There’s a good reason web administrator credentials sell for over $3,000 on fraudster forums: they are highly valuable to fraudsters. It’s imperative for merchants and any organization with an online presence to keep theirs safe, now more than ever, as fraudsters have found clever ways to hide credential-stealing malware that compromises customer and website user data.
A website is your digital real estate. It’s often where an organization makes its first impression and sets the tone for the relationship it will have with a site user. It influences whether that user becomes a customer or a bounce statistic. Bad first impressions mean lost sales, but a website taken over and infected with malware causes severe brand damage.
While organizations carefully plan and curate the content on their websites, fraudsters can destroy this rather quickly by defacing the site or planting malware to infect visitors. Websites and web domains are popular targets because legitimate sites can be taken over and used to spread malware. A recent study from Digital Shadows examined fraudster forums and marketplaces and found that some of the highest-priced credentials for sale were those belonging to web domain admin accounts, which had an average sale price of $3,139. Once fraudsters take over a website, here are some of the things they can do:
Website redirects range from efforts to troll an organization to spreading malware. When a web user intends to access an organization’s legitimate website, whether by typing the URL directly, clicking a link or using a web search, they are sent to some other site instead. Sometimes fraudsters just want to wreak havoc or embarrass the targeted organization; in these cases the redirect can take users to an adult site, or to the website of a competitor or of an organization with conflicting political or social views.
Fraudsters with more malicious intent use redirects to spread malware or to host a pharming site. The site a web user is redirected to may mimic the real site while hosting malware and attempting to install it on the user’s device. In sophisticated attacks it can be an exact replica of the target site that pitches the malware as something the user would want to accept, such as a cookie-consent dialog or a link to claim a coupon. If the site doesn’t host malware directly, it may replicate the legitimate site and lure the user to log in, stealing their credentials.
Fraudsters who employ these tactics don’t want the real site administrator to know. Sometimes they design the redirect to fire only when a user arrives from a search engine, not when someone visits the URL directly. This is because employees and web admins are more likely to reach their organization’s website from their favorites or bookmarks bar, or by typing the URL in directly, than through Google or another web search service.
Rather than redirecting to a malicious site, fraudsters might hide and host malware on the merchant’s or organization’s website directly. Every visitor is then targeted with malware that either prompts for installation or installs automatically. If a prompt is required, it can be dressed up as something else, such as a pop-up or dialog box offering a coupon. The malware may help fraudsters build out a botnet, install spyware, or deliver any number of other malicious applications.
Malwarebytes has recently found malicious code hidden within image file metadata that captures the contents of all input fields, such as name, address, payment card number and CVV, and sends them to servers controlled by the fraudsters. These are referred to as web skimmers or digital skimmers. Fraudsters take measures to keep these malicious bits of code hidden, leaving no other trace of their intrusion on the website.
This type of attack has the potential to cause large-scale brand damage. If undetected, thousands of customers can have their credentials compromised just by shopping on an eCommerce merchant’s site. Eventually card issuers will trace all of their compromised cards back to the merchant as the source of the breach, and a PR nightmare is likely to ensue.
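As an added example (not code from the original article or from Malwarebytes), the following Python check walks a JPEG’s metadata segments and flags any that carry script-like text, the kind of hiding place the skimmer described above used. The indicator list and the two sample images are constructed assumptions for illustration.

```python
import re
from typing import Dict, List

# Markers that introduce metadata segments: APP0-APP15 and COM.
METADATA_MARKERS = {m: f"APP{m - 0xE0}" for m in range(0xE0, 0xF0)}
METADATA_MARKERS[0xFE] = "COM"

# Script-like substrings that have no business inside image metadata
# (an assumed indicator list; extend it for your own environment).
SCRIPT_INDICATORS = re.compile(
    rb"<script|eval\(|atob\(|fromCharCode|document\.|XMLHttpRequest|"
    rb"fetch\(|querySelectorAll|addEventListener",
    re.IGNORECASE,
)

def iter_jpeg_segments(data: bytes):
    """Yield (marker, offset, payload) for each segment before SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xDA:  # SOS: entropy-coded image data follows, stop
            return
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        yield marker, pos, data[pos + 4:pos + 2 + length]
        pos += 2 + length

def scan_jpeg_metadata(data: bytes) -> List[Dict]:
    """Return one finding per metadata segment holding a script indicator."""
    findings = []
    for marker, offset, payload in iter_jpeg_segments(data):
        name = METADATA_MARKERS.get(marker)
        match = SCRIPT_INDICATORS.search(payload) if name else None
        if match:
            findings.append({"segment": name, "offset": offset,
                             "indicator": match.group(0).decode("latin-1")})
    return findings

def _segment(marker: int, payload: bytes) -> bytes:
    """Build one JPEG segment: marker, 2-byte length (incl. itself), payload."""
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload

# Constructed samples: minimal JPEG skeletons (SOI, APP0, one metadata
# segment, empty SOS, EOI). The tampered one hides script text in EXIF.
_HEAD = b"\xff\xd8" + _segment(0xE0, b"JFIF\x00\x01\x01")
_TAIL = b"\xff\xda\x00\x02\xff\xd9"
CLEAN_JPEG = _HEAD + _segment(0xFE, b"Created with constructed editor") + _TAIL
TAMPERED_JPEG = _HEAD + _segment(0xE1, b"Exif\x00\x00UserComment: eval(atob('...'))") + _TAIL
```

Run it over images in an upload directory or a web root as part of a content-integrity check; a hit is a reason to pull the file and compare it against the known-good copy.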