- ARJUN B.M.
The Art of Exfiltration
DIGITAL SKIMMING
About
• A security professional with diverse experience in IT Security &
Vulnerability Management solutions in Enterprise & Cloud environments
• Currently, working for a Retail major as a Security Architect ensuring
governance of security measures for e-commerce platform
Outline
• Context and Introduction
• Threat Actors and Modus Operandi
• Challenges and Countermeasures
The Nation Wants To Know…
WHAT: 17000 domains compromised, July 2019
WHO: Cybercriminals (Magecart)
WHY: Misconfigured Amazon S3 buckets (WRITE permission)
HOW: JavaScript-based payment card-skimming code is written over the existing JavaScript files in the bucket
WHO (affected): FILA, British Airways, Feedify
Source: https://www.riskiq.com/blog/labs/magecart-amazon-s3-buckets
[Figure: attack flow, reconstructed from the slide's labels]
1. Attacker scans for vulnerable websites and inserts malicious JS code into the e-commerce website.
2. Online user enters payment card details on the checkout page to make an online purchase.
3. The injected JS code steals the payment card information and sends it to an attacker-controlled server.
4. Monetization: reshipping via mules; selling the data to other cybercriminals.
Anatomy of a Digital Skimmer
Threat Vectors
The “How” of Digital Skimming
- Misconfigured S3 Buckets
- Compromise of Third-party Components / Plugins
- Outdated or Unpatched Versions of Software
- Application Vulnerabilities (SQLi)
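The first vector on this list, a bucket that anyone can write to, is the one behind the July 2019 campaign cited earlier. The following Python script is an added example and not part of the talk: it audits a bucket's ACL and bucket policy, in the shape that boto3's get_bucket_acl and get_bucket_policy return them, for grants that let AllUsers or AuthenticatedUsers, or a Principal of "*", write objects. The ACL, policy and bucket name below are constructed samples; no AWS call is made.

```python
"""Flag S3 bucket permissions that let anonymous or any-account principals
write objects, the misconfiguration that lets a skimmer overwrite hosted JS.
Added example, not from the talk. Inputs are constructed to mirror the dicts
boto3's get_bucket_acl() / get_bucket_policy() return; nothing is fetched."""
import json

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
WRITE_PERMISSIONS = {"WRITE", "FULL_CONTROL"}
# Policy actions that allow creating or replacing objects (compared case-insensitively).
WRITE_ACTIONS = {"s3:putobject", "s3:deleteobject", "s3:*", "*"}


def acl_findings(acl: dict) -> list:
    """ACL grants that give a public group write access to the bucket."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        group = PUBLIC_GROUPS.get(grantee.get("URI", ""))
        if grantee.get("Type") == "Group" and group and grant.get("Permission") in WRITE_PERMISSIONS:
            findings.append(f"ACL grants {grant['Permission']} to {group}")
    return findings


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal) -> bool:
    """Principal "*" or {"AWS": "*"} means any caller, anonymous included."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_findings(policy_json: str) -> list:
    """Allow statements for everyone that include a write action.
    A Condition block may narrow such a statement; it is still flagged for review."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _principal_is_everyone(stmt.get("Principal")):
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action.lower() in WRITE_ACTIONS:
                findings.append(f"policy allows {action} to Principal * on {stmt.get('Resource')}")
    return findings


def audit_bucket(acl: dict, policy_json=None) -> list:
    """Combined findings; policy_json is None when the bucket has no policy."""
    return acl_findings(acl) + (policy_findings(policy_json) if policy_json else [])


# Constructed sample data (hypothetical bucket "example-static-assets").
SAMPLE_ACL = {
    "Owner": {"ID": "EXAMPLE_OWNER_ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE_OWNER_ID"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "WRITE"},
    ],
}
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-static-assets/*"},
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ["s3:PutObject"],
         "Resource": "arn:aws:s3:::example-static-assets/js/*"},
    ],
})

if __name__ == "__main__":
    for finding in audit_bucket(SAMPLE_ACL, SAMPLE_POLICY):
        print("FINDING:", finding)
```

Public READ on a static-asset bucket is expected and not reported; only grants that allow changing the hosted files are. The same functions can be fed the live results of a boto3 client's get_bucket_acl and get_bucket_policy calls for every bucket in an account.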
Threat Actors
Attack Patterns & Signatures
- Group 1, 2 & 3: Automated spray & pray attack
- Group 4: Obfuscation & Stealth
- Group 5: Hacks third-party suppliers
- Group 6: Extremely selective top-tier targets
Challenges
• Lack of visibility into online resources
• Dependency on third parties
• Diversity of attack types: obfuscation, bitcoin miners, noisy techniques
• Detection is difficult
Countermeasures
• JavaScript Controls: inventory, reduction & hosting
• Hardening Procedures: patching, 3rd party plugins, 2FA
• Process & Policy: vendor evaluation, monitoring, control code change
• WAF, Firewalls, IDS & IPS are ineffective
Countermeasures
• Website Configuration Settings: CSP, SRI, HTTPS, iFrame
CSP HEADER
Content-Security-Policy: script-src https://example.com/
Content-Security-Policy: require-sri-for script;
SRI
<script src="https://example.com/example-framework.js"
        integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"
        crossorigin="anonymous"></script>
(crossorigin is needed for the browser to verify the integrity of a script loaded from another origin)
iFRAME
X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
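The two JavaScript-side controls on these slides, an inventory of the scripts a page loads and SRI on the external ones, are worth automating, because require-sri-for was only ever an experimental directive and current browsers do not enforce it. The Python script below is an added example, not code from the talk: it parses a checkout page, lists every script tag, flags third-party scripts that lack an integrity attribute (or have one without crossorigin, which makes the browser refuse a cross-origin script), derives a script-src allowlist from the hosts it found, and computes and verifies the sha384 integrity value for a script body. The HTML, hostnames and script body are constructed samples.

```python
"""Inventory <script> tags, check SRI coverage, derive a script-src allowlist
and compute/verify integrity values. Added example, not from the talk; the
page, hosts and script body are constructed."""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


class ScriptInventory(HTMLParser):
    """Records src, integrity and crossorigin for every <script> tag."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        a = dict(attrs)
        self.scripts.append({"src": a.get("src"), "integrity": a.get("integrity"),
                             "crossorigin": a.get("crossorigin"), "inline": a.get("src") is None})


def inventory(html: str) -> list:
    parser = ScriptInventory()
    parser.feed(html)
    return parser.scripts


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Integrity value in the form the browser expects: '<algo>-<base64 digest>'."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def verify_sri(body: bytes, integrity: str) -> bool:
    """True if any space-separated token of the integrity attribute matches the body."""
    for token in integrity.split():
        algo = token.partition("-")[0]
        if algo in SRI_ALGORITHMS and sri_hash(body, algo) == token:
            return True
    return False


def findings(html: str, first_party: str) -> list:
    """Third-party scripts that would load even if their content were replaced."""
    out = []
    for s in inventory(html):
        if s["inline"]:
            continue
        host = urlparse(s["src"]).netloc  # '' for relative (first-party) URLs
        if host and host != first_party:
            if not s["integrity"]:
                out.append(f"{s['src']}: third-party script without integrity")
            elif s["crossorigin"] is None:
                out.append(f"{s['src']}: integrity present but crossorigin missing")
    return out


def script_src_directive(html: str, first_party: str) -> str:
    """CSP script-src allowlist built from the hosts the page actually loads from."""
    hosts = {first_party}
    for s in inventory(html):
        if not s["inline"]:
            host = urlparse(s["src"]).netloc
            if host:
                hosts.add(host)
    return "Content-Security-Policy: script-src " + " ".join("https://" + h for h in sorted(hosts))


# Constructed sample: a hypothetical checkout page on shop.example.com.
SAMPLE_SCRIPT = b"console.log('example framework');\n"
SAMPLE_HTML = f"""<html><head>
<script src="/static/checkout.js"></script>
<script src="https://cdn.example.net/example-framework.js"
        integrity="{sri_hash(SAMPLE_SCRIPT)}" crossorigin="anonymous"></script>
<script src="https://analytics.example.org/tag.js"></script>
<script>window.dataLayer = [];</script>
</head><body></body></html>"""

if __name__ == "__main__":
    for f in findings(SAMPLE_HTML, "shop.example.com"):
        print("FINDING:", f)
    print(script_src_directive(SAMPLE_HTML, "shop.example.com"))
    print("framework hash ok:", verify_sri(SAMPLE_SCRIPT, sri_hash(SAMPLE_SCRIPT)))
```

Run against the sample page, the analytics tag is the only finding: the first-party script is out of scope for SRI, and the CDN framework is pinned and loaded with crossorigin. Re-running the inventory on every deploy and diffing the output is the cheapest way to notice a new or changed script host on a payment page.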
Conclusion
• Build defenses against known attack patterns and watch
out for the unknown
• Collaborative sharing between impacted organizations,
security researchers and law enforcement
Thank you
arjun.bm@target.com