Q&A: Researcher who found ABS-CBN breach on detecting skimmers
MANILA, Philippines – Last Wednesday, September 19, a report came out that the ABS-CBN and the UAAP online stores have been the victim of a major hacking scheme.
A malware was embedded on the websites, which harvested credit card data upon user checkout.
The malware had been on the website on or before August 16, 2018 (the date of the most recent update), meaning that it had been harvesting data for at least a month before being discovered by De Groot.
That also means that for at least a month, the malware went undetected, unfettered from doing its nasty work. How was it embedded in the first place? How come something like that can go undetected for a period of time? Is there anything a user can do to detect if something is awry by themselves? In an email interview, De Groot offers a few answers to these questions.
Q: How are these things embedded onto websites? By theory, they're almost like physical skimmers being attached onto ATM machines.
Willem De Groot: Exactly. Criminals break into a store, usually by "guessing" the administrator password (they automatically try millions of possible passwords during several months). And then they add their hidden skimmer.
Q: Are there ways for people to know that an e-commerce site might have been the victim of such a malware injection? Are there signs to look out for?
WDG: For regular users it is quite impossible to detect. Even experienced developers have to know what to look for.
Because nobody notices, many e-commerce sites get hacked and then silently fixed after a couple of months. People generally won't know about it. According to my own research, one in three online stores has been hacked at least once since 2015.
My advice for online shoppers: assume that everything you do online, will get leaked eventually. So don't shop online for privacy-sensitive items.
Q: What is the point then of https if there's a way that seems so simple in order to circumvent it?
WDG: Https protects against other classes of attack, but it isn't a solution to everything, clearly.
Q: How come a third-party entity such as yourself can spot a malware while those who actually run the website seem to have missed it? If you hadn't found it – as in the case of many other at-risk e-commerce sites – the malware could have gone undetected for a longer period of time, and put more customers at risk.
WDG: Well, I do make a living researching and discovering new malware. I guess the ABS-CBN people [haven't] allocated enough resources to replicate this effort. However, I sell my research to large organizations who use it to protect their customers.
Q: Is it normal that malware like this could go undetected for this amount of time? Or could the site administrators have done more and been more vigilant? Do you think they could have detected the ABS-CBN malware faster than you did had there been certain cybersecurity measures or processes in place – or are these schemes just too clever now for even the big companies?
WDG: No site is 100% secure, but there are certain measures to make it harder for attackers. In this case, it would have helped to enforce strong passwords, apply all security patches and subscribe to threat intelligence such as my research.
Q: What's the skimming success rate of the malware you discovered in the ABS-CBN store? Do these skimmers usually have a 100% success rate? Did every transaction net credit card info for the skimmer?
WDG: Every customer who paid with credit card had their card transmitted to Russia. I cannot remember if they offered other payment methods. [If they did], they were possibly exempted from the fraud.
Q: You said that most e-commerce site breaches are silently fixed without people knowing of the hack. This seems worrying. What do you think of this certain lack of transparency?
WDG: I think ABS-CBN did act quick and professionally after they learned of the compromise. They set a good example for other e-commerce ventures who are confronted with a breach.
For other cases however, there is a reason that – for example, the new European GDPR laws contain such a hefty maximum penalty for culpable privacy breaches.
It is very hard or impossible to track offenders, so law enforcement has to use scare tactics. – Rappler.com