Research Saturday 12.21.19
Ep 114 | 12.21.19

Inside Magecart and Genesis.

Transcript

Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire's Research Saturday, presented by Juniper Networks. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Dave Bittner: [00:00:25] And now a quick word about our sponsor, Juniper Networks. NSS Labs gave Juniper its highest rating of "Recommended" in its 2019 Data Center Security Gateway Test. To get your copy of the NSS Labs report, visit juniper.net/SecureDC, or connect with Juniper on Twitter or Facebook. That's juniper.net/SecureDC. And we thank Juniper for making it possible to bring you Research Saturday.

Dave Bittner: [00:00:57] And thanks also to our sponsor, Enveil, whose revolutionary Zero Reveal solution closes the last gap in data security: protecting data in use. It's the industry's first and only scalable commercial solution enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search, and perform calculations on sensitive data, all without ever decrypting anything – all without the risks of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at enveil.com.

Dan Woods: [00:01:38] So, Magecart is really a word that is used to describe just a whole category of criminal organizations that skim credit card information from the payment pages of websites.

Dave Bittner: [00:01:49] That's Dan Woods. He's VP at Shape Security's intelligence center. Before joining Shape Security, Dan served as Assistant Chief Agent of Special Investigations at the Arizona Attorney General's Office, and prior to that, twenty years in Federal law enforcement with the CIA and the FBI.

Dan Woods: [00:02:05] The way it works is any time your browser loads a payment page – you know, and this is the page where you enter your name, your billing address, your credit card number, expiration, CVV and so on – there's a lot of JavaScript that loads in the background. Some of these payment pages have, you know, ten, fifteen, twenty different JavaScript files that all load. What Magecart refers to is the criminal organizations' attempt to modify one or more of those JavaScript files, so that when it's loaded it is doing something malicious. Specifically, it is taking all the information entered into the payment page and serializing it into an array, and then sending it to some drop site where the criminal organization can then exploit it. So it's really just making changes to the payment page, to the JavaScript, that the owners of the website aren't aware of. And over time, as customers enter in their payment information into that payment page, it is siphoned off and sent to the criminal organization for exploitation.

Dave Bittner: [00:03:21] And so the payment page itself continues to function as the owner expects it would?

Dan Woods: [00:03:27] It does. In fact, even if you looked at the JavaScript being loaded, the criminal organizations have gone to great lengths to make sure that their JavaScript, their changes to that JavaScript, kind of blend in with the existing JavaScript. And we're talking about twenty, twenty-five lines of code. It's not much

Dave Bittner: [00:03:46] Yeah.

Dan Woods: [00:03:46] And, like, the drop site where they will send this information will oftentimes closely parallel the victim website. So, in the British Airways example, you know, "BritishAirways" is their domain or is the website, and the drop site was BAways[.]com. So, victim after victim after victim, the URL of the drop site tries to closely match that of the victim organization, so it takes a really trained eye to look at those JavaScript files and identify that malicious changes have been made.

Dave Bittner: [00:04:25] And by what methods are they going in and making the changes to the JavaScript files?

Dan Woods: [00:04:30] Well, oftentimes these JavaScript files are created by third parties and even hosted by third parties. So they'll attempt to compromise those third parties. So, in the British Airways example, I think it was a JavaScript file served by something called "Modernizr" that they were able to make changes to. So then when the British Airways site loaded that JavaScript file, it also loaded the changes that the criminal organization introduced. So, not making changes to the British Airways infrastructure, but to third parties that the British Airways infrastructure relies upon.

Dave Bittner: [00:05:09] Now, when someone who has fallen victim to this finds out that their website has been compromised, how does that usually play out? What are – are there indications? At what point do they know they have a problem?

Dan Woods: [00:05:24] Well, you know, it depends on the level of attention that these organizations are paying to their runtime environment. There's an organization, Clarity Connect, that was also targeted by Magecart. The administrators noticed that the changes had been made to the JavaScript file, so they removed it. And then they were subsequently added again, and they removed it again. So, what happened is the bad actor sent a message to the administrators – something like, "if you will delete my code one more time, I will encrypt all your sites, you very bad admins."

Dan Woods: [00:06:02] So, you know, it all depends on the level of attention that the victim site is paying to the runtime environment. So, the lesson here, if you're going to protect herself from Magecart, you need to monitor your runtime environment. And if there are any changes, then alerts need to be fired so people can look at those changes and make sure they're authorized.

Dave Bittner: [00:06:26] Can we dig into that a little bit? Can you describe to us – what does that process entail?

Dan Woods: [00:06:31] Well, what happens is, you know, Magecart and other malware like it – they must, you know, hook into the same browser APIs that the legitimate developers do. So when they do that, they're creating a signal or an anomaly that are detectable, but you have to be looking for it in order to detect it.

Dave Bittner: [00:06:50] And is that some of the types of tools that you provide at Shape?

Dan Woods: [00:06:55] Indeed. Right. Anything that negatively impacts our customers, these are problems that we are attempting to solve, including protection against Magecart and malware like it.

Dave Bittner: [00:07:05] Well, let's move on to Genesis. Can you give us a description? What are we dealing with here?

Dan Woods: [00:07:10] Yeah, Genesis is an online marketplace. It's not even on the dark web. It's – anybody can point their browser to it. And it's meant to defeat the "we don't recognize your device" countermeasure that is implemented using browser fingerprinting. And I'm sure you've encountered that before when you go to log into your bank from a new browser, it says, you know, we don't recognize your browser, we don't recognize your device. And then a second factor of authentication is typically triggered.

Dan Woods: [00:07:39] Well, fraudsters, you know, that's an obstacle to them. So they've come up with, you know, a way of circumventing that. So what happens is you have malware that is sitting on a victim's machine, and it's collecting not just usernames and passwords, but it's collecting all the attributes that are used to generate browser fingerprints. So, things like, you know, browsing history, screen size, cookies – a lot of the attributes that a browser fingerprinting countermeasure would use to generate that browser fingerprint is all being collected by the malware and sent up to the Genesis marketplace.

Dan Woods: [00:08:17] And then a bad actor will use a Chromium-based browser and a Genesis security plugin. And what the Genesis security plugin will do is take all that information collected by the malware and turn the Chromium-based browser into a close replica of the victim's browser. You know, and there are probably the last time I checked over 180,000 of these – well, Genesis Marketplace calls them bots, but they're not really bots. It's kind of a misnomer. It's just a collection of usernames, passwords, and browser attributes, cookies, associated with a victim machine. And about 180,000 of these up there.

Dan Woods: [00:09:04] And that may not seem like a lot, but keep in mind, when you buy one, it is removed from the marketplace. And I've just randomly grabbed ten or twenty of these bots to see how long they stay on the marketplace, and they're typically gone within a few weeks, you know, sold to somebody. So, 180,000 of these so-called bots translates to millions of compromised machines collecting usernames, passwords, and browser attributes every few weeks. It's being kind of recycled throughout the marketplace.

Dave Bittner: [00:09:37] And so the notion here is that it's one step that they can use to try to circumvent, say, a call for a second factor in authentication.

Dan Woods: [00:09:47] That's correct. And it's pretty effective, meaning that the information that it collects from the victim's machine isn't just the information needed to generate a browser fingerprint. It has virtually everything about that environment that the bad actor needs in order to circumvent that countermeasure.

Dave Bittner: [00:10:12] And again, in terms of prevention, if I want to keep these sorts of bits of information from being harvested from my machine, what are your recommendations?

Dan Woods: [00:10:21] Well, you know, we protect our customers from Genesis by detecting it in the data that we collect. We know when Genesis is being used. But from an individual's perspective, how they protect themselves is simply by not clicking links arbitrarily. You know, a lot of this malware is installed as people are just, you know, visiting questionable sites, clicking links, downloading email attachments and executing them without being cautious. It's a tough problem to solve, because generally the typical user is rather careless when it comes to computer security countermeasures.

Dave Bittner: [00:11:03] You know, before I wrap up with you, I want to talk a little bit about some of your background. You have an interesting professional history. You spent time in the Arizona attorney general's office. You had a lot of a fraud investigation there. Can you take us through – what was that experience like?

Dan Woods: [00:11:21] Before the attorney general's office, I worked as an FBI agent in Washington, DC. And I loved that job. It was a great job. But there was always the risk that you could be transferred to a field office that wasn't conducive to your personal family life. What I liked about the attorney general's office, it was just like my job at the FBI – that is, I was investigating white collar crime and fraud and computer tampering, money laundering, the kinds of things I love to investigate – but there was no chance that I could be transferred to, you know, some other state. It was – I could just focus on my work and have a good family life.

Dave Bittner: [00:12:02] And so, what kinds of things were you tackling there, particularly in the cyber domain?

Dan Woods: [00:12:07] Well, a lot of the computer tampering cases that I investigated involved typically a rogue IT person who would exceed his or her access or authorized access in order to do something malicious. And then, you know, one thing that I learned early on in my career is that even though, you know, I'm an engineer by – a computer engineer by education, and oftentimes people say, you know, computer engineering and law enforcement don't seem to overlap, so why did you study computer engineering and then go into law enforcement? And it actually does overlap quite a lot. It isn't just computer tampering and computer hacking cases that require technical skills. I probably use my engineering education and my computer expertise on every single case, whether it be a drug case or, you know, it could have been a burglary, because oftentimes these cases involve digital evidence. And, like, a computer is seized and emails are extracted. So understanding email headers and how to geolocate somebody, understanding, you know, how useful or useless an IP address can be in attempting to identify the perpetrator. All of these things are important for virtually every type of investigation, not just computer crimes.

Dave Bittner: [00:13:35] Now, from your perspective, the time you spent in all those investigations, are there areas where you think people are generally falling short? I mean, do you have general advice from the time you spent sort of on the inside of those sorts of investigation – things that people should be doing that perhaps they're overlooking?

Dan Woods: [00:13:54] I think without fail, it's leadership's inability or unwillingness to give it the funding and the priority that is needed. It's typically not funded well, not staffed with experts because they don't want to pay for experts. And then they're victimized and they wonder why. And you can see this play out across – I mean, just read the papers and you'll see the people with the very best cybersecurity posture, with the best staff, are typically those who a few years earlier encountered huge breaches and lost, you know, hundreds of millions of dollars in brand value because of very public breaches. Unfortunately, people are waiting until there is a breach, until their customers are victimized, until their brand is damaged, before taking cybersecurity seriously.

Dave Bittner: [00:14:52] You know, I've heard in conversations I've had with other folks at the FBI that a lot of times it's been their experience that people are hesitant to reach out to the FBI or law enforcement – that, you know, they're embarrassed or they don't want the publicity. Do you have any insights there? Is that a a good line of thinking, or should they overcome that and reach out?

Dan Woods: [00:15:15] Well, I think they should overcome it and reach out. But FBI hasn't helped itself by, you know, those companies who do reach out, there is oftentimes, you know, public exposure of the information. So, FBI needs to do better at protecting the companies that are coming forward. And the companies need to, I think, come forward more often. So both are at fault there.

Dan Woods: [00:15:41] I think one thing that companies can do more of that they're not doing is reaching out to their victims. For example, we talked about Genesis and the malware collecting all of these usernames and passwords. Well, right now, what customers will do is just reset the password. Well, that's kind of a fool's errand, because there's malware on the victim's computer. The bad actor will just get the new password once the malware collects it. So, the better course of action is to reach out to the victim and say, hey, you have malware on one of your computers, you know, we'd like to get a copy of it so that we can understand it. We'd like to know, did you click on any links recently? Did you get any phishing emails or text messages? There's a lot of intelligence that could be gathered simply by reaching out to these victims, but nobody's doing it. They're just continuing to reset passwords and hope that, you know, the victim is is protected.

Dave Bittner: [00:16:46] Our thanks to Dan Woods from Shape Security for joining us.

Dave Bittner: [00:16:52] Thanks to Juniper Networks for sponsoring our show.

Dave Bittner: [00:16:55] You can learn more at juniper.net/security, or connect with them on Twitter or Facebook.

Dave Bittner: [00:17:01] And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at enveil.com.

Dave Bittner: [00:17:09] The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. The coordinating producer is Jennifer Eiben. Our amazing CyberWire team is Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.