happen.
So we took the fact that they said BA.com was affected, their mobile app was affected, and they had a really, really specific on-the-minute timeline.
Like the end time, you can kind of understand because that will be,
they investigated and they cleaned up.
So they will know once they cleaned up.
But they had a very specific timeline for when it started.
Now, keep in mind that the web crawlers at RiskIQ have been going out to British Airways
websites for years, taking a snapshot of everything there day after day.
And British Airways was not saying how they were hacked.
Even to this day, they never told us
how the hackers stole all these credit cards.
But Jonathan wanted to find out,
and he was in the perfect position
to look back at the history of the British Airways website
to see if he could find out what happened for himself.
And after the break, we'll hear what he finds.
Stay with us.
Support for this show comes from Black Hills Information Security.
This is a company that does penetration testing,
incident response, and active monitoring to help keep businesses secure.
I know a few people who work over there, and I can vouch they do very good work.
If you want to improve the security of your organization, give them a call.
I'm sure they can help.
But the founder of the company, John Strand,
is a teacher, and he's made it a mission to make Black Hills Information Security
world-class in security training. You can learn things like penetration testing, securing the
cloud, breaching the cloud, digital forensics, and so much more. But get this, the whole thing
is pay what you can. Black Hills believes that great intro security classes do not need to be expensive,
and they are trying to break down barriers
to get more people into the security field.
And if you decide to pay over $195,
you get six months access to the MetaCTF Cyber Range,
which is great for practicing your skills
and showing them off to potential employers.
Head on over to blackhillsinfosec.com
to learn more about what services they offer and find links to their webcasts to get some world-class training.
That's blackhillsinfosec.com.
So what we started to do is just, okay, within that timeframe, let's first find what actually
happens.
So they said August 21st until September 5th.
So let's grab all our crawl data and go through their website and just see what happened during
that time.
And was there a change before that timeframe to within that timeframe? And was
there anything really specific? So we were going through crawls, a whole bunch of crawls.
So we started going through it and we noticed a change in a file. And specifically, the file was a JavaScript library called Modernizr. Now Modernizr in itself is nothing super interesting.
It's a way to make sure that your website will work on older and newer browsers. It kind of helps you with that. But one of the things we noticed is that, before this date that they gave, so they said it started on August 21st, and when we went to the timeframe British Airways said they were affected, the file had been modified on the 21st of August, exactly the timeframe they gave. But we were looking at the file because it was modified.
And we noticed that, you know, the technique that we observed so many times
at the bottom of this JavaScript library, they added a really, really, really tiny script.
And they made it even smaller by minimizing it.
But if you wrap it out and you look at it, it was about 22 lines of
JavaScript. It was very, very small. So the skimmer then would go through the payment form and pull
out the data and send it off. They did it in a very simple way. The reason for that is they just grabbed it, pushed it out to the server, and once we have it, we'll go through it, sort it, and clean it out and do all of that. Their point was just: we need to make sure that somebody's doing a payment and then just send off all the data. We can scrub it later. Just try to get as much while we have this organization breached. So they changed just one JavaScript file, and there are maybe a hundred different files on that website, for ba.com, because it's a big website.
There's a lot of libraries.
There's a lot of stuff going on. They modified just this file because they'd figured out that both mobile transactions as well as desktop transactions would load in this file. So they'd done their homework. They really figured out what the cross section between mobile payments and normal desktop payments was. It was this file that was always loaded.
So they took their time to figure this out.
They went in, they breached BA.
We don't know how, but they breached BA.
They went on the server and they added their teeny tiny snippet of code to this Modernizr library.
And with that, what BA confirmed, 380,000 people were affected just by this web skimming attack.
Whoa, this is crazy.
And that skimmer was only on BA's website for a month,
which is a big haul for using such a little piece of code.
And to hide it by sticking it in a well-known library
that you didn't write
means you'll probably never know it's there. Now, we don't know how BA discovered this,
but what typically happens is when people start using the cards fraudulently, they get reported,
and then the credit card companies will do a report on the reported cards to try to find a
common purchase point. This will then narrow down where they think the credit card breach
might have occurred and notify that company.
This might have been how BA discovered this,
but still today, there's been no explanation on how BA discovered this
or how the hack happened or what happened really.
British Airways never explained exactly what happened.
They tried to avoid it in any kind of media engagement.
And if you look at
what they did PR wise, they basically tried to flush it out with other news. So they tried as
hard as possible to make sure that nobody was talking about this. And up till this day, we still
don't know exactly what happened internally. The CEO said they would reimburse anyone who was a
victim of credit card fraud from this. And that seemed to be the end of this incident.
It quietly fell off the news cycles and disappeared.
Until this year.
In 2019, the ICO had one last say in the matter.
The ICO is a regulatory body in the UK, sort of like the Federal Trade Commission in the US.
They investigated this and thought British Airways wasn't following proper regulations regarding online security.
The ICO found that over 500,000 user details were stolen from this hack.
And after their investigation, they found that British Airways wasn't following proper GDPR policies.
Gave them a fine totaling 237 million US dollars, or 183 million British pounds. This is a record high
fine for anyone violating GDPR. But 237 million dollars is just 1.5% of their earnings during
the year they were breached. So it's enough to make BA notice this, but I'm not sure if it'll hurt him that much in the long run.
So now that Jonathan has been studying this Magecart hacking group
for a few years,
and he saw exactly what happened with British Airways,
he was able to take this knowledge
and searched his database of cached websites
to see if this same group might be hacking another website.
We know that this group, for them, this web skimming is sort of a tool in their arsenal.
It was a week later. So we published British Airways, and then a week later, we were looking at this.
And they did find the same skimming code on another website.
This time it was on the website newegg.com. Now, the thing is, I'm not from the U.S. I'm Dutch.
So I've been looking at this, not being aware that Newegg was a big thing because I'd never
actually heard of it. And it was just one of the many hits that we were looking at when we go through our data.
Newegg is one of the largest retailers in the U.S.
In 2016, they made $2.6 billion.
It's one of the top 10 biggest online stores in the U.S.
They mostly sell computers and computer parts.
In fact, I've ordered many, many things from Newegg.
What happened there was it was another breach.
Newegg has kind of a different payment process.
And this is, again, where you can see that these guys are quite smart about it.
So we noticed that on August 13, they registered a domain called Neweggstats.com.
It was registered on August 13th. So going through our data on the Newegg website, one of the things we noticed is that the checkout process is a little bit more elaborate than BA.
Their process goes that you need to go through the store, put in a product in your shopping cart.
You go to the first step of the checkout, which is where you enter your delivery information, like your billing address and your shipping address.
Then you click next.
You go to a new page.
And this is where you actually go and put in your payment information.
Now, in that page, directly in there, so it wasn't a JavaScript library like with British Airways, they had put an additional script tag and they added some additional scripts. Now this one
was 15 lines. It was slightly smaller. They had condensed their code a little bit. But again,
this script would look for a really specific button. This one was specific to the Newegg
checkout. Again, they would do desktop payments and mobile payments.
By adding 15 lines of JavaScript,
the hackers were scraping every credit card
entered into Newegg's site.
And because this site was so popular,
they must have been getting
tens of thousands of credit cards a day,
maybe much more than that.
And what's worse is that Newegg
had no idea this was going on.
Yonathan and his research team saw this while it was happening.
The hackers were live on Newegg's site, scraping every card they saw.
The team realized this was a big site, and even though they found skimmers on thousands of other sites,
this one was really big, and actually so big that they wanted to do more research about this and reach out to the site.
So Yonathan and his team moved quickly.
They grabbed all the details they could and gave all the information to Volexity. I don't know exactly why they worked with Volexity, but this is a company they trust
and it does incident response. So Volexity took this data and reached out to Newegg to tell them
about this problem and probably said at the same time, hey, if you want help cleaning it up,
we can help you. And within a short time after that, Newegg had their site cleaned up. In total,
the hackers had their skimmer code on the Newegg website for a total of 33 days.
So we worked with a party with which we published, Volexity. They ended up talking with them
directly to inform them. We were doing this over the weekend to inform them. And then they got it
cleaned up. So they were informed, but they never made a very big public statement and up to date.
I don't know if they've done one, but even then, there hasn't been any update on it since.
There aren't any good articles online where Newegg admitted to this.
All I found was this tweet where Newegg said, quote,
Yesterday we learned one of our servers had been injected with malware, which was identified and removed from our site.
We're conducting extensive research to determine exactly what info was obtained,
and we're sending emails to customers potentially impacted.
Please check your email. End quote.
I'm concerned about this.
I'm a customer of Newegg, and I had no idea this happened until I talked to Yonathan here.
Newegg didn't email me about this breach, and I don't even think they knew about it until Yonathan found this and told them. And there's very little
from Newegg talking about this at all. When a company doesn't own up to the bad stuff that
happens to them, it just makes me wonder what other stuff they're hiding. If they had other
breaches, they probably wouldn't have told anybody about those either. Or what shady stuff might they be doing with
our user data? And now
I'm reading that until 2016,
Newegg was an American company,
but then a Chinese company
bought a majority stake in Newegg.
So now it's under Chinese control.
Oh, Newegg.
This episode is sponsored by SpyCloud.
With major breaches and cyber attacks making the news daily,
taking action on your company's exposure is more important than ever. I recently visited SpyCloud.com to check my darknet exposure
and was surprised by just how much stolen identity data criminals have at their disposal.
From credentials to cookies to PII.
Knowing what's putting you and your organization at risk
and what to remediate is critical for protecting you
and your users from account takeover,
session hijacking, and ransomware.
SpyCloud exists to disrupt cybercrime
with a mission to end criminals' ability
to profit from stolen data.
With SpyCloud, a leader in identity threat protection,
you're never in the dark about your company's exposure from third-party breaches,
successful phishes, or infostealer infections.
Get your free Darknet exposure report at spycloud.com slash darknetdiaries.
The website is spycloud.com slash Darknet Diaries.
I once had my bicycle stolen.
I was stupid and I left it at the train station for six hours with a cheap lock. I came back and the lock was cut.
The bike was gone.
The first place I looked for the stolen bike was Craigslist.
This is where people sell their old stuff.
I didn't ever see my bike again, but it was worth a look.
And there's a similar thing you can do for stolen credit cards like this.
When a big breach like this happens and tens of thousands of credit cards get stolen,
the thieves can't just cash out on that many cards.
I mean, imagine printing 10,000 blank credit cards
and standing in line at a store trying to buy every single $200 gift card you can.
You'd be doing it for months and surely get caught along the way.
So the thieves have no choice but to sell them on the dark markets.
Now, Yonathan knows this.
So after a breach like this happens, he goes on a hunt to try to find where these cards are for sale.
So we don't publicly state which market it is just because there's a lot of ongoing investigations.
This is probably going to be a story that will go on for a long time.
But one of the ways is there weren't any other card sales going up at the time.
And a little bit after BA got cleaned up,
there was a sudden dump of cards.
And whenever these guys put up the sales of cards,
they also list where the cards come from.
So it's important for the people who buy cards
to know where the cards are valid.
Because if you use a U.S. card for fraud in the U.S., it will be less noticeable than if you take a U.S. card and go to Europe, to Eastern Europe, and start using it there. There will be a bigger red flag than just using it in the U.S. There's a lot of reason for them to want to know what's going on. And when they put up the sale about a week after Newegg got cleaned up, they called it X Massive, and they had EU, UK, and US cards in there.
They didn't specify how many.
They said high validity, 95%, which usually means it's a recent dump, basically,
because at times cards will be invalidated.
If you sit too long with your card data, cards will get invalidated because people get new cards
or they lose the card, they issue a new one.
There's a lot of reasons, but the validity goes down quite often. This one had a high validity
rate. They said 85% to 95%, which is just pretty high. And then if you look at the countries,
they said UK, US, Germany, Italy, Spain, Canada, France, and a list just went on, which meant it was
a very big international organization.
Now, one intel vendor, which we worked with at the time, decided to pursue some of these cards and see where they were valid from and where they were used from.
And they ended up linking it to the BA dump. And once we got Newegg cleaned up, again a week later they pushed an update. They called it US Eagle; it was the name of the dump they were selling. And they said it was half a million cards, and they said 90% to 95% validity.
And that's really, really high. That's high confidence.
And they said it was a U.S. mix only. So only U.S. cards.
Now, if you get half a million cards, you need to reach a big organization.
They said nothing about the states or anything, because a lot of times when it's U.S. only, they put in the states of where the cards were from.
They didn't put any of that in.
But again, somebody sampled some of the cards and they ended up being able to link it back to the Newegg breach.
It's so much fun to watch the Internet through a lens of how other people see it.
Yonathan can see the history of two billion web pages and can find what web pages are currently being skimmed, and then a week later go and chase down those stolen cards on the darknet. It's quite
an incredible way to see things. He sees what lies just behind the front page. He watches what stirs in the darkness.
It's also fascinating to look at the supply chain of stolen cards.
First, there's a group who does the hacking to get the credit card data,
and then this probably gets sold super cheap to some other group just to post it for sale.
And then that gets in the hands of many people around the world who then use these stolen credit cards to make illegal purchases with it.
And yeah, you might be able to buy a stolen credit card for like 20 bucks and then use it to buy a
$200 gift card, but you have a high chance of getting caught and going to jail over it. Because
this is a serious crime in the U.S. And specifically, the group that tracks financial fraud is the U.S.
Secret Service. Yeah, they also protect the president, but they spend a lot of time chasing down fraudsters too.
They take this stuff very seriously.
And when alerted, they can move very quickly
to try to track down someone who swiped a card
that's known to be stolen.
And I'm sure Newegg got to know the Secret Service very well after all this was over.
Now, Yonathan has been tracking these hacking groups for years.
He calls them Magecart Group 1, Magecart Group 2, and so on. At least seven different distinct hacking groups are doing this kind of credit card web skimming now. But I can't find any articles saying that anyone from any of these Magecart groups has been arrested. And Yonathan hasn't been able to track down anyone to a single person.
Because, as he puts it,
They are criminals.
And in my eyes, if you make something personal,
they will make it personal.
So I don't want to, I personally don't want to know who they are.
But that doesn't stop Yonathan from trying to disrupt them.
He often goes into battle with them.
One of the very interesting groups I have,
or, well, we have, we publish about them a bunch of times.
They're called, we call them Magecart Group 4.
And they're a very technically advanced group.
We've been kind of messing with them, taking down their infrastructure from time to time to kind of force their hand to see them, you know, at times mess up just to see if we can get some more insight to them. We've been at this group for a long time.
We took down, I think, about 100 domains initially when we first decided to disrupt them completely.
They set up new domains. How did you take them down? We worked with Shadowserver and FUCH
and with the registrars that have those domains registered.
So we have to prove that whatever's happening on those domains is bad
and it's only for bad purpose.
And with that, they give over DNS control for those domains.
So they move them away from the customers who bought them.
They give DNS control.
And what we did is we sinkholed them with Shadowserver, which is a nonprofit organization, which means that anybody who hits up those sinkholes will end up in Shadowserver reports.
And what happens with those is those are accessible for law enforcement, but they will also be sent out to the owners of the IP space that's affected.
So it's sort of automated reporting on that something happened. So it's one
of the ways that we try to do this reporting of Magecart affected stores and like affected
infrastructure. Because we can't, like I said, we can't scale to contact 17,000 individuals to tell
them that something's going on. So this was one of the ways. So we took down those domains initially,
made sure that, you know, they were sinkholed through Shadowserver,
that reporting would go out.
Those guys, again, they registered new domains,
we waited a little bit, and we took it down again.
Same thing, they registered new domains,
and they started making mistakes
because we were so actively taking it down
that they were rushed into setting up new infrastructure.
So they started making little mistakes, which made it even easier for us to track them and
track new infrastructure they had set up and slowly piece together links.
But there was a funny side effect to this as well.
One of the things that we're trying to figure out is how we would get to their domains.
And I'm not going to explain it just because it's a really nice trick
that still works.
I don't want them to know how it works.
But we were able to identify
their domains all the time
and take it down.
So what they would do
is they tried to figure out
what part of it was going wrong.
So they would change registrars.
It doesn't really matter for us.
They would change where they were hosting.
But with that,
they were moving through all kinds of IP space that if you looked around a little bit in it,
you would find so much more bad things that 100% of the hosters that they were using,
not per se the people that were hosting the IP space or hosting the servers,
but the people who would sell access to the servers for use were what we would call bulletproof hosters, or at least criminal hosters.
So by going through all this IP space,
they were telling us exactly where to look.
So slowly they were telling us,
oh yeah, this is another piece of bad IP space
that you should probably have a look
and maybe blacklist a few things, take some things out.
And this continued on.
So up till today,
we still find new infrastructure from them.
We're again waiting a little bit
and we'll probably do another takedown
to just keep forcing their hand
because they're the most advanced group.
We also think they have the best throughput,
not in the sense of 380,000 cards like with BA,
but they're advanced enough
that whatever card gets skimmed
gets put on sale really quickly.
So we think their advancement is also that they have good ways of selling out the data once they get it.
So right now, we can't do anything to them themselves.
We don't know who they are exactly.
They're really good at setting up their infrastructure and making sure it's really hard to link it to anybody at all.
So we're just here to disrupt the whole time in different ways.
Sometimes it's to take down a domain.
Sometimes we take down servers from them just to disrupt them,
to try to stop them from being able to get to more core data.
So how does RiskIQ get money, or how do you get paid?
Because this kind of research isn't really funded by anyone.
We get paid by customers who use our data as a name.
We have different products.
One of the products is that you have raw access or you have a web UI,
which gives you access to our different data sets that you can go through.
We have a product where, like I said, we do this vulnerability tracking,
configuration tracking for companies' websites.
We map infrastructure for companies.
Yeah, we have it all different ways.
We also have people that just buy bulk access
to APIs on our data.
Now you might be wondering as a consumer
or a website owner,
how can you protect yourself
from these Magecart bandits?
As a consumer, it's actually, it's really hard.
It's one of the things, we don't have a full answer for it.
The one thing I would suggest is, one of the things I like to do is, on a website where you can pre-store your card data,
for example, one of the places where I still do transactions is Amazon.
I'm very skeptical about every teeny tiny small store I find,
but for the most part, just keep track of the expenses
and keep track of your card.
If there's anything that looks off,
banks are more than happy to reissue.
As for website owners, there's a lot of things. There's the high level stuff like
please don't run ads on a checkout page. There's no need for it. You don't need analytics on a
checkout page. Somebody navigated your website, was able to put stuff in his cart, and is doing
a checkout. He doesn't need much more at that point. And with that, there's also a lot of
technical things you can do.
One of the things you can do, which is called subresource integrity, is you can give the browser a checksum, a hash checksum of the file you will be loading. Now, let's say, for example, the British Airways one, they would have had SRI on the page, and the attackers would not have noticed. They would modify the file, the checksum would not have matched, and the browser wouldn't even execute
the modified library. That's one. Another one you have is separating the payment process
from the website through something like iframe sandboxing. So the point is just to make sure
that that payment data, the point where somebody is
entering payment data, becomes as isolated as possible.
Nothing should be able to touch it.
The only thing that needs to know about it is the server that's going to process the
payment to authorize it.
So isolating that is mostly key.
And then there's one thing, it's called a CSP header.
It's Content Security Policy.
You can basically define where data can come from and go to from your website.
And one of the things is if everybody in the world is really good at setting up CSP headers,
we would have a whole lot less web skimming capabilities
because they send off data to remote servers almost all the time.
And if you set up CSP headers to basically say you can only send
data here, which should be your own website pretty much, they would not be able to send out data and
the browser would not allow the skimmer to send out data to the remote website. Now there's, of
course, caveats to this. One of the reasons why a lot of websites don't run CSP headers or do it
incorrectly is because they want to have ads.
Ads reach out to a remote server who then insert content from another remote server, which you can't know by beforehand because somebody will be running an ad campaign from somewhere.
And it gets really complicated.
So a lot of websites that run ads have a hard time defining strict CSP or content security policies because they just have so much content
coming from everywhere.
So it's, yeah, there's a lot of different ways going through this.
I think the most important part, besides general security hygiene, is putting in smaller barriers
and isolating your payment data.
There shouldn't be, you know, when you're on a payment page, there shouldn't be a whole
lot of extra things happening there.
It doesn't need to look very, very pretty and like movements and animations and all
that.
Make it very simple and isolate the payment data as much as possible.
It sounds like this problem is growing.
It's getting bigger and it's not going away anytime soon. So be safe out there, because online credit card skimming will continue until security improves.
I have some very sad news to add in here at the end.
On January 6th, 2021, Yonathan passed away.
Shortly after I interviewed him, he was diagnosed with cancer.
He put up the fight of his life for 15 months.
He was 29 years old.
I'm saddened from this news, and I already miss him tremendously.
A big thank you to our guest, Yonathan Klijnsma,
for doing so much research in this area and sharing it with us.
You can buy Darknet Diaries shirts and stickers at shop.darknetdiaries.com.
And in case you're wondering, the shop is hosted and ran by Shopify.
I don't have enough time or confidence to run a secure e-commerce website, especially not hearing this story.
So they do all of it for me. I just tell
them what's for sale. So Shopify, I hope you're listening so that you can keep things secure on
my store. The show is made by me, the Crimson Carter, Jack Rhysider. Sound design was done by
the art connoisseur, Andrew Meriwether. Editing help this episode by the dancing Damien. Our theme
music is by the sizzling Breakmaster Cylinder.
And even though people ask me how to make money on the Darknet every time I say it, this is Darknet Diaries.