2. About
• A security professional with diverse experience in IT Security & Vulnerability Management solutions in Enterprise & Cloud environments
• Currently working for a retail major as a Security Architect, ensuring governance of security measures for an e-commerce platform
3. Outline
• Context and Introduction
• Threat Actors and Modus Operandi
• Challenges and Countermeasures
4. The Nation Wants To Know…
WHAT: 17,000 domains compromised, July 2019
WHO: Cybercriminals (Magecart)
WHY: Misconfigured Amazon S3 buckets (WRITE permission)
HOW: JavaScript-based payment card-skimming code is written over existing JavaScript files in the bucket
WHO (victims): FILA, British Airways, Feedify
Source: https://www.riskiq.com/blog/labs/magecart-amazon-s3-buckets
9. Threat Vectors
The “How” of Digital Skimming
- Misconfigured S3 Buckets
- Compromise of Third-party Components / Plugins
- Outdated or Unpatched Versions of Software
- Application Vulnerabilities (SQLi)
10. Threat Actors
Attack Patterns & Signatures
- Groups 1, 2 & 3: Automated spray & pray attacks
- Group 4: Obfuscation & stealth
- Group 5: Hacks third-party suppliers
- Group 6: Extremely selective, top-tier targets
11. Challenges
• Lack of visibility into online resources
• Dependency on third parties
• Diversity of attack types: obfuscation, bitcoin miners, noisy techniques
• Detection is difficult
12. Countermeasures
• JavaScript controls: inventory, reduction & hosting
• Hardening procedures: patching, 3rd-party plugins, 2FA
• Process & policy: vendor evaluation, monitoring, control of code changes
• WAF, Firewalls, IDS & IPS are ineffective
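Added example, not from the deck: a small Python audit that ties the slide-4 root cause (bucket writable by everyone) to the slide-12 monitoring countermeasure. It flags ACL grants and bucket-policy statements that let any principal overwrite hosted objects such as JavaScript files. The function names are mine; the sample ACL and policy are constructed in the shape boto3's get_bucket_acl() returns and of a parsed policy document, with placeholder owner ID and bucket name.

```python
import fnmatch
# ACL group URIs meaning "everyone" (AllUsers) or "any AWS account" (AuthenticatedUsers)
PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
WRITE_PERMS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
# Policy actions that let a caller replace hosted objects or change who may do so
WRITE_ACTIONS = ("s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject",
                 "s3:PutBucketAcl", "s3:PutBucketPolicy")

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def _is_any_principal(principal):
    # Principal may be "*" or {"AWS": "*"} / {"AWS": ["...", "*"]}
    return principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS")))

def public_write_findings(acl, policy):
    """Return one finding per ACL grant or policy statement that lets anyone write."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS
                and grant.get("Permission") in WRITE_PERMS):
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"ACL grants {grant['Permission']} to {group}")
    for idx, stmt in enumerate((policy or {}).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_any_principal(stmt.get("Principal")):
            continue
        # IAM action names match case-insensitively and may use wildcards (s3:*, s3:Put*)
        patterns = [p.lower() for p in _as_list(stmt.get("Action"))]
        matched = [a for a in WRITE_ACTIONS
                   if any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)]
        if matched:
            note = " (conditional; review the Condition block)" if "Condition" in stmt else ""
            findings.append(f"policy statement {idx} lets any principal {', '.join(matched)}{note}")
    return findings

# Constructed samples in the shape boto3's get_bucket_acl() returns and of a parsed
# bucket policy document; owner ID and bucket name are placeholders
SAMPLE_ACL = {"Owner": {"ID": "placeholder-owner-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "placeholder-owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "WRITE"}]}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::placeholder-bucket/*"},
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ["s3:Put*"],
     "Resource": "arn:aws:s3:::placeholder-bucket/*"}]}
```

Running public_write_findings(SAMPLE_ACL, SAMPLE_POLICY) reports the AllUsers WRITE grant and the wildcard Put* statement while leaving the public GetObject statement alone; in practice feed it the live ACL and policy for each bucket that hosts front-end JavaScript.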
14. Conclusion
• Build defenses against known attack patterns and watch out for the unknown
• Collaborative sharing between impacted organizations, security researchers and law enforcement