The national news media has been consumed of late with reports of Russian hackers breaking into networks of the Democratic National Committee. Lest the Republicans feel left out of all the excitement, a report this past week out of The Netherlands suggests Russian hackers have for the past six months been siphoning credit card data from visitors to the Web storefront of the National Republican Senatorial Committee (NRSC).
That’s right: If you purchased a “Never Hillary” poster or donated funds to the NRSC through its Web site between March 2016 and the first week of this month, there’s an excellent chance that your payment card data was siphoned by malware and is now for sale in the cybercrime underground.
News of the break-in comes from Dutch researcher Willem De Groot, co-founder and head of security at Dutch e-commerce site byte.nl. De Groot said the NRSC was one of more than 5,900 e-commerce sites apparently hacked by the same actors, and that the purloined card data was sent to a network of servers operated by a Russian-language Internet service provider incorporated in Belize.
De Groot said he dissected the malware planted on the NRSC’s site and other servers (his analysis of the malware is available here) and found that the hackers used security vulnerabilities or weak passwords to break in to the various e-commerce sites.
The researcher found the malware called home to specific Web destinations made to look like legitimate sites associated with e-commerce activity, such as jquery-cloud[dot]net, visa-cdn[dot]com, and magento-connection[dot]com.
“[The attackers] really went out of their way to pick domain names that look legitimate,” De Groot said.
The NRSC did not respond to multiple requests for comment, but a cached copy of the site’s source code from October 5, 2016 indicates the malicious code was on the site at the time (load this link, click “view source” and then Ctrl-F for “jquery-cloud.net”).
A majority of the malicious domains inserted into the hacked sites by the malware map back to a few hundred Internet addresses assigned to a company called dataflow[dot]su.
Dataflow markets itself as an “offshore” hosting provider with presences in Belize and The Seychelles. Dataflow has long been advertised on Russian-language cybercrime forums as an offshore haven that offers so-called “bulletproof hosting,” a phrase used to describe hosting firms that court all manner of sites that most legitimate hosting firms shun, including those that knowingly host spam and phishing sites as well as malicious software.
De Groot published a list of the sites currently present at Dataflow. The list speaks for itself as a collection of badness, including quite a number of Russian-language sites selling synthetic drugs and stolen credit card data.
According to De Groot, other sites that were retrofitted with the malware included e-commerce sites for the shoe maker Converse as well as the automaker Audi, although he says those sites and the NRSC’s have been scrubbed of the malicious software since his report was published.
But De Groot said the hackers behind this scheme are continuing to find new sites to compromise.
“Last Monday my scans found about 5,900 hacked sites,” he said. “When I did another scan two days later, I found about 340 of those had been fixed, but that another 170 were newly compromised.”
According to the researcher’s analysis, many of the hacked sites are running outdated e-commerce software or content management software. In other cases, it appears the attackers simply brute-forced or guessed passwords needed to administer the sites.
Further, he said, the attackers appear to have inserted their malware into the e-commerce sites’ databases, rather than into the portion of the Web server used to store HTML and other components that make up how the site looks to visitors
“That’s why I think this has remained under the radar for a while now,” De Groot said. “Because some companies use filesystem checkers so that if some file changes on the system they will get a notice that alerts them something is wrong.”
Unfortunately, those same checking systems generally aren’t configured to look for changes in the site’s database files, he explained, since those are expected to change constantly — such as when a new customer order for merchandise is added.
De Groot said he was amazed at how many e-commerce merchants he approached about the hack dismissed the intrusion, reasoning that they employed secure sockets layer (SSL) technology that encrypted the customers’ information end-to-end.
What many Webmaster fail to realize is that just as PC-based trojan horse programs can steal data from Web browsers of infected victims, Web-based keylogging programs can do the same, except they’re designed to steal data from Web server applications.
PC Trojans siphon information using two major techniques: snarfing passwords stored in the browser, and conducting “form grabbing” — capturing any data entered into a form field in the browser before it can be encrypted in the Web session and sent to whatever site the victim is visiting.
Web-based keyloggers also can do form grabbing, ripping out form data submitted by visitors — including names, addresses, phone numbers, credit card numbers and card verification code — as customers are submitting the data during the online checkout process.
These attacks drive home one immutable point about malware’s role in subverting secure connections: Whether resident on a Web server or on an end-user computer, if either endpoint is compromised, it’s ‘game over’ for the security of that Web session.
With PC banking trojans, it’s all about surveillance on the client side pre-encryption, whereas what the bad guys are doing with these Web site attacks involves sucking down customer data post- or pre-encryption (depending on whether the data was incoming or outgoing).
I don’t believe that any criminal hosting company can be 100 percent ” bulletproof” and can’t be shut down.
Well of course. Every time we find a spam or malware site we report them to the Internet police. They investigate and then get on a boat or plane to go and shut them down…
… and everyone knows the internet police drive Volvos with Thors hammer… get em internetz polices!
Internet Police ?
The jump on a boat or plane and go shut them down ? WHAT POLICE WORK SO EFFECTIVELY. MIND NAMING THE LAW ENFORCEMENT UNIT AND HOW TO REACH THEM ???
Bruce that information is strictly only available on a need to know basis.
I would say what happened to Kim Dotcom was pretty effective.
But ya know, the internet police are not all that concerned unless it’s about someone running a server for P2P/Torrent sharing of illegal files. There are special circumstances though such as Julian Assange that attract attention.
Otherwise, it’s blah blah blah. Let them eat cake.
As an FYI, the NRSC is a campaign arm of the GOP focusing on Senate races. Its not a part of the Senate or any Senate Committee.
Yeah, if a DB is compromised doesn’t matter if it’s SSL lol.
Yes, lots of us know this, but lots of Sr leadership and management have no clue and huge heads about how secure their environments are. Big Ego with delusions of security are not a good recipe!
The problem is closer to home than this article suggests. If you look at the ipout.zip data at crimeflare.com/zippy.html you will find 186 additional unique domains from that same Dataflow 80.87.205.0/24 block. These domains use CloudFlare for their front-end.
Why blame the Russians? They already officially ban more than 5,000 CloudFlare-protected domains (crimeflare.com/russia.html).
How many CloudFlare-protected domains does the U.S. ban? Zero.
Where is the report listing the 5,900 hacked e-commerce sites? Not finding it from article links. Thanks.
Updated list (as of 10/14/16) is here: https://gitlab.com/gwillem/public-snippets/snippets/28813
Is this Political Correctness? “hacked by the same actors”. How come people cannot say “criminals” or “enemies”? Lets call it what it is.
Word!
what difference does it make? that facts on their face are enough to know this is bad, you dont need a label to tell you that. substance > rhetoric.
” it appears the attackers simply brute-forced or guessed passwords needed to administer the sites.”
Far too many systems have nothing to prevent rapid fire password guessing. Often thousands of password guesses per second still don’t raise any alarm or prevention measures. Even an additional few seconds of login response time delay would thwart guessing, but would hardly be noticed by real users.
There are scripts like fail2ban which update firewall rules to block IP addresses where failed login attempts come from.
I block anybody with a login failure…
Hey wait a minute…. I thought Trump said it was 400 lb hackers in their mothers basement that was doing all the hacking… 😉
Mr. Trump also thinks his 10 year old kid is a cypher genius and living proof that “cyber is hard”.
I give up. It’s clear that we can’t beat the hackers. All we can do now is wait for Google to fire up all the dark fiber and sell us a nice new clean(family safe), private(invitation only), and safe(no foreign devils) internet.
A hosting company has to have an IP address block, and IP address blocks can be denied/blocked/firewalled. Linux has a great tool for that called UFW (Uncomplicated Firewall). It has allowed blocking of most of Vietnam’s IP addresses, and I’m starting on France and China, notorious origins of SSH attacks. However it takes a concerted effort on the part of all players, such as ISPs to block out offending hosting companies. Currently ISPs have no fiscal incentive to do so.
That being said, is there any software for checking CMS databases for malware? I’ve some Drupal sites that need checking, just to be safe.
Ask on the reddit r/drupal group.
Sounds like they found all the NSA tools left on that server by an NSA operative. Live Free or Die, I will take my chances, but I will never live in fear as my fellow countrymen do. I don’t make purchases or use a PC to bank on the net, I don’t own a phone either. We all know who the biggest hackers are, and it ain’t the Russians or the Chinese. Live by the sword, die by the sword.
We already know who you are. 😉
You listed several things you don’t do because of your fears that many others are not afraid to do. That belies your assertion that you don’t live in fear as others do. I can guarantee your comment generates more notice than the box of diapers I purchased on Amazon.
@ Catwhisperer
“… I’ve some Drupal sites that need checking…”
Give this a try: https://sitecheck.sucuri.net/
🙂
Surely the major anti-virus vendors can set up honey pots to discover such sites and provide outbound firewall rules to prevent such calling home?
Or have I missed something?
(Even better if I could copy those rules over into my router’s firewall!)
A Navy Seal friend of mind has reminded me that traditionally the easiest way to break into a groups data processing units is to already have the necessary information needed, which is obtainable by graft, blackmail, or from ‘political dissenters.’
I would like to believe that none of the above occurred, until I look at Chinese copies of our advanced weapon systems and allegedly Israeli films of Bill Clinton in extremely compromising positions with 13 year old minor females.
What good is all the security in the world, if our allies are able to pull off scams, though I will acknowledge had my ancestors been to objects of the Holocaust, a national policy of blackmail (or whatever it takes) to assure it never happens again is fully understandable.
@bruce
The story you refer to about Bill Clinton is false and comes from a fake news site. Check out http://www.snopes.com/video-throws-race-into-chaos/
Snopes ia one of the sites that check almost as often as Brian’s site here.
Snopes is 100% compromised based on who owns it and what they decide to lie about.
I agree with you. Between the hackers, media and Demo politicians, they are all corrupt. The media is the worst of the 3…
You forgot your /sarc tag.
Nice thing about snopes is no advertising, so they can’t be bought. They use primary sources that can be verified by anybody.
Any story you found to be not true?
Snopes seems good for “internet folk tales” But when it involves business or politics it too often is a source of disinformation. Same goes for media fluff. The fewer corrections made to Snopes the better since I have no desire to improve their impression of reliability.
Yeah, I didn’t think you knew of any, either…
Snopes is highly reliable. Read it and weep, perhaps — that does not make them somehow dishonest.
Thank you very much for your excellent news service and investigations. Keep up the effort. Much continued success to you. JJA
Dear Brian,
Currently the Big Two types of hackers are 1) cyber criminals who hack for profit and 2) government agencies that use hacking to commit espionage. I think in the future, you should clearly identify to which group your articles refer.
It is noteworthy that when members of the US government say “the Russians,” they are NOT castigating Russian cyber criminals. They are attributing hacking to the Russian government.
So, as to THIS article, when you say, “Russian hackers,” which group do you mean? Further down you mention “Russian-language cybercrime forums” which suggests profit, not espionage. Nevertheless, I think you should be clear on this point since the article is about hacking a group that is generally thought of as political, not commercial.
Thank you.
Brian was citing other articles discussing the “Russian hackers” … he was not offering his own opinion …it doesn’t seem relevant to the rest of his article anyhow
You should remove the Media Narrative that its Russian’s that are doing this. Any competent hacker is going to be bouncing around and probably jump from a foreign location.
Right now at best its someone that preffers russian language sites, which quite possibly includes 14 countries.
Your feeding a false set of talking points that have a political agenda.
No puppet!
Since disguised links in emails are often used to spread malware I am wondering if people can make a habit of sending a “broken” url that the receiver can edit easily to get back the real link. For examples www . krebsonsecurity . com
If we made a practice of doing that then then people who received clickable urls might become more suspicious of them.
Just wondering
I am Groot!
(Sorry, I had to say it)
Blaming the Russians is easy: they sort of invented cybercrime and exported it all over the world.
And it doesn’t matter if its governement or criminals, nowhere else are they so closely intertwined.
I liked the sarc. about internet police 🙂
Crimeflare does not help in most cases but cloudflare helps the cybercriminals 4 sure.
I think the contents of the hacked information are much more disturbing than the source. We are getting a rare glimpse into the minds of those that govern and it is chilling. That the Russians or any other nation state are attempting to interfere with our elections is not a surprise–they learned that from the US government. We’ve not only interfered in elections world wide but assassinated the leaders of other countries. I for one want more leaked information that shows just how corrupt our government has become on both sides of the aisle. This demonstrates the need for limited government which the constitution was designed to enforce and the need to drawback all the interventions into other countries costing 1000’s of lives on both sides. Soon, I fear, all branches of government will be in lockstep providing nanny services with one hand while trampling on freedom with the other.
Here is Datawagon trying to deny they are involved in shady biz
http://www.webhostingtalk.com/showthread.php?t=1578152
Shows quite a history for these kids
I’m so glad I never pay on line. My mountains and trees are analog. My large format photography is analog. No surveillance camera’s on our land.
Just eagles, wild boars, mountain goats etc. And spanish mastins to protect us. Programming is as interesting as book keeping to me. Yuk!!
But why is it if I want to buy something on line they insist on paypal and refuse a bank transfer? Another scam? We are pissing pour but are living like millionairs. Getting jealous? City whoopsies!
JPA makes a good point concerning broken links and the spread of malware. No matter how good computer security becomes, the true flaw will always be human error – a simple click on a link or opening up a picture which infects the computer/network.