Harry Potter and the Magecart skimmers

Hi and welcome to another Security weekly. Where we laugh, we cry and share the latest and greatest in security and tech news.

In this week's edition:
🪄 Harry Potter and the Magecart skimmers
📄 PaperCut exploit, stop the bleeding early
❓ Disable User Explains: Web Skimming
🔥 the quick and dirty

Reading time: 03:14

Harry Potter and the Magecart skimmers

As I said, ‘t was a rather slow week. Some stuff happened, but nothing really interesting to write about.

And it’s my promise to you that every week is - at least - interesting.

But then, as I was scrolling, I came across this neat picture:

So let’s be honest here. If this doesn’t inspire you to write, what does?

The article in question was about Magecart, and how there’s an increase in Magecart attacks. (as you can see, the picture is literally a mage in a cart. Brilliant)

So what is this illusive ‘Magecart’?

Magecart is an umbrella term for a group of hackers who steal personal data from websites that accept online payments. They target customers in their check-out phase, hence the ‘cart’.

The attacks rely heavily on Javascript, so you might also see them refered to as JS Sniffers.

The attacks are bad for both the customer and the company:

• Customer - information theft. I don’t know about you, but I don’t like my payment/personal information in the hands of hackers.

• Company - reputation damage. Just like with other breaches, when a company has to come out with a breach, this will have impact on their customer relations.

• Company - Legal action. Companies who manage payment information of their customers are uphold by high standards like PCI DSS. You can bet they’ll get an audit once the news spreads about the breach.

While attacks may be on the rise, Magecart is far from new.

In 2018, British Airways was hit in a Magecart attack.
Leaving 380.000 victims with their credit card information in the hands of thugs.

The worst (or best, ‘t is how you look at it) part about this attack was that during the investigation, it came to light that BA had been storing payment information from customers in PLAIN TEXT.

So here I am, teaching you guys & gals to use different passwords. To have proper security hygiene. To use a password manager.
And what does British Airways do? Plain text baby, couldn’t care less.

Now the good stuff. How do you prevent this from happening?

I’m going to be brutally honest here:

You can do what you want, but if the company who handles your payment doesn’t do their due dilligence.. you’re pretty much f#cked.

But, as always, do what you can:

• Only use trusted sites - but given the British Airways example, who is trustworthy?

• Block JS on untrusted sites - or just block it all together. Horrible.

• Use a good antivirus with browser protection - they’ll aid you in blocking untrusted sites and weird redirections

• Stop using online payments? I tried, lasted about 38 minutes.. <title of my sextape>

PaperCut exploit, stop the bleeding early

Microsoft revealed that recent attacks on PaperCut servers were conducted by ransomware operations known as Clop and LockBit.

As if printers aren’t a pain in the butthole as they are, now their software is dangerous as well.

The vulnerabilities, CVE-2023-27350 and CVE-2023-27351, allowed remote code execution and information disclosure.
PaperCut fixed these vulnerabilities and urged administrators to update their servers.

Our trusted pal Microsoft now came forth, attributing these attacks to the Clop and LockBit ransomware gangs.

Although it’s unclear wether LockBit really had anything to do with it, or just profited of the Cl0p’s succes.

As always - if you haven’t already - make sure your applications are up-to-date.

If you’reusing PaperCut MF or NG, you should immediately update to versions 20.1.7, 21.2.11, or 22.0.9.

Web Skimming

An attack where the attacker injects malicious (JavaScript) code into a website and extracts data from an HTML form that the user filled in.

Like I said earlier, the most common scenario is the extraction of payment information from the shopping cart. Hence Magecart.

Anyone know where the mage part is coming from though?
Or did they just like the cool picture and decided to go with it?

I would.

The quick and dirty

• Google Bans 173,000 Bad Developers in 2022 - Infosecurity Magazine - I’d prefer they’d refer to them as ‘naughty’, just to spice things up

• Google will add End-to-End encryption to Google Authenticator - that and being able to back-up 2fa to the cloud. Good stuff, Google.

• New Atomic macOS Malware Steals Keychain Passwords and Crypto Wallets - mAc HaS FeWeR ViRuSeS

• Meme of the week