Magecart malware merrily sipped card details, evaded security scans on UK e-tailer Páramo for almost 8 months

Tuesday 19th May 2020 10:03 GMT JakeMS

Wait

How did they not notice this?

Websites which collect card data (my own incl) deploy many security methods to ensure precisely this does not happen.

One of the many methods that we (and most others) use is an Intrusion Detection System (In my case, as a small business owner, Tripwire on Linux), this monitors for filesytem changes, including monitoring the websites files.

This means, if a PHP file is edited, via an exploit or other hack then that file will immediately flag up on the IDS.

This hack absolutely should have been spotted immediately on their IDS, how did they miss this for so long?

4 0 Reply
1. Tuesday 19th May 2020 10:12 GMT <script>alert('the register');</script>
  
  Re: Wait
  
  A website that only has around 3,500 customers in the space of 8 months probably isn't being updated anywhere near as much as you'd hope.
  
  8 0 Reply
2. Tuesday 19th May 2020 10:14 GMT IGotOut
  
  Re: Wait
  
  It's seems they may of doing the right thing and employing an outside company to check out their systems.
  
  So the question is why didn't they pick it up?
  
  3 1 Reply
  1. Tuesday 19th May 2020 11:49 GMT Captain Scarlet
    
    Re: Wait
    
    The issue here appears to be when Paypal is called, so unless the company is doing test orders and clicking Paypal the js is never loaded (Services like Qualys WAS).
    
    If the sourcecode files are scanned, as its offsite the scanner has to scans this external URL (I don't know if there is such an app or service to support this?).
    
    2 0 Reply
3. Tuesday 19th May 2020 12:20 GMT Steve 53
  
  Re: Wait
  
  To be fair, they're using Paypal, not processing their own cards. The expectation is that paypal will take care of the security / PCI-DSS as the retailer will never handle to card details. Frankly Paypal shouldn't be offering the option to load in an iFrame - ie an environment they don't control the Javascript for
  
  5 0 Reply
4. Tuesday 19th May 2020 13:29 GMT Anonymous Coward
  
  Re: Wait
  
  An IDS can do many things. However if the file in question was loaded via a path thats not scanned by the IDS, or was uploaded via a method thats legitimate, or was using an exploit that there were no signatures available for at the time of exploit it would never have been able to pick it up. No security system is infallable. You can't just drop in a firewall and/or an IDS and say there you go, we're all secure. Given that there is no detail as to how this malicious code was uploaded to the site in question all we can do is speculate, what we do know however is the compliance company missed this at least twice. I'm guessing that the company in question is conducting a forensic investigation to understand how this happened but I'd be surprised if they release that information to the public.
  
  2 0 Reply
  1. Tuesday 19th May 2020 13:58 GMT JakeMS
    
    Re: Wait
    
    It sounds like it was a php file that was put or edited on their server, you can easily configure an IDS to detect this.
    
    The website files should be monitored, so that - any - file edited, removed or added is noticed. There is no reason this cannot be done. I do this on my website. Tripwire knows the website paths (along with being tailored to the system files).
    
    Even adding product images trips it in the images category and gives me a list of images added.
    
    If our custom stripe integration is touched in anyway tripwire will see it.
    
    Put bluntly, If someone can upload a file to your site, without your knowledge then your environment is not secure enough to collect card data.
    
    2 0 Reply
Tuesday 19th May 2020 10:23 GMT Headley_Grange

Quarterly

I'm no expert in this, but is a quarterly check normal/adequate for this level of security?

2 0 Reply
1. Tuesday 19th May 2020 11:00 GMT mikepren
  
  Re: Quarterly
  
  Given that it was operating over 8 months and hence I assume two scans, I'd suggest the frequency wasn't the issue.
  
  To be fair to the scanning company, you need to understand the terms of reference they were engaged on.
  
  2 0 Reply
2. Tuesday 19th May 2020 12:07 GMT Version 1.0
  
  Re: Quarterly
  
  Regular checks are normal but the malware is probably designed to not be seen in a casual check unless someone downloads everything and walks through the code line by line and understands it. The people designing the malware are not stupid; yes they are criminals but this is the Internet, it's common.
  
  The real question is, so we've found this one - how many more are there out there?
  
  2 0 Reply
Tuesday 19th May 2020 10:58 GMT Anonymous Coward

I had no idea they had an online shop...

I'd have thought most people buying Paramo clothing would (under normal circumstances) be buying from physical stores. If you're paying their prices, it's nice to know the coat will fit. (Saying that, I doubt they've sold very much at all in the last couple of months, given that it's for use out on the hills....)

Paramo is like marmite... you either love their stuff, or you hate it. For the record, I'm in the "love it" camp, but my wife hates it and prefers Goretex coats. (Paramo optimises breathability of the fabric whilst keeping it waterproof(ish), Goretex optimises the waterproofness whilst making it breathable(ish). Different people want different things in a coat for use when out on the hills - I owned a Goretex waterproof for a while and didn't find it to be much more breathable than a £15 pac-a-mac.

6 0 Reply
1. Tuesday 19th May 2020 12:07 GMT Headley_Grange
  
  Re: I had no idea they had an online shop...
  
  I love it. I use it for cycling and hiking. Its the most breathable kit I've got and I've never got wet wearing it - even after long, wet days out in the Lakes and Scotland. Only downside is that it's a bit heavy, although it can double up as a fleece. They also make law-of-physics defying tee-shirts that either keep you warm or cool simply by turning them inside out. I was sceptical, but the bloke in the shop told me I could bring it back any time in the next 6 months if it didn't work; I've still got it and it works - the only downside being that it gets stinky very quickly.
  
  Luckily I bought my stuff from the shop cos, as you say, it's expensive and it's nice to get a good fit.
  
  4 1 Reply
Tuesday 19th May 2020 23:25 GMT Paul

I guessed it would be php

Before I even started reading this I thought "bet it's php" and I was right

2 0 Reply
Wednesday 20th May 2020 03:08 GMT Anonymous Coward

Javascript again

Why does the card application permit 3rd party Javascript?

1 0 Reply
1. Wednesday 20th May 2020 06:51 GMT Mike 137
  
  Re: Javascript again
  
  Why indeed is any client side processing performed on a card data capture page? A pure HTML form using POST over TLS should be sufficient to collect the data, with all processing server side. Client side processing is open to tampering and always has been.
  
  2 0 Reply
Thursday 21st May 2020 23:38 GMT JCitizen

PayPal??

Why would PayPal use a CVV code? Maybe they were directing PayPal to use a credit card on record at PayPal? Seems like using PayPal credit should have solved most of the problem - at least of getting any funds.

If they can attack a PayPal credit transaction like this without using a credit card, you would be better off using something like the browser app downloaded from Capitol One, that assigns payment to only the retail store you are doing business with. If the crook tries to use the same card data, even with the CVV code,l it will not work and the crook loses. I believe it is called Eno ®

There are several credit cards with similar features, and even a free well known web site that lets you create a single transaction credit file for doing the same thing. The URL escapes me at the moment, but any web search would easily turn it up.

0 0 Reply