Stealthy Malware - An Evolving Landscape

A noteworthy and somewhat expected trend is emerging within the eCommerce cyber security world: a shift towards stealthier strategies to conceal eCommerce skimmers. These tactics include:

• Targeted Malware: Malicious software that zeroes in on specific phases of the checkout process, making it exceedingly difficult, if not impossible, to detect through conventional scanning methods.
• Randomization in Skimmer Code: Skimmer code that activates intermittently, complicating detection efforts.
• File Obfuscation/Encryption: Utilization of innocuous-looking, heavily encoded files that mimic trusted ones.
• Malware Appended to Trusted Files: Popular platforms like Google Tag Manager are not immune, as criminals attach malware to seemingly safe files.

This trend towards more "stealthy malware" has been evolving over the past year, marking a logical progression from the more overt "Magecart-like" malware that plagued vulnerable websites in recent times.

While the numbers of hacked sites with card harvesting malware remains high, these stealthier methods afford criminals prolonged access ("dwell time") to websites, allowing for the extraction of a substantial amount of personally identifiable information (PII) and payment data from unsuspecting customers of the hacked websites.

How to Defend Against These Attacks

To defend against these attacks, implementing basic security measures is crucial:

1. Conceal Admin Panel: Avoid being the low-hanging fruit by relocating the Admin login to a discreet URL and restricting access to trusted IP addresses, making brute force attacks far more challenging.  24% of the hacked Magento 1 and 2 sites globally have an exposed Admin login, making it relatively easy for a criminal to brute force their way into these websites.
2. Individual User Accounts: Enforce separate user accounts for each user, enabling swift identification of compromised accounts and facilitating damage limitation.
3. Two-Factor Authentication (2FA): Enhance security with a second layer of authentication, such as Google Authenticator, to thwart brute force attacks and credential compromises.
4. Update Your Software - when a software solution issues a security patch, the security vulnerability is usually well documented and publicly available. In other words, there is likely to be a well documented, "paint-by-numbers", guide on how to exploit the vulnerability. This means that if you're slow to apply the patch, you're an easy target and should expect problems.
5. Continuous Security Monitoring: Employ tools like ThreatView to proactively assess your website's security posture and identify potential weaknesses, mitigating risks before they escalate. Access the ThreatView Community for free at www.turacolabs.com/Scan.

In the ongoing battle against cyber threats, proactive security measures are imperative. Our team has had an interesting year so far. Aside from the steady flow of eCommerce site investigations involving the standard Magecart-type skimmers, a "collection" of new types of malware have been identified, documented, "fingerprinted" and loaded into our technology to help defend our clients globally.

Recent additions to our malware fingerprint database over the past nine months include:

• Skimmers: 58%
• Loaders: 12%
• Backdoors/Webshells/File Uploaders: 30%
  

As criminal tactics evolve, staying ahead of the curve with robust security protocols can significantly safeguard your business from potential breaches and ensure sustained success.

‍