Threat Actors Seek, Solicit Access to Compromised E-commerce Sites
By Abigail Showman
Open source and commercial e-commerce platforms have been targeted for years by threat actors, often armed with commodity exploits for known and patched vulnerabilities. Their aim is to gain administrative access to these platforms, which then facilitates the theft of customers’ payment card data.
Some threat actors infect and steal directly from sites hosted on these platforms, while others prefer to supply a lively underground economy in which access to sites running on these popular platforms is bought and sold.
In recent months, researchers at Flashpoint have observed several advertisements across the deep & dark web (DDW) by threat actors seeking access to a variety of retail websites that employ commercial e-commerce platforms. The risk is substantial to the victims, who would be susceptible to carding, phishing attacks, drop-shipment fraud, and more.
Smaller E-commerce Sites in the Crosshairs
Threat actors who claim to have access to numerous different retail sites sell this access to other users across the DDW. Often, this includes administrative access to the customer relationship management (CRM) panel for the site. Advertisements describe the level of access in varying detail, but they typically offer access to order history, user information, financial details, emails, and administrator accounts.
Although the order volume varies for the sites that are advertised, many of the allegedly compromised e-commerce sites appear to be for retailers with 200 or fewer online orders per month. This suggests that threat actors may seek out smaller sites that may not have implemented robust security measures. However, some advertisements are for e-commerce sites that, according to the threat actors, appear to have a higher volume, allegedly with dozens of orders per day.
Some of the discussions linked to these ads do not disclose the methods used by threat actors to gain access to these sites. However, cross-site scripting (XSS) vulnerabilities account for a significant share of the vulnerabilities reported to one such vendor’s bug bounty program.
Illustrating the issue, an exploit was published in March for a critical SQL injection vulnerability in the core Magento code: the flaw had been addressed, only to have the patch reverse-engineered and a proof-of-concept attack published. In June, a report from security company Sanguine Security published data showing that attacks against Magento doubled month over month once the bug was disclosed in April. The flaw can be exploited by remote, unauthenticated attackers to take over unpatched, vulnerable sites.
Additionally, some threat actors have been observed posting mentorships or other opportunities to learn how to exploit e-commerce sites for fraudulent dropshipping schemes. Flashpoint has also identified advertisements for the creation of phishing pages associated with e-commerce platforms, which may be used by threat actors for other types of campaigns.
Online retail companies that employ commercial e-commerce solutions should ensure that their sites run up-to-date versions of the software, because threat actors will seek out sites running outdated, unpatched versions. Site administrators should also monitor logs for any spikes in activity that may reflect an attempt to exploit previously disclosed vulnerabilities.
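The log-monitoring advice above is easy to state and less easy to operationalize, so here is an added example (my code, not Flashpoint's and not part of the original post) of the simplest useful version: parse web-server access logs in the common "combined" format, bucket requests per client IP per minute, and flag any bucket that exceeds a multiple of a normal per-client baseline, along with the share of 4xx/5xx responses in that bucket (a high error ratio alongside a burst is a typical sign of someone probing for a known bug). The baseline, the multiplier, the log lines and the IP addresses are all constructed assumptions for the demo; a real deployment would derive the baseline from the site's own history.

```python
"""Per-client request-rate spike detection over access logs.

Added example, not code from the Flashpoint article. Assumptions (mine):
Apache/Nginx "combined" log format, a per-client baseline expressed in
requests per minute, and the constructed sample lines in SAMPLE_LOG.
"""
import re
from collections import Counter
from datetime import datetime

# Leading fields of the combined log format: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: one ordinary shopper, then a second client making a
# burst of requests to the admin path inside a single minute, mostly getting 404s.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jun/2019:10:00:05 +0000] "GET /checkout/cart/ HTTP/1.1" 200 5123',
    '203.0.113.5 - - [10/Jun/2019:10:02:11 +0000] "POST /checkout/ HTTP/1.1" 302 0',
    '203.0.113.5 - - [10/Jun/2019:10:05:40 +0000] "GET /account/ HTTP/1.1" 200 2210',
] + [
    f'198.51.100.7 - - [10/Jun/2019:10:03:{s:02d} +0000] "GET /admin/ HTTP/1.1" '
    f'{404 if s % 4 else 200} 312'
    for s in range(0, 60, 5)  # 12 requests in one minute, 9 of them 404s
]


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def find_spikes(lines, baseline_rpm=2.0, factor=5.0):
    """Return (ip, minute) buckets whose request count exceeds factor * baseline_rpm.

    Each result carries the request count and the fraction of responses that were
    4xx/5xx, so an analyst can tell a burst of valid traffic from a burst of probing.
    """
    counts = Counter()  # (ip, minute) -> total requests
    errors = Counter()  # (ip, minute) -> requests answered with status >= 400
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # skip malformed lines rather than crashing on them
        key = (ev["ip"], ev["ts"].strftime("%Y-%m-%dT%H:%M"))
        counts[key] += 1
        if ev["status"] >= 400:
            errors[key] += 1

    threshold = baseline_rpm * factor
    spikes = []
    for key, n in sorted(counts.items()):
        if n > threshold:
            spikes.append({
                "ip": key[0],
                "minute": key[1],
                "requests": n,
                "error_ratio": round(errors[key] / n, 2),
            })
    return spikes


if __name__ == "__main__":
    for spike in find_spikes(SAMPLE_LOG):
        print(f"{spike['minute']} {spike['ip']}: {spike['requests']} requests, "
              f"error ratio {spike['error_ratio']}")
```

With the constructed sample, the ordinary shopper never crosses the threshold (2 requests per minute times a factor of 5), while the second client's 12 requests in one minute are reported with an error ratio of 0.75. In practice the same bucketing works per path as well as per client, which helps when an attacker rotates source addresses; and the alert is only the first step, since the next question is what those requests were asking for.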
Additionally, consumers are regularly advised to watch for suspicious activity on the forms of payment they use when shopping online. However, many DDW advertisements for access to e-commerce sites also tout access to customer email information, which threat actors may exploit to facilitate other forms of fraud. Customers should therefore stay alert for highly targeted phishing campaigns that draw on information gleaned from illicit access to an e-commerce site.
Tactical Monitoring Analyst
Abigail Showman is an Intelligence Analyst on the Tactical Threat Monitoring team at Flashpoint. She focuses on emerging trends across the Deep & Dark Web and is a certified crime intelligence analyst with a background in law enforcement and homeland security intelligence. Abigail is a graduate of Florida State University.