Fake social media buttons delivering payment card skimming malware
Sansec, a security company that specializes in eCommerce malware and vulnerability detection, has released a study and report identifying new payment card skimming malware. According to the report, hackers are “hiding in plain sight” by gaining access to online retailer websites and then placing fake buttons on checkout and e-commerce pages. The embedded malware masquerades as common social media “share” buttons for Facebook, Instagram, Pinterest, and Twitter on the targeted websites. According to a follow-up report by security website Threatpost, some 37 unnamed online retailers have been infected so far.
Once in play, the malware behaves much like “Magecart” skimming malware, which runs in the shopper’s browser to collect personal and financial information. Alarmingly, the shopper does not even need to click the “Share” button for the malware to activate.
The malware buttons are reportedly well constructed, using common terms and structures that make them difficult to distinguish from the real thing. This makes the malware particularly difficult for scanning and detection software to identify. The attack package is also constructed as a two-part payload – encrypted malware code, coupled with a separate block of decoding malware that reads and executes it. This separation of duties in the payload makes it even more difficult for malware scanning to pinpoint suspicious code.
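As an added illustration (not code from Sansec, Threatpost or ISA), the following heuristic scanner looks for the two-part pattern described above in a static snapshot of a checkout page: a social "share" element whose attribute carries an unusually long, high-entropy string, and an inline script that both reads element attributes and executes strings dynamically. The keyword list, thresholds and sample page are assumptions constructed for the example.

```javascript
// Added example: static heuristic scan for a fake share button carrying an
// encoded blob (part 1) and a separate reader/evaluator script (part 2).
// Keywords, thresholds and the sample HTML below are assumptions.
const SOCIAL_WORDS = ["facebook", "instagram", "pinterest", "twitter", "share"];

// Shannon entropy in bits per character; dense encoded data scores high.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) { const p = n / s.length; h -= p * Math.log2(p); }
  return h;
}

// Part 1: social-looking elements whose attribute values are long and high-entropy.
function findSuspiciousShareButtons(html, minLen = 200, minEntropy = 4.5) {
  const findings = [];
  for (const tag of html.matchAll(/<([a-zA-Z][\w-]*)\b([^>]*)>/g)) {
    const [, name, attrs] = tag;
    if (!SOCIAL_WORDS.some((w) => attrs.toLowerCase().includes(w))) continue;
    for (const [, attr, value] of attrs.matchAll(/([\w:-]+)\s*=\s*"([^"]*)"/g)) {
      const entropy = Number(shannonEntropy(value).toFixed(2));
      if (value.length >= minLen && entropy >= minEntropy) {
        findings.push({ tag: name, attr, length: value.length, entropy });
      }
    }
  }
  return findings;
}

// Part 2: inline scripts that read DOM attributes/content AND evaluate strings.
function findDecoderScripts(html) {
  const reads = /getAttribute\(|\.dataset\b|\.textContent\b|\.innerHTML\b/;
  const execs = /\beval\(|new Function\(|\bsetTimeout\(\s*["']/;
  const out = [];
  for (const m of html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)) {
    if (reads.test(m[1]) && execs.test(m[1])) out.push(m[1].trim().slice(0, 60));
  }
  return out;
}

function scanPage(html) {
  const buttons = findSuspiciousShareButtons(html);
  const decoders = findDecoderScripts(html);
  return { buttons, decoders, suspicious: buttons.length > 0 && decoders.length > 0 };
}

// Constructed sample: a genuine share link, a fake button whose data attribute
// holds a placeholder blob (the base64 alphabet repeated; not a real payload),
// and a script that reads the attribute and evaluates it.
const BLOB = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/".repeat(5);
const SAMPLE_HTML = `<a class="share-twitter" href="https://twitter.com/share">Tweet</a>
<svg class="share-facebook" data-share="${BLOB}"><path d="M0 0h24v24H0z"/></svg>
<script>var e=document.querySelector("[data-share]");new Function(e.getAttribute("data-share"))();</script>`;
```

Run against a saved copy of a checkout page, `scanPage` reports which element and attribute carry the blob and which script reads it, so both halves of the payload can be reviewed together.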
PwC releases Global Digital Trust Insights 2021 report
PwC has released the results and analysis of its annual global cybersecurity survey. This year’s online survey reached 3,249 business and technology executives around the globe, including 100 Canadian participants.
Some key highlights of the survey, which was conducted in October 2020:
+ 56% of Canadian respondents (55% globally) expect to budget more for cybersecurity in 2021
+ Only 34% of Canadian respondents (44% globally) said they were confident that their cybersecurity budgets are being spent correctly
+ Just 3% of Canadian respondents (4% globally) said they did not expect COVID-19 to have an impact on cybersecurity in their specific industry
+ The top three cybersecurity approaches that provide the most benefit for Canadian organizations surveyed are SOAR (security orchestration, automation and response) at 19%, improved IAM (identity and access management) at 17%, and integrated cloud/network security at 17%
+ Overall, companies surveyed felt that cloud services were the most likely target for cyberattack, but that such attacks would have less impact than direct attacks on critical business services
The survey recommended five cybersecurity themes to consider and implement in 2021 to move “your organization to the next level”:
1) Reset your cyber strategy – the pandemic has illustrated that business transformation can take place faster, and on a broader scale, than previously imagined
2) Rethink your cyber budget – businesses are seeking more alignment of cybersecurity investment with business growth and risk management
3) Level the playing field with attackers – the report emphasized that it is important to consider emerging security technologies and techniques to keep pace with advances by cyber criminals
4) Build resilience for any scenario – the report illustrated approaches for reviewing the likelihood and impact of potential attacks, then assessing your investments in those areas, as well as your preparedness and resilience for those scenarios
5) Future-proof your security team – the right blend of hiring, training, and strategic use of managed services is key for the long-term success of your cybersecurity program
Egregor ransomware hits three more major targets
The Egregor ransomware group reportedly registered successful attacks against U.S. discount retailer Kmart, global staffing leader Randstad NV, and Vancouver’s transit system, all within the last several days.
The group was first identified in September 2020 when it compromised 15 target companies, followed by an additional 51 victims in October 2020. By mid-November, another 21 major targets had been reported. These attacks included breaches at bookseller Barnes & Noble and video game studio Ubisoft, as reported previously in ISA Cyber News, representing incidents across at least 19 different industry verticals. The attacks on Randstad and the Vancouver transit system may indicate a sinister new direction for the group, as over 80% of previous attacks were on US-based targets.
Some analysts have speculated that the significant increase in the group’s activities can be traced to the shutdown of the Maze ransomware operation in October 2020. The pattern of attack is similar to that of Maze: Egregor’s model also involves exfiltrating data for extortion while encrypting systems for ransom – a potentially devastating double blow for victim organizations. Egregor attacks often leave a ransom note instructing victims to use the Tor browser to reach out to the criminals within three days. If the victim fails to comply, corporate data is slowly leaked to the so-called “Egregor News” data leak site on the dark web.
The impacts of this week’s attacks illustrate the seriousness of the breaches. Kmart, already in financial difficulty and closing stores across the U.S., saw many of its back-end systems and services shut down by the attack. The 88sears.com site – a corporate intranet site – was also offline due to the attack. To date, Kmart has not officially acknowledged the widely reported breach.
In Vancouver, while transit services are still running, most back-office functions were shut down, including phone systems, payroll, vending machines and payment systems (since restored), and a variety of online services. A Twitter statement from the transit authority sought to reassure patrons that no personal financial data had been compromised.
Meanwhile, Randstad’s network breach exposed unencrypted corporate, legal, and financial documentation. Over 3 Gb of material is believed to have been stolen. A statement by Randstad advised that, while only a limited number of servers were affected and operations are continuing, data related to its operations in the US, Poland, Italy, and France was compromised.