The cyber threat landscape and, in particular, the tools and techniques that criminals use to carry out their attacks evolves as quickly as any part of the information technology landscape. In addition, the re-use of tried and tested best practices by hackers is something that, frankly, legitimate business and their security teams could learn from.
The recent “web skimming” attack on early versions of the Magento e-commerce platform (here) should serve to remind us that criminals are not only investing their development efforts in the specific techniques used to attack us but, also, in their ability to scale these techniques to affect more targets.
In the recent attack on Magento software, we saw the well-known “Magecart” software used to “scrape” payment card industry (PCI) data (mostly credit and debit card details) from online stores. This is nothing new, you will probably remember the British Airways and Ticketmaster sites hacks (and associated GDPR fines) back in 2018. What is new, however, is the scale at which this attack was carried out.
This time around, the Magecart attacks affected nearly 2,000 online stores around the world. The criminals hacked online store websites, either via a common vulnerability or stolen credentials (yet to be determined – there is a rumor on the dark web of a new “zero-day” exploit in play here) and then injected the sites with the Magecart “web skimmer”, which exfiltrates personal and banking information entered by customers during the online checkout process.
The fact that this was carried out at scale is the important take-away here, particularly for cyber insurers. Use of automation software is becoming an important trend in cyber crime. Various attack types are now assisted using automation including “at scale” phishing attacks and automated use of exploit kits to hunt new operating system vulnerabilities. As cyber criminals automate more of what they do, cyber defenders are going to need to do the same and speed up processes such as threat hunting, breach response and forensics through the adoption of automation technology.
The recent “mass web skimming” seen at online stores should be a warning to all. What used to attack us as individual businesses will start to attack companies en-masse, leading to accumulation of risk, potentially across different business sectors. Insurers should be working with their clients to understand single points of failure (such as Magento) and maturity levels in cyber security. There are some old lessons to be learned here too, particularly concerning system patching, identity protection and keeping systems up to date with the latest versions of critical software (it is estimated that around 100,000 online businesses are still using the very vulnerable v1.x version of Magento software).
The automation trend in cyber crime will not slow down now. This and other attacks are proving to be successful for criminals and each attack, whether it is successful or not, provides criminal gangs with lessons learned. I would rank automation as one of the key emerging risks for cyber insurers and security teams in the coming years.
