Degree Objective #6

6. Research, document, test and evaluate several current industry information security-based threats, risks, malicious activities, covert methodology, encryption technologies, mitigation techniques or unconventional tactics to prevent loss of sensitive information and data confidentiality, integrity and availability.


War Game Final
Tate Gentry
University of Advancing Technology


    My company is a web hosting company called cool site. Our network was breached, and attackers planted phishing malware on customers' sites. This malware changes payment links to point at an external site and steals credit card information. It was brought to our attention when one of our customers reported that he was getting complaints that his customers' credit card payments weren't going through on his site, and that there were unauthorized charges on customers' cards made after they had attempted to buy services on his site.
   We begin by booting up a VM and accessing the malicious site to see what is going on. The site was running a number of third-party JavaScript utilities and had a cart function. This gave us the idea that this could be a Magecart attack. Magecart works by attackers gaining access to the website directly, or through third-party services running on the website, and injecting malicious JavaScript that steals shoppers' credit card details as they are entered into the payment forms. So, at this point it could be one of two things: an external attacker targeting this specific customer, or an attacker with an internal/admin account. What needs to be tested now is whether there are recurring themes among other customers' services. If the attacker has access to the main servers hosting all of our customers' websites, then we need to see which other customers are using the same JavaScript code/plugins. Once all other sites are scanned and the specific customers with infected sites are identified, the next step is to notify them. This is done by phone call, since email accounts are potentially compromised if the customer runs email services on their account. We would tell them that their website has been compromised, ask them to allow us time to fix the issue, and ask them not to notify their customers yet. The last thing we would want is for the hacker(s) behind this to find out that we have discovered them. At this stage, what needs to be done is to prohibit external traffic to these sites. This would be done by geo-blocking all countries. Doing so would keep any other customers from losing sensitive information. The next step is to allow only vetted code to access any sensitive information on the site. After this is done, we can implement our third-party software that intercepts the API calls from the website to the browser and blocks access to sensitive data.
What this does is prevent malicious script, or any non-critical third-party script, from gaining access to sensitive information entered on the website. The next step is to remove the geo-block on these sites and to notify our customers that the breach occurred. We would then reach out to the directly affected websites and ask them to contact all of their customers who made purchases, requesting that they change their passwords and get replacement cards. We would also ask them to reach out to their credit/debit card companies to dispute any financial damage done to them. One alternative that could have caused much more damage would have been the attackers using bots to open credit cards with the stolen user credentials and card data collected on these sites. In recent times, many companies are choosing the cheapest or free third-party services for their sites. This is where the biggest threat comes in, with an increased risk of a Magecart attack. However, there are also many legitimate third-party services that accidentally capture sensitive user information. This can affect these legitimate companies as well, since it is a breach of regulations and can lead to CCPA, GDPR, and HIPAA violations and penalties.
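The fleet-wide scan described above, checking which other customers' sites load the same JavaScript code/plugins, as an added example that is not code from the original essay; the vetted-host allowlist and the three sample customer pages are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the hosting platform keeps an allowlist of vetted third-party
# script hosts. These hostnames are placeholders, not real services.
VETTED_HOSTS = {"cdn.vetted-payments.test", "static.vetted-cdn.test"}

class ScriptSrcCollector(HTMLParser):
    # Collects the src of every external <script> tag in a page.
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)

def unvetted_hosts(html):
    # Hosts serving script to this page that are not on the vetted allowlist.
    # A relative src has no netloc: it is first-party code and is skipped here.
    p = ScriptSrcCollector()
    p.feed(html)
    hosts = {urlparse(s).netloc.lower() for s in p.sources}
    return {h for h in hosts if h and h not in VETTED_HOSTS}

def correlate(sites):
    # Map each unvetted host to the set of customer sites that load it.
    hits = {}
    for name, html in sites.items():
        for host in unvetted_hosts(html):
            hits.setdefault(host, set()).add(name)
    return hits

def shared_across_sites(sites, min_sites=2):
    # The "recurring theme" check: hosts that show up on several customers' sites,
    # which points at a platform-wide compromise rather than one hacked account.
    return {h: names for h, names in correlate(sites).items() if len(names) >= min_sites}

# Constructed sample: three customer sites; two load the same unvetted script.
SITES = {
    "shop-a": '<script src="https://cdn.vetted-payments.test/pay.js"></script>'
              '<script src="https://loader.unvetted-example.test/cart.js"></script>',
    "shop-b": '<script src="/js/site.js"></script>'
              '<script src="https://loader.unvetted-example.test/cart.js"></script>',
    "blog-c": '<script src="https://static.vetted-cdn.test/lib.js"></script>'
              '<script src="https://widgets.other-example.test/w.js"></script>',
}
```

In practice the HTML would be fetched from each hosted site or read from its document root, and a host that appears on several unrelated customers' sites is the one to investigate first.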
   In conclusion, our company was able to successfully eradicate a cluster of Magecart attacks on our users through fast identification, isolation, transparency, and remediation. All in all, the biggest challenge in dealing with Magecart attacks is identifying whether it is a single case or multiple customers. This can be the difference between a single compromised account and your entire network, depending on the source of the breach, which could be an internal attacker.
