Magecart and web skimming tools on the dark web


I recently presented a webinar on 7 common web application security attacks and what organizations can do to protect themselves. During one section, I spoke about botnets and their role in distributed denial-of-service attacks. I referenced an attack against a prominent IT security researcher, Brian Krebs, presumably initiated by people who didn’t necessarily agree with what he was writing about.

After the webinar, I was asked how easy it would be for an individual to initiate a botnet attack against an organization that they took issue with. The answer to the question is that it is remarkably simple — providing you are willing to do business in some less than legitimate places and have some cryptocurrency.


Kissing the ring browser

Organized crime is nothing new, and neither is criminal activity for hire. Before the Internet, if you needed something less than savory done, you needed to know a guy who knew a guy, but today, you can use a special web browser and get everything from cannabis seeds to a hitman right from the comfort of your couch.

Almost everyone has heard about the dark web and how it is a place where the worst parts of the Internet are kept. There are many statistics that say between 75 and 95 percent of the Internet is inaccessible from regular browsers. While this is true, most of the time these statistics are talking about the deep web, not the dark web — and there is a difference.

Regardless of the numbers, if someone is set on performing a botnet-based denial-of-service attack against an organization, there are marketplaces where they can go and purchase the services required to perform it.

The deep web and the dark web

There is a difference between the deep web and the dark web. The deep web refers to the section of the Internet that is not intended to be open to the public. Many organizations have services, data stores, and other resources online that aren’t open to anyone but their internal teams. These types of resources outnumber public websites or applications — and this is what is known as the deep web.

The dark web, on the other hand, is a subset of web resources that are only accessible through a special network known as the Tor network. The Tor network is intended to be an anonymous network, allowing users to interact with complete privacy. While the network certainly has its benefits, such as allowing journalists in countries with strict censorship laws to publish, it can also be used to provide marketplaces for obtaining illicit goods.


When connected to the dark web, it becomes possible to access sites ending with the .onion top level domain name. It can still be difficult to gain access to the more sinister parts of the dark web since many are hidden behind further proxies, but there is still an abundance of marketplaces and search engines readily available to use.

Even with governments taking an active role in closing down these illicit marketplaces, the sheer anonymity of the dark web means that as soon as one is closed down, new versions are quickly created and brought back online.

Connecting to the dark web

In the early days of the Tor network, connecting to the dark web was a complex process that required at least some technical knowledge. Today, however, with the growing interest in online privacy, this is no longer the case and it’s as simple as downloading an application.

The Tor browser is the most popular of the many browsers available for accessing the private network. The browser is a modified version of Firefox with additional capabilities specifically for the Tor network. Connecting to the dark web is as easy as downloading the browser application and running it. The curious should be warned, however: there is some extremely disturbing content within easy reach when navigating around dark web sites.

Once connected to the Tor network, sites such as The Hidden Wiki can be used as a jumping point to become familiar with the various content available.

Magecart data skimming software for purchase

With the number of dark web marketplaces and hacker-for-hire services out there, it has become easy to purchase zero-day exploits, ransomware, and even the credit-card skimming code used by Magecart groups. For example, one service offered an online tool which allowed the generation of unique credit-card skimming JavaScript so as to avoid things like antivirus detection — all for a fee in bitcoin.

The disturbing truth is that the dark web is easy to access, and hacking tools are easy to obtain — and the payouts are big. As a result, there is a high likelihood that eCommerce will experience a rise in Magecart-style web skimming attacks. As more people realize how simple it is to pull off skimming attacks, we expect the attacker profile to evolve beyond the small, but well-managed, hacking groups that are responsible for Magecart attacks at the moment.

Be prepared to fight data exfiltration

Data skimming attacks can have far-reaching consequences for organizations, including brand damage, fraud, and GDPR-related violations. It’s imperative that businesses prevent data exfiltration, but it’s easier said than done. Skimming attacks are especially difficult to detect and avoid because they take place in the browser, meaning there is no traffic to inspect in the usual places such as server logs. When a skimming attack is deeply embedded in regular code, it can be weeks before it is discovered.
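
One way to get the browser-side visibility that server logs lack, as an added example (not from the original article and not Instart's product): it assumes the site serves a `Content-Security-Policy-Report-Only` header so browsers send violation reports, and it triages those reports against an explicit allowlist of approved third parties. The hosts, the allowlist and the sample reports are constructed for illustration.

```javascript
// Added example. ALLOWED_HOSTS and SAMPLE_REPORTS are constructed values.
// Assumes a report-only CSP of default-src 'self', so every third-party
// load on the checkout page produces a browser-sent violation report.
const ALLOWED_HOSTS = ["payments.example", "analytics.example"];

const SAMPLE_REPORTS = [
  { "csp-report": { "document-uri": "https://shop.example/checkout",
      "effective-directive": "connect-src",
      "blocked-uri": "https://payments.example/charge" } },
  { "csp-report": { "document-uri": "https://shop.example/checkout",
      "effective-directive": "connect-src",
      "blocked-uri": "https://payments.example.collector.test/c" } },
  { "csp-report": { "document-uri": "https://shop.example/checkout",
      "effective-directive": "script-src", "blocked-uri": "inline" } },
  { "csp-report": { "document-uri": "https://shop.example/checkout",
      "effective-directive": "script-src",
      "blocked-uri": "https://static.analytics.example/t.js" } },
  {}, // malformed report body, skipped
];

// Exact match or true subdomain only; "payments.example.collector.test"
// must not pass just because it starts with an approved name.
function isAllowedHost(host, allowed) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return allowed.some((a) => h === a || h.endsWith("." + a));
}

// One finding per report whose blocked resource is not explicitly approved.
function findUnapproved(reports, allowed = ALLOWED_HOSTS) {
  const findings = [];
  for (const wrapper of reports) {
    const r = wrapper && wrapper["csp-report"];
    if (!r || typeof r["blocked-uri"] !== "string") continue;
    const page = r["document-uri"];
    const directive = r["effective-directive"] || r["violated-directive"] || "";
    let host = null;
    try {
      host = new URL(r["blocked-uri"]).hostname;
    } catch {
      // Keywords such as "inline" or "eval" are not URLs and carry no host.
    }
    if (host === null || !isAllowedHost(host, allowed)) {
      findings.push({ page, directive, host, blocked: r["blocked-uri"] });
    }
  }
  return findings;
}

console.log(findUnapproved(SAMPLE_REPORTS));
```

Of the five sample reports, the lookalike host and the inline script are flagged; the approved payment host and the analytics subdomain pass.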

Instart provides a layer of security that enables organizations to protect their website visitors from data exfiltration even if the website suffers a web skimming attack. Instart Web Skimming Protection blocks scripts and other non-critical tools from accessing sensitive data entered into forms, only granting access to domains or scripts that have explicit permission.
