Attackers behind a campaign targeting various online shops worldwide, which researchers call Water Pamola, have swapped up their initial infection vector in order to drop malware and steal credentials. The evolving tactics underscore how cybercriminals are getting savvier when targeting the e-commerce space, said researchers.
Researchers with Trend Micro, who have been tracking the threat campaign since 2019, said in a recent report that the attack initially targeted online shops in Japan, Australia and European countries using spam emails with malicious attachments. However, more recently the attackers behind Water Pamola have started launching cross-site scripting (XSS) attacks on e-commerce systems.
As part of these attacks, threat actors are submitting online customer shopping orders that are appended with a malicious script in the field where the customer's address or company name typically is. When online shop administrators look into these orders, the malicious script is then executed - posing a threat that many store administrators aren't prepared for, Jaromir Horejsi, senior cyber threat researcher with Trend Micro, said.
“In this campaign there are no suspicious emails or attachments, so the infection process is more hidden and can remain unnoticed for a longer time,” said Horejsi. “We can assume that many people, especially e-commerce system administrators, are more careful and knowledgeable about opening emails and viewing email attachments, but many of them don't expect... that they may get infected just by viewing crafted malicious orders.”
Researchers said the attackers are not targeting a specific e-commerce framework, but rather any e-commerce system vulnerable to XSS attacks “in general.” In order to launch these attacks, cybercriminals in the background are managing their scripts with an XSS attack framework called “XSS.ME,” which reports the victim’s location and browser cookies. The source code of this framework is shared across various Chinese public forums, said researchers.
As part of their campaign, the attackers deliver a variety of different XSS scripts with varying functionalities. For instance, researchers discovered some scripts that aim to swipe administrator credentials from e-commerce websites. These scripts either show an authorization error message that redirects the user to a phishing website, or include a fake login form on the page.
“If the victim enters the credential in the fake form and clicks anywhere on the page, the script will take the credentials, encode them using base64, replace some characters with custom substrings, and then upload these to Water Pamola’s server,” said researchers.
“In this case, attackers craft malicious orders (containing malicious code), which are executed when viewed in vulnerable e-commerce system. This approach is different from the common tactics targeting e-commerce, like Magecart.”
Another script sends an HTTP GET request to a specific URL address during an early stage of the attack, in order to grab content from the victim’s management page and send it to the threat actor’s server. This allows the threat actor to gain a deeper understanding of the environment in order to design attack scripts that better fit that environment, said researchers.
Beyond credential theft, cybercriminals are also using these malicious scripts to upload backdoors to websites that are built on the EC-CUBE framework, which is an open-source framework for e-commerce sites that is popular in Japan, said researchers. The attackers rely on various methods for installing these backdoors - such as deploying a malicious plugin embedded in a file (“MakePlugin.tar.gz”) to the e-commerce framework or uploading a PHP web shell file by calling a native API provided by the framework.
Another malicious script aims to download malware using a social engineering method. The script first shows victims an alert prompt, with a message that reads “Your Flash version is too low, please install the latest version and try again!” Victims are then redirected to a fake Flash installer website controlled by the attackers. Once they click on the purported installer, they are infected with a variant of Gh0stRat, which is malware that has for years targeted the Windows platform. Gh0stRat enables attackers to take full control of the infected endpoint, log keystrokes, provide attackers with live webcam and microphone feeds, download and upload files and other malicious actions.
The malware variant’s code in this attack is based on Gh0stRAT source code, which was leaked online years ago - however, its traffic encryption is customized and the attackers have also added some new features. For instance, the RAT looks for the QQ number of the victims, if they use the Tencent QQ instant messenger software. If victims are logged into the service on the target machine, then the attacker can also access the victim’s list of contacts and private messages, said Horejsi.
Researchers observed several online shops being targeted as part of the campaign.
“Although the number of targeted e-commerce shops is not high, we need to remember that each online shop can have many customers and their personal information, credentials and credit cards might be at risk if the e-commerce shop is compromised,” Horejsi said.
While the e-commerce industry has historically faced varying security threats, the COVID-19 pandemic over the last year forced many retailers to shift from in-person to online sales, making the industry particularly lucrative for attackers. Cybercriminals with financial motives - such as the Magecart group as well as the Lazarus threat group - have been zeroing in on the e-commerce space with card-skimmer malware, phishing and fraud attacks. However, this latest campaign shows how cybercriminals are upping the ante - meaning that online merchants should be on high alert for attacks that come from unexpected infection vectors. Horejsi said, one way to prevent any attack from happening in the first place is for website administrators to ensure their e-commerce platforms are updated.
“While attacking e-commerce is neither a new type of attack nor a new trend, the Water Pamola campaign is very interesting,” Horejsi said. “In this case, attackers craft malicious orders (containing malicious code), which are executed when viewed in vulnerable e-commerce system. This approach is different from the common tactics targeting e-commerce, like Magecart.”