Social Engineering

Hiding Malware in Social Media Buttons

Clever tactic:

This new malware was discovered by researchers at Dutch cyber-security company Sansec, which focuses on defending e-commerce websites from digital skimming (also known as Magecart) attacks.

The payment skimmer pulls off its sleight of hand with a double payload structure: the source code of the skimmer script that steals customers' credit card details is concealed inside a social sharing icon, loaded as an HTML 'svg' element with a 'path' element serving as the container.

The hidden skimmer is dressed up as a legitimate social media button: the 'svg' elements are named after social media platforms (e.g., facebook_full, twitter_full, instagram_full, youtube_full, pinterest_full and google_full), so the markup looks like an ordinary sharing widget.

A separate decoder, deployed elsewhere on the e-commerce site's server, extracts and executes the hidden credit card stealer.

This tactic improves the odds of evading detection even if one of the two components is found: the loader is not necessarily stored in the same location as the skimmer payload, and neither component's true purpose is obvious on superficial analysis.
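As an added example (not Sansec's code and not the skimmer or its loader), the following Node.js heuristic scans page HTML for share icons whose 'path' element carries something other than SVG path data, which is the anomaly the technique above depends on. The sample markup, the element names and the base64-looking filler strings are constructed for the demo; the character set used to recognise legitimate path data is an assumption of this check, not something the post states.

```javascript
// Added example: heuristic detection of script text hidden inside <svg><path> icons.
// Not from Sansec or the original post. Sample HTML below is constructed for the demo.

const SVG_RE = /<svg\b([^>]*)>([\s\S]*?)<\/svg>/gi;
// Matches either a self-closing <path .../> or <path ...>text</path>
const PATH_RE = /<path\b([^>]*?)(?:\/>|>([\s\S]*?)<\/path>)/gi;
const NAME_RE = /\b(id|class)\s*=\s*["']([^"']*)["']/i;
const D_RE = /\bd\s*=\s*["']([^"']*)["']/i;
// Assumption: genuine path data only uses path commands, digits, separators and exponents.
const PATH_DATA_RE = /^[MmZzLlHhVvCcSsQqTtAa0-9\s.,+\-eE]*$/;
const SOCIAL_NAMES = ['facebook', 'twitter', 'instagram', 'youtube', 'pinterest', 'google'];

// Returns one finding per <path> whose d attribute is not path data or which carries text.
function findSuspiciousIcons(html) {
  const findings = [];
  for (const svg of html.matchAll(SVG_RE)) {
    const [, svgAttrs, svgBody] = svg;
    const nameMatch = svgAttrs.match(NAME_RE);
    const name = nameMatch ? nameMatch[2] : '';
    const looksSocial = SOCIAL_NAMES.some((s) => name.toLowerCase().includes(s));
    for (const p of svgBody.matchAll(PATH_RE)) {
      const [, pathAttrs, inner = ''] = p;
      const dMatch = pathAttrs.match(D_RE);
      const d = dMatch ? dMatch[1] : '';
      const reasons = [];
      if (!PATH_DATA_RE.test(d)) reasons.push('d attribute contains non-path characters');
      if (inner.trim().length > 0) reasons.push('path element carries text content');
      if (reasons.length > 0) {
        findings.push({ name, looksSocial, reasons, sample: (inner.trim() || d).slice(0, 40) });
      }
    }
  }
  return findings;
}

// Constructed sample: one genuine icon, one icon with text stuffed into <path>,
// one icon whose d attribute holds base64-looking filler (placeholder text, not a payload).
const SAMPLE_HTML = `
<div class="share">
  <svg id="twitter_full" viewBox="0 0 24 24"><path d="M23 3a10.9 10.9 0 0 1-3.14 1.53 4.48 4.48 0 0 0-7.86 3v1A10.66 10.66 0 0 1 3 4s-4 9 5 13a11.64 11.64 0 0 1-7 2c9 5 20 0 20-11.5a4.5 4.5 0 0 0-.08-.83A7.72 7.72 0 0 0 23 3z"/></svg>
  <svg id="google_full" viewBox="0 0 24 24"><path d="M12 2a10 10 0 1 0 0 20 10 10 0 0 0 0-20z">ZGVtbyBwbGFjZWhvbGRlciB0ZXh0IG9ubHk=</path></svg>
  <svg id="pinterest_full" viewBox="0 0 24 24"><path d="ZmlsbGVyIHRleHQgbm90IHBhdGggZGF0YQ=="/></svg>
</div>`;

console.log(JSON.stringify(findSuspiciousIcons(SAMPLE_HTML), null, 2));
```

Run it over a saved copy of a checkout page (or the output of a headless browser, so dynamically injected icons are included) and review every finding whose `looksSocial` flag is set; the loader lives elsewhere, so a hit here is a reason to search the rest of the site for the decoder rather than to stop at the icon.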

Three Areas to Consider, to Focus Your Cyber-Plan


APT10 Stone Panda – Operation Cloud Hopper – Social Engineering

On 3 Apr 2017, the National Cyber Security Centre (NCSC) briefed major UK businesses about a significant Chinese Cyber-Espionage Threat called APT10, also known as Stone Panda.

  • APT10 is operating a campaign called 'Cloud Hopper', which actively targets Managed Service Providers (MSPs) in order to steal their clients' data. NCSC has stated that UK MSPs are known to have been infiltrated, but it is not naming them.
  • The Cloud Hopper campaign focuses on sending malware-infected emails to staff at MSPs. Once executed, the malware creates a backdoor which gives the attacker remote access to the MSP's backend systems. From there the attackers navigate the MSP network and identify external connections to the MSP's clients, which are their actual targets. These network channels are then used to steal data from those clients; the data is packaged and exfiltrated through the MSP remote connection. These backdoors are known to remain undetected for months, because the tailored malware is not picked up by anti-virus and security monitoring.
  • PwC and BAE Systems have been assisting NCSC and have produced a list of IP addresses and MD5 file hashes associated with Cloud Hopper attacks. These can be used to detect Cloud Hopper activity (by scanning for the file hashes) and to prevent it (by monitoring for and blocking connections to the listed IP addresses).