Beware of Skimmers and Infostealers Targeting E-Commerce

A growing number of cyberattacks were discovered targeting retailers and online consumers as summer sales heat up. Though the holiday season remains the most profitable time for retailers, sale events are often launched in the slower summer months to increase revenue. Consumers often take advantage of these summer sale events including semi-annual sales; Independence, Memorial, and Labor Day sales; Father’s Day and graduation gifts; back-to-school sales, and Christmas in July sales.  Akamai researchers identified a new, large-scale, Magecart-style web skimming campaign, designed to steal personally identifiable information (PII) and credit card information from e-commerce websites. Distinct from traditional Magecart campaigns, however, this campaign uses new techniques to hijack legitimate commerce websites in order to serve as improvised command-and-control (C2) servers, using the host victim’s website to further facilitate malicious code distribution.
Cybercriminals use various evasion techniques during the campaign, masking the attack to resemble popular third-party services and allowing it to go undetected for over a month. This attack may potentially exploit known vulnerabilities found in websites’ digital commerce platforms such as Magento, WooCommerce, WordPress, and Shopify, or in vulnerable third-party services used by the website. These attacks cannot be detected by popular web security methods, such as web application firewalls (WAFs), and are executed on the client side, prolonging the attack. This may result in tens of thousands of victims and damage the reputations of victimized organizations. Additionally, consumers’ PII and credit card information are at risk of being stolen or further sold on dark web forums.
Threat actors are also targeting online sellers in a new phishing campaign to distribute Vidar information-stealing (infostealer) malware. They impersonate a customer of an online retailer claiming that they were charged a large dollar amount after an alleged order did not go through. These complaints are sent to online store administrators via email or website contact forms and contain a link to a fake Google Drive page that prompts the user to download a malware-laden PDF file. Threat actors target online sellers to steal admin credentials in order to gain access to eCommerce websites and facilitate further cyberattacks.
Infostealers are remote access trojans (RATs) designed to gather information from a system. Infostealers gather login information, like usernames and passwords, and are frequently used to further facilitate ransomware attacks. The NJCCIC and other cybersecurity firms have indicated a steady increase in attempts to distribute infostealers, such as Redline Stealer, Vidar, and Raccoon Stealer. Vidar is capable of stealing browser cookies, browser history, saved passwords, cryptocurrency wallets, text files, Authy 2FA databases, and capturing screenshots of the active Windows screen. Redline Stealer is a powerful data collection tool, capable of extracting login credentials from a wide range of sources, including web browsers, FTP clients, email applications, Steam, instant messaging clients, and VPNs. Raccoon Stealer steals personal information, including email addresses, identification numbers, bank account information, and cryptocurrency information. Cybercriminals can use this stolen information to commit identity theft, financial fraud, and other crimes.