How ManoMano Faces Security Threats with Our Do-It-Yourself Mindset?
E-commerce is growing at an unprecedented rate all over the world, and an overwhelming number of websites and apps now focus on it. With e-commerce, people can discover unique goods they will not find in big-box retail chains. Along with the rise of e-commerce business, attacks against the e-commerce industry have skyrocketed, all the more so as a business becomes well known. Private and public organizations are taking e-commerce security more seriously than ever, because any attack can have an impact on their business and on the trust their customers and sellers place in them. This is especially the case at ManoMano, where security will always be our top priority. The job of the security team is to know the enemy, find threats, and remediate them with excellence.
In this article, we will highlight the top security threats that an e-commerce company faces before diving into one of the dark corners of the web: the Genesis Store. Then, we will show how the malware behind Genesis extracts all the credentials from your favorite browser, and finally we will describe how the ManoMano security team discovers security issues and tackles them.
What are our top-4 security threats?
The top attack e-commerce companies suffer from is the Distributed Denial-of-Service attack (DDoS), which consists of flooding the servers with requests from thousands of untraceable IP addresses, making the service unavailable for several minutes or several hours. This can have devastating consequences for the business, especially during peak hours or special days like Black Friday. Before performing this attack, the attacker needs to build up a botnet, i.e. a set of infected computers or servers from which the requests are sent. The bigger the botnet, the bigger the impact.
Second comes credit card fraud; this old classic remains one of the most common security threats faced by e-commerce websites. Some crucial indicators for detecting fraud: a shipping address that differs from the billing address, many consecutive unsuccessful orders, and a customer address that differs from the billing address. Failure to detect fraud correctly leads to a high number of chargebacks to the provider or client and damages the trust between the provider, the customer, and the e-commerce company.
Third comes infection by malware, i.e. any piece of software designed by criminals to spy, eavesdrop on communications, gain otherwise restricted access, or cause damage. Although many malware infections are delivered by emails containing infected documents, direct drive-by downloads should not be underestimated. One malware family is particularly aggressive: ransomware, which encrypts all the files on the computer and demands a ransom. If the ransomware uses asymmetric encryption, recovering the files is not a simple process unless a proper backup system was set up prior to the infection. If there was no backup, the files are irremediably lost. It is worth noting that if the computer is synchronized with Google Drive using e.g. File Stream, all the files in the cloud will be encrypted as well. And believe us, people are ready to plug infected USB keys into their computer, which end up encrypting their Google Drive and asking for a ransom.
The last security threat in this top 4 stems from bots, which are used to crawl the web pages of an e-commerce website and scrape its prices on behalf of competitors, which subsequently allows the attacker to work out its pricing strategy and marketing plans. This is something we have noticed at ManoMano. Bots are also programmed to verify the validity of victims' stolen credentials and of stolen credit card numbers along with their CVV. If the credentials or credit card numbers are valid, the attacker can make a purchase on behalf of the victim or monetize the credentials by selling them on the web. The theft and sale of login details is a leading industry on the darker side of the web. We will focus on this threat, as it is rarely a high priority for security teams and is often overlooked. To illustrate it, ManoMano will share a unique experience: a special focus on the Genesis Store.
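The fraud indicators listed above can be encoded as simple rules. The following is an added example written for this article, not ManoMano's own fraud detection; the Order fields and the three-failure threshold are assumptions.

```python
"""Rule-based fraud indicators over constructed order records.
Added example: this is not ManoMano's fraud engine, and the threshold of
three consecutive failures is an assumption, not a value from the article."""
from dataclasses import dataclass


@dataclass
class Order:
    order_id: str
    customer_id: str
    billing_address: str
    shipping_address: str
    customer_address: str   # address registered on the customer's account
    succeeded: bool


def normalize(addr: str) -> str:
    """Compare addresses case-, comma- and whitespace-insensitively."""
    return " ".join(addr.lower().replace(",", " ").split())


def failed_streak(history, customer_id: str) -> int:
    """Consecutive unsuccessful orders at the end of this customer's history."""
    streak = 0
    for order in reversed([o for o in history if o.customer_id == customer_id]):
        if order.succeeded:
            break
        streak += 1
    return streak


def fraud_indicators(order: Order, history, max_failures: int = 3) -> list:
    """Return the indicators from the article that apply to `order`."""
    flags = []
    if normalize(order.shipping_address) != normalize(order.billing_address):
        flags.append("shipping_differs_from_billing")
    if normalize(order.customer_address) != normalize(order.billing_address):
        flags.append("customer_differs_from_billing")
    if failed_streak(history, order.customer_id) >= max_failures:
        flags.append("consecutive_failed_orders")
    return flags


# Constructed history: three failed attempts by one customer, then an order
# shipped somewhere other than the billing address.
HISTORY = [Order(f"o{i}", "c1", "1 Rue A, Paris", "1 Rue A, Paris",
                 "1 Rue A, Paris", False) for i in range(1, 4)]
SUSPECT = Order("o4", "c1", "1 Rue A, Paris", "2 Rue B, Lyon", "1 rue a  paris", False)

if __name__ == "__main__":
    print(fraud_indicators(SUSPECT, HISTORY))
```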
What is the Genesis Store?
The Genesis Store market (Genesis Store login page in Figure 2) is an invitation-only forum that, as of writing, lists a whopping 260 000 bots for sale. A Genesis Store bot is a computer that has been compromised and whose digital browser fingerprints, e.g. website credentials, are for sale. In other words, a person who purchases a bot gets the list of credentials associated with that bot, which can subsequently allow them to, for example, access a company's back office. Once a bot has been acquired, the buyer has exclusivity on it, i.e. no one else is able to buy the same bot. Depending on the privileges of the compromised accounts, an attacker might retrieve confidential information about the company.
Each bot comes with a unique bot ID, operating system, language, browser version, IP address, machine model, infection time, update time, stolen cookies, logins, country, and list of compromised domains (see Figure 3). To facilitate the use of stolen digital browser fingerprints, Genesis Store provides a Chrome extension that automatically preloads logins, cookies, browser profile, etc. By mimicking the victim's browser profile, the attacker is able to bypass the security mechanisms of platforms that base their user identification on the browser fingerprint. But where does Genesis get the credentials from?
Where does Genesis Store get the credentials from?
Genesis Store is fed with stolen digital fingerprints stemming from bots, i.e. infected computers. Digital fingerprints, e.g. credentials, credit cards, etc., are obtained either using form grabbers or using a crawler that extracts the credentials stored in the built-in browser password managers. To infect the hosts, attackers run malware campaigns, e.g. by sending infected email attachments to the victims. According to Raveed Laeb, Product Manager at KELA, most infections are carried out by the AZORult malware, which accounts for 90% of all infections.
Form grabbers are pieces of software that sneak into the browser and capture login information as it is being entered into a form, along with other identifying information that helps the software masquerade as the customer. A form grabber can be thought of as an extension that intercepts browser requests, parses the request's payload, extracts the credentials if any, and sends them to the attacker.
Browser password managers keep track of the saved credentials of all visited websites. Whenever a user logs in on a website, the browser offers to save the username and password in its local database, and the next time the user visits that website, they are automatically logged in with these saved credentials (see Figure 4). It is a security best practice to pick one password per website, which prevents the attacker from logging in on other platforms if one of the victim's credentials is stolen. However, this has a major pitfall: if the computer gets infected by malware, the malware can steal all the credentials contained in the password manager. But how easy is it to steal credentials? To answer this question, we dissected the Google Chrome password manager on the Windows platform.
How does Google Chrome Manage Credentials?
Google Chrome stores all the encrypted credentials in a local SQLite database within the user's session. Depending on the version, the way Google Chrome encrypts and decrypts credentials at runtime differs.
Before version 80, Google Chrome relied solely on the DPAPI (Data Protection API) to encrypt and decrypt passwords in its local SQLite database. DPAPI allows the user to encrypt data using information from the current user account or computer. It is used to alleviate the difficult problem of explicitly generating and storing a cryptographic key. The major pitfall is that anyone logged on to the same session can pull out the list of credentials and decrypt the passwords, i.e., any malicious software is able to steal the list of credentials. An example is provided in the Python script in Figure 5. This script (1) connects to the local SQLite database stored in “AppData\Local\Google\Chrome\User Data\Default”, (2) runs a SQL query to fetch the encrypted credentials, (3) iterates over the credentials, and eventually (4) for each credential, decrypts the password using the “CryptUnprotectData()” function.
From Chrome 80, Google changed the way passwords are stored in the local SQLite database. Instead of relying solely on the Windows encryption function, Google also uses the AES256-GCM algorithm (Galois/Counter Mode) with a key that has been encrypted using DPAPI and stored in a JSON file. An example is provided in the Python script in Figure 6. This script (1) retrieves the encrypted key from the JSON file, (2) base64-decodes the encrypted key, (3) ignores the first 5 characters, (4) decrypts the key by means of the “CryptUnprotectData()” function, (5) connects to the local SQLite database stored in “AppData\Local\Google\Chrome\User Data\Default”, (6) runs a SQL query to fetch the credentials, (7) iterates over the credentials, (8) for each credential, extracts the signature version, the nonce, the ciphertext, and the MAC tag, (9) initializes the AES algorithm with the key recovered in step 4, the mode, and the nonce, and eventually (10) decrypts the password and validates it using the provided MAC tag. It is worth noting that the MAC tag makes sure the message has been decrypted using the right key and that no modification has taken place in transit. If the MAC tag is wrong, the entire message should not be trusted.
Although anyone logged on to the same session is still able to decrypt the passwords, this compels malware authors to update their source code, which makes the malware inactive for a while. Nevertheless, after updating to version 80 or later, we noticed that only newly saved credentials were stored in the safer way; old passwords were still stored in the old-fashioned way. Having learned the attackers' modus operandi, we were eager to know whether one of our internal computers was compromised or one of our sellers was impacted.
Investigation on a real case
Signing up to the Genesis Store was not a walk in the park, as an invitation code was required. Unless we knew an existing member who could send us an invitation, the only other option was to buy one on a dark web forum. We decided to crawl the dark web looking for the right site to get the invitation, knowing that many dark web sites are just scams. After some minutes of investigation, one website turned out to be genuine and, for a few dollars via a Bitcoin transfer, we were able to get the code. Once the code was in our hands, we were finally able to create an account and gain access to a whopping 260k bots.
Searching for any compromised internal computers was our first reflex and, to our relief, the result was negative; however, six of our sellers were compromised. Since the relationship with our sellers is essential, we bought those accounts and informed the respective sellers of their security issues. To facilitate the malware removal, clear instructions were emailed to them, and after a week all the computers were disinfected. The question now is: how can an e-commerce company monitor such credential leaks across the dark web and forums? Have you heard about threat intelligence tools?
Threat Intelligence Tools: what are they?
A threat intelligence tool identifies and anticipates cyber threats but also keeps up with the most recent attacks. Interesting findings are, for instance, the current security trends in 2020 or which types of attack are most often carried out. The tool can be seen as a huge collector of logs sent by different sensors, e.g. website crawlers. The collected data is then processed by a natural language processor to identify the semantics, translate the texts, aggregate, and correlate the results. This data can be enriched from different sources, such as indicators of compromise, IP addresses, domain names, etc. Based on a list of filters, the analyst receives alerts and has a clear view of what is occurring. See Figure 7.
One interesting use case consists of detecting vulnerable components of an e-commerce infrastructure. Being a step ahead allows an e-commerce company to patch the most vulnerable components of its infrastructure. Because zero-day vulnerabilities regularly pop up, it is judicious to track the sensitive components and prevent attacks from occurring after a zero-day vulnerability is published. For instance, during COVID-19, employees are compelled to work from home, in which case the emphasis is on VPN technology and video conferencing tools. Making sure the VPN and video conferencing tools are up to date is a mandatory step at ManoMano.
As mentioned in the previous section, monitoring data exfiltration is a paramount step for a company. Being aware in a timely manner of which account or computer has been compromised reduces the risk as much as possible. Being reactive makes a huge difference in terms of security impact. If the e-commerce company alerts a seller that their computer has been infected and needs to be disinfected as soon as possible, the e-commerce company achieves two goals: (1) it protects the seller and thus its own business, and (2) it increases the trust between the seller and the company.
Nevertheless, one of the pitfalls of threat intelligence tools is the overwhelming quantity of information they provide. It is handy to narrow down the search and tune the monitors to only receive alerts on specific categories. In other words, the main challenge consists of finding the right balance between alerts, keeping false positives as low as possible while keeping true negatives very high. For instance, when setting up monitors on Genesis Store, we selected only the domains that are critical to us, e.g., ManoMano's back-office URLs. Checking the cyber attacks mentioned on Twitter was definitely too verbose for us; in the end, the analyst stops watching alerts that are no longer reliable.
ManoMano would love to hear about your experience of handling security threats and your feedback on threat intelligence tools, e.g., how you make the most of them. Please leave a comment below this article if you feel like it ;)
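As an added example of the monitor tuning described here (and of the per-bot fields listed in the Genesis Store section above), the following code triages constructed bot listings against a watchlist of critical domains, so that only bots touching those domains raise an alert. It is not ManoMano's tooling; the watchlist entries, the record layout and the sample listings are all constructed for this article.

```python
"""Tune dark-web monitor alerts to critical domains only.
Added example, not ManoMano's tooling. Bot records are constructed to mirror
the fields a Genesis Store listing exposes (bot ID, country, infection time,
list of compromised domains); no real identifiers are used."""
from urllib.parse import urlsplit

# Constructed watchlist: only domains that matter to the company, as the
# article recommends, rather than every domain seen in a listing.
WATCHLIST = {"backoffice.example-shop.test", "example-shop.test"}


def host_of(entry: str) -> str:
    """Normalise a listing entry (bare host or full URL) to a lowercase host."""
    if "://" not in entry:
        entry = "//" + entry
    return (urlsplit(entry).hostname or "").rstrip(".")


def is_watched(host: str, watchlist=WATCHLIST) -> bool:
    """True if host is a watched domain or one of its subdomains.
    A look-alike such as 'example-shop.test.evil.example' must not match."""
    return any(host == w or host.endswith("." + w) for w in watchlist)


def triage(bots, watchlist=WATCHLIST):
    """Return one alert per bot whose compromised domains touch the watchlist."""
    alerts = []
    for bot in bots:
        hits = sorted({host_of(d) for d in bot["domains"]
                       if is_watched(host_of(d), watchlist)})
        if hits:
            alerts.append({"bot_id": bot["bot_id"], "country": bot["country"],
                           "infected": bot["infection_time"], "matched": hits})
    return alerts


# Constructed sample listings.
SAMPLE_BOTS = [
    {"bot_id": "BOT-0001", "country": "FR", "infection_time": "2020-03-02",
     "domains": ["https://BackOffice.example-shop.test/login", "mail.example.test"]},
    {"bot_id": "BOT-0002", "country": "DE", "infection_time": "2020-03-05",
     "domains": ["example-shop.test.evil.example", "twitter.com"]},
    {"bot_id": "BOT-0003", "country": "ES", "infection_time": "2020-03-07",
     "domains": ["seller.example-shop.test"]},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_BOTS):
        print(alert)
```

Only BOT-0001 and BOT-0003 produce alerts; the look-alike domain on BOT-0002 is ignored, which is the kind of noise reduction the paragraph above is after.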
Acknowledgements
Thanks to Fabien Lemarchand, Grégoire Paris, and Pierre Fournier for many corrections and suggestions.