ITSecurity.org

Technology Security Controls


Social Engineering

Hiding Malware in Social Media Buttons

December 7, 2020 by ITSecurity.Org Ltd

Clever tactic:

This new malware was discovered by researchers at Dutch cyber-security company Sansec that focuses on defending e-commerce websites from digital skimming (also known as Magecart) attacks.

The payment skimmer malware pulls its sleight of hand trick with the help of a double payload structure where the source code of the skimmer script that steals customers’ credit cards will be concealed in a social sharing icon loaded as an HTML ‘svg’ element with a ‘path’ element as a container.

The syntax for hiding the skimmer’s source code as a social media button perfectly mimics an ‘svg’ element named using social media platform names (e.g., facebook_full, twitter_full, instagram_full, youtube_full, pinterest_full, and google_full).

A decoder deployed separately somewhere on the e-commerce site’s server is used to extract and execute the code of the hidden credit card stealer.

This tactic increases the chances of avoiding detection even if one of the two malware components is found since the malware loader is not necessarily stored within the same location as the skimmer payload and their true purpose might evade superficial analysis.
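A defender-side check for the pattern described above, added here as an example and not taken from Sansec or the quoted report: it audits page markup for `svg` icons whose `path` elements carry anything other than drawing geometry. It assumes the hidden data sits in the path's `d` attribute or as text inside the `path` element, which the report does not specify; the sample markup is constructed.

```python
import re
from html.parser import HTMLParser

# Legitimate SVG path data: command letters, numbers, signs, commas, whitespace.
VALID_PATH_DATA = re.compile(r"[MmZzLlHhVvCcSsQqTtAaEe0-9\s,.+\-]*")
# Element names listed in the report.
ICON_NAMES = {"facebook_full", "twitter_full", "instagram_full",
              "youtube_full", "pinterest_full", "google_full"}

class SvgPathAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.svg_ids = []      # ids of the enclosing <svg> elements
        self.in_path = False
        self.findings = []     # (svg id, reason, id is one of ICON_NAMES)

    def _flag(self, reason):
        svg_id = self.svg_ids[-1]
        self.findings.append((svg_id, reason, svg_id in ICON_NAMES))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "svg":
            self.svg_ids.append(attrs.get("id") or "")
        elif tag == "path" and self.svg_ids:
            self.in_path = True
            if not VALID_PATH_DATA.fullmatch(attrs.get("d") or ""):
                self._flag("non-geometry characters in d attribute")

    def handle_endtag(self, tag):
        if tag == "path":
            self.in_path = False
        elif tag == "svg" and self.svg_ids:
            self.svg_ids.pop()
            self.in_path = False

    def handle_data(self, data):
        # A <path> element normally has no text content at all.
        if self.in_path and data.strip():
            self._flag("text content inside <path>")

def audit(html):
    auditor = SvgPathAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample: one clean icon, two carrying harmless placeholder data.
SAMPLE = """
<svg id="share_ok"><path d="M4 4 L20 4 L20 20 Z"/></svg>
<svg id="facebook_full"><path d="EXAMPLE_NON_GEOMETRY_DATA(); 1+1"></path></svg>
<svg id="twitter_full"><path d="M1 1 Z">EXAMPLE_TEXT</path></svg>
"""
```

Because the decoder lives elsewhere on the server, a finding here identifies only the payload half; the server-side files still need their own review.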

Filed Under: credit cards, IT Security, Malware, Social Engineering, social media, Uncategorized

Three Areas to Consider, to Focus Your Cyber-Plan

November 22, 2019 by admin


Filed Under: budget, cybersecurity, DNS, InfoSec Insider, IT Security, justin jett, network monitoring, Phishing, plixer, preparedness, rogue employees, Social Engineering

Humble Bundle alerts customers to subscription reveal bug

December 4, 2018 by admin


Filed Under: 2-Step Verification, 2fa, Breach, bug, Cybercrime, games, gaming, humble bundle, IT Security, phish, Phishing, Social Engineering, spear phishing, two-factor authentication, video games

APT10 Stone Panda – Operation Cloud Hopper – Social Engineering

December 4, 2017 by admin

APT10 Stone Panda – Operation Cloud Hopper

On 3 Apr 2017, the National Cyber Security Centre (NCSC) briefed major UK businesses about a significant Chinese Cyber-Espionage Threat called APT10, also known as Stone Panda.

  • APT10 are operating a campaign called ‘Cloud Hopper’, which is actively targeting Managed Service Providers (MSPs) in order to steal their client’s NCSC has stated UK MSPs were known to be infiltrated, however they are not naming them.
  • The Cloud Hopper campaign focuses on sending malware-infected emails to staff at Managed Service Providers (MSPs). Once executed, the malware creates a backdoor which allows the attacker remote access to the MSP’s backend systems. From there the attackers are able to navigate the MSP network and identify external connections with the MSP clients, which are their actual targets. These network channels are then used to steal data from those clients, data which is packaged and exfiltrated through the MSP remote connection. These backdoors are known to remain undetected for months, due to tailored malware which is undetectable by anti-virus and security monitoring
  • PwC and BAE Systems have been assisting NCSC and have produced a list of IP addresses and MD5 hash files associated with Cloud Hopper attacks. These can be used to detect (scan) and prevent (monitor) against the Cloud Hopper

Filed Under: Social Engineering

The role of Social Engineering media in society

November 20, 2016 by admin


Filed Under: Social Engineering

The Impacts Of Social Engineering Media In Everyday Life

November 14, 2016 by admin


Filed Under: Social Engineering