WEBVTT

00:00:01.670 --> 00:00:08.440
JACK: In October 2015, Carlos, a Florida man, was manufacturing credit card skimming devices.

00:00:08.440 --> 00:00:13.200
These are little devices you can stick on a gas pump and anyone who comes and swipes

00:00:13.200 --> 00:00:17.050
their credit card at the gas pump will get their number saved to this little device.

00:00:17.050 --> 00:00:21.880
It’s a popular attack because not everyone is watching the gas pumps so you can easily

00:00:21.880 --> 00:00:23.760
sneak your skimmer onto it.

00:00:23.760 --> 00:00:27.960
It’s hard to sneak a skimmer onto a point of sale terminal in a store because the clerk

00:00:27.960 --> 00:00:31.930
is standing right there but gas pumps are usually standing right there in the open for

00:00:31.930 --> 00:00:34.760
anyone to just go use.

00:00:34.760 --> 00:00:40.190
[MUSIC] Carlos’s skimmers were slick; they were small, battery-powered, and could store

00:00:40.190 --> 00:00:42.399
up to a gigabyte of data on them.

00:00:42.399 --> 00:00:48.140
He stuck one on a gas pump and came back a few days later, plugged a USB cable into it,

00:00:48.140 --> 00:00:50.680
and downloaded all the credit card data off there.

00:00:50.680 --> 00:00:52.780
This is called track data.

00:00:52.780 --> 00:00:57.800
This was amazing for Carlos so now that one skimmer seemed to be working pretty well,

00:00:57.800 --> 00:01:02.500
Carlos started planting more and more skimmers all over Miami, Florida.

00:01:02.500 --> 00:01:07.220
Then he’d come back, hook up a USB cable, and download all the card track data.

00:01:07.220 --> 00:01:10.510
Carlos thought this was great but now what?

00:01:10.510 --> 00:01:13.060
How do you turn the track data into money?

00:01:13.060 --> 00:01:17.780
He thought about this; one could try selling the track data online but you don’t get

00:01:17.780 --> 00:01:19.940
that much for each card.

00:01:19.940 --> 00:01:25.430
Carlos was, after all, a DIY kind of guy so he bought a credit card writer and a bunch

00:01:25.430 --> 00:01:27.430
of blank credit cards.

00:01:27.430 --> 00:01:31.549
He would then transfer the credit card track data to these blank cards.

00:01:31.549 --> 00:01:36.670
This allowed him to go to the store and buy stuff with these stolen cards but Carlos had

00:01:36.670 --> 00:01:42.610
a lot of stolen cards, so he got two more Florida men to help him, two guys named Yordano

00:01:42.610 --> 00:01:44.080
and Gilner.

00:01:44.080 --> 00:01:49.370
Carlos wrote about fifty credit cards to blank cards and gave them to Yordano and Gilner

00:01:49.370 --> 00:01:53.220
and sent them both to Washington state to try to cash in on this.

00:01:53.220 --> 00:01:57.120
The theory was that Washington was on the opposite side of the US from Florida which

00:01:57.120 --> 00:02:00.760
was far away from Carlos, giving him a perceived security buffer.

00:02:00.760 --> 00:02:06.780
But on top of that, he made them go to Spokane, Washington which is far away from Seattle

00:02:06.780 --> 00:02:11.610
where the FBI or Secret Service might be stationed and looking for this kind of activity.

00:02:11.610 --> 00:02:16.250
Spokane was just far enough away from the feds and just big enough to have enough unique

00:02:16.250 --> 00:02:18.900
stores around town to do this.

00:02:18.900 --> 00:02:23.500
The plan was to buy as many gift cards as possible with these stolen cards.

00:02:23.500 --> 00:02:28.599
The two men started buying tons of gift cards, like $200 pre-paid VISA cards.

00:02:28.599 --> 00:02:30.110
They did this, a lot of this.

00:02:30.110 --> 00:02:34.940
They bought tons of gift cards with these stolen credit cards that Carlos gave them.

00:02:34.940 --> 00:02:39.010
See, gift cards don’t have a name attached to them so it’s much easier to use them

00:02:39.010 --> 00:02:40.810
anonymously or sell them.

00:02:40.810 --> 00:02:43.280
It’s a way to launder the money.

00:02:43.280 --> 00:02:47.260
The plan was going great and Carlos, back in Florida, was telling them he’d buy all

00:02:47.260 --> 00:02:52.150
the gift cards for half price, giving everyone a nice cut of the whole operation.

00:02:52.150 --> 00:02:56.420
The math still works out; if Carlos could get $100 per stolen card, that’s still way

00:02:56.420 --> 00:02:59.090
more than selling them on the black market.

00:02:59.090 --> 00:03:00.230
Everyone here was happy.

00:03:00.230 --> 00:03:04.830
[MUSIC] But then, one of the stolen cards happened to be stolen by someone who lived

00:03:04.830 --> 00:03:06.090
in Washington state.

00:03:06.090 --> 00:03:09.530
They saw this fraudulent purchase and immediately reported it.

00:03:09.530 --> 00:03:15.310
Quickly, the authorities got the CCTV footage of the store and saw Yordano and Gilner buying

00:03:15.310 --> 00:03:16.360
these gift cards.

00:03:16.360 --> 00:03:21.480
The authorities found what hotel the two were staying in and arrested them.

00:03:21.480 --> 00:03:26.870
The cops found a total of $35,000 in gift cards in their hotel room.

00:03:26.870 --> 00:03:32.780
Both were found guilty of credit card fraud but Carlos was still back in Florida.

00:03:32.780 --> 00:03:37.269
He wasn’t quite in the clear, though; he was brought to Washington and charged as a

00:03:37.269 --> 00:03:42.019
conspirator but with a typical trial, he was placed on a standard release condition until

00:03:42.019 --> 00:03:43.939
his trial began.

00:03:43.939 --> 00:03:47.340
He went back home to Florida to wait for the trial.

00:03:47.340 --> 00:03:51.100
Now, this is where Carlos, our Florida man, really shines.

00:03:51.100 --> 00:03:55.780
While on release for his trial for credit card fraud, Carlos continued to make skimmers

00:03:55.780 --> 00:03:58.879
and put them on gas pumps all over Miami.

00:03:58.879 --> 00:04:03.390
He would continue to scrape the data off these devices, stealing more and more cards while

00:04:03.390 --> 00:04:05.170
waiting for his trial.

00:04:05.170 --> 00:04:09.300
The police searched his apartment and found even more stuff than he originally was charged

00:04:09.300 --> 00:04:12.120
with and this brought all-new charges against him.

00:04:12.120 --> 00:04:15.239
He was found guilty in both Washington and in Florida.

00:04:15.239 --> 00:04:20.489
He had to serve a 30-month sentence for his crimes in Washington and Florida gave him

00:04:20.489 --> 00:04:24.669
an additional 144-month prison sentence.

00:04:24.669 --> 00:04:30.490
This Florida man was going to serve a total of fourteen years in prison for skimming credit

00:04:30.490 --> 00:04:31.570
cards.

00:04:31.570 --> 00:04:36.560
That case is closed; there’s no more skimming going on in Miami now, right?

00:04:36.560 --> 00:04:38.620
No, not exactly.

00:04:38.620 --> 00:04:43.039
Skimming like this is growing in popularity and in fact, the Secret Service has seen such

00:04:43.039 --> 00:04:48.470
a problem with it that they had to enact Operation Deep Impact to combat this.

00:04:48.470 --> 00:04:52.710
Due to its popularity, it’s not just credit card readers anymore.

00:04:52.710 --> 00:04:58.949
This problem of credit card skimming has now infected the online world, too.

00:04:58.949 --> 00:05:05.360
JACK (INTRO): [INTRO MUSIC] These are true stories from the dark side of the

00:05:05.360 --> 00:05:07.110
internet.

00:05:07.110 --> 00:05:12.360
I’m Jack Rhysider.

00:05:12.360 --> 00:05:16.509
This is Darknet Diaries.

00:05:16.509 --> 00:05:25.640
[INTRO MUSIC ENDS]

00:05:25.640 --> 00:05:31.970
JACK: As I was saying, credit card skimming isn’t just at the pump; it’s happening

00:05:31.970 --> 00:05:35.520
online in ways that you might not be aware of and I want to talk about it.

00:05:35.520 --> 00:05:38.850
Today, we’re gonna talk to one of the leading researchers of this problem.

00:05:38.850 --> 00:05:43.720
JON: My name is Jonathan Klijnsma and I’m the head of threat research for RiskIQ.

00:05:43.720 --> 00:05:45.870
JACK: Is it Yonathan or Jonathan?

00:05:45.870 --> 00:05:48.660
JON: Technically Yonathan but we say Jonathan.

00:05:48.660 --> 00:05:51.259
I’m Dutch so the pronunciation goes two ways.

00:05:51.259 --> 00:05:54.880
JACK: Okay, so Jonathan works for this company called RiskIQ.

00:05:54.880 --> 00:05:56.539
What they do is nothing short of amazing.

00:05:56.539 --> 00:06:00.750
JON: I’m the head of threat research within RiskIQ.

00:06:00.750 --> 00:06:06.650
RiskIQ, what we do, is we do data collection and one of the biggest points of data collection

00:06:06.650 --> 00:06:08.380
for us is web crawling.

00:06:08.380 --> 00:06:10.540
We deal with about two billion pages a day.

00:06:10.540 --> 00:06:14.180
It’s not just like sending Wget to a website.

00:06:14.180 --> 00:06:17.620
It’s a custom-made engine running JavaScript, interpreting JavaScript.

00:06:17.620 --> 00:06:23.650
JACK: Jonathan has this insane web crawling bot that goes out to two billion websites

00:06:23.650 --> 00:06:24.650
a day.

00:06:24.650 --> 00:06:27.849
[MUSIC] It goes to Alexa’s top two million and then spiders out from there.

00:06:27.849 --> 00:06:30.389
He’s able to do research on what he finds.

00:06:30.389 --> 00:06:34.389
He can filter it, organize it, compare it, alert on it.

00:06:34.389 --> 00:06:38.919
What he’s looking for is malicious activities on these websites.

00:06:38.919 --> 00:06:43.310
This is what a threat researcher might do; scour the internet looking for seriously bad

00:06:43.310 --> 00:06:45.080
stuff to investigate.

00:06:45.080 --> 00:06:47.169
JON: We’ve been crawling for a long time.

00:06:47.169 --> 00:06:49.800
One of our key things is history.

00:06:49.800 --> 00:06:56.620
We have a lot of that so even if we find something later on, it’s like, Antivirus products

00:06:56.620 --> 00:06:57.780
– it’s cat and mouse.

00:06:57.780 --> 00:07:02.250
If something’s completely new, done in a way that’s never been done before, nobody

00:07:02.250 --> 00:07:06.199
will detect it until they figure out what it is or until they’ve been told what it

00:07:06.199 --> 00:07:07.990
is, or until they see it.

00:07:07.990 --> 00:07:11.039
One of the things is, if we find something that we haven’t seen before, we can always

00:07:11.039 --> 00:07:14.370
go back and see when something started, when something first appeared.

00:07:14.370 --> 00:07:20.150
JACK: This, to me, is incredible because basically, Jonathan has historical records of two billion

00:07:20.150 --> 00:07:26.340
web pages that he can pull up from days ago, weeks ago, months ago, years ago.

00:07:26.340 --> 00:07:28.990
This is sort of like his own private way-back machine.

00:07:28.990 --> 00:07:33.870
He can look to see what was on those pages for as far back as years but more specifically

00:07:33.870 --> 00:07:37.460
he can look to see what malware might be on those pages.

00:07:37.460 --> 00:07:42.680
Yeah, websites can exploit your browser; if you have an outdated browser or plugin or

00:07:42.680 --> 00:07:46.080
something, a web page can take control of your browser and infect you.

00:07:46.080 --> 00:07:50.960
It does this through JavaScript or Flash or Silverlight, or some back-end language, or

00:07:50.960 --> 00:07:51.960
something else.

00:07:51.960 --> 00:07:54.620
JON: Our main point is just data collection.

00:07:54.620 --> 00:07:56.970
We can make conclusions on the data.

00:07:56.970 --> 00:08:00.070
One of the things we’re able to do is, if we point our crawl to a website, it can tell

00:08:00.070 --> 00:08:05.560
us it’s running WordPress version something with these plugins installed on an Apache

00:08:05.560 --> 00:08:11.110
server that has PHP version something and we’ll match the CVEs for example, to it.

00:08:11.110 --> 00:08:17.200
The threat research team is there to find the bad stuff so when we’re crawling a website,

00:08:17.200 --> 00:08:19.220
could be that there’s a skimmer on there.

00:08:19.220 --> 00:08:22.210
Could be that you’re being redirected to an exploit kit.

00:08:22.210 --> 00:08:28.129
Could be that there’s just some scams going on; you’re redirected to a tech support

00:08:28.129 --> 00:08:29.129
thing.

00:08:29.129 --> 00:08:34.419
JACK: Sometime back in 2015, the team at RiskIQ started noticing some interesting stuff happening

00:08:34.419 --> 00:08:35.539
to websites running Magento.

00:08:35.539 --> 00:08:41.450
[MUSIC] Magento is an E-commerce site builder, just like how you can download WordPress and

00:08:41.450 --> 00:08:43.269
have it host your own blog.

00:08:43.269 --> 00:08:46.880
Magento is the same thing but for making online stores.

00:08:46.880 --> 00:08:52.420
You download the Magento PHP bundle and it has templates and themes for how your store

00:08:52.420 --> 00:08:53.420
looks.

00:08:53.420 --> 00:08:56.700
You customize the store to make it look how you want and then you list the items you want

00:08:56.700 --> 00:08:58.790
for sale and then you publish it.

00:08:58.790 --> 00:09:03.459
Now, people can go to your Magento store, see your selection, put the items in the cart,

00:09:03.459 --> 00:09:04.610
and check out.

00:09:04.610 --> 00:09:09.080
Of course, when they check out, they enter their credit card details to buy something

00:09:09.080 --> 00:09:10.519
from you.

00:09:10.519 --> 00:09:14.329
Very cool for someone who wants to set up an online shop but also comes with

00:09:14.329 --> 00:09:15.660
a risk.

00:09:15.660 --> 00:09:18.200
See, Magento itself is safe and secure.

00:09:18.200 --> 00:09:21.399
I mean, it’s owned by Adobe at this point and it’s open-source and there’s a lot

00:09:21.399 --> 00:09:23.380
of developers working on it.

00:09:23.380 --> 00:09:27.940
But there are people who quickly set up their online shop using Magento and don’t think

00:09:27.940 --> 00:09:29.630
much about the security.

00:09:29.630 --> 00:09:33.620
They think they’re done and then they focus on their product and marketing but what the

00:09:33.620 --> 00:09:37.690
shop owners fail to do is put any focus on security.

00:09:37.690 --> 00:09:42.310
If you don’t update Magento, it can become vulnerable to well-known attacks.

00:09:42.310 --> 00:09:46.680
If you don’t secure your servers that you’re hosting it on, it can leave you open.

00:09:46.680 --> 00:09:52.370
Yeah, if you don’t use strong passwords to access Magento as an admin, then yeah,

00:09:52.370 --> 00:09:53.680
you get it.

00:09:53.680 --> 00:09:59.290
Here’s the crazy part; there are over 100,000 online stores right now running Magento.

00:09:59.290 --> 00:10:04.640
Even if 1% of them didn’t have good security, that means 1,000 online stores are easily

00:10:04.640 --> 00:10:05.640
hackable.

00:10:05.640 --> 00:10:06.660
This can be a problem.

00:10:06.660 --> 00:10:10.360
It is a problem, a problem that Jonathan saw.

00:10:10.360 --> 00:10:14.589
He saw there was a particular group of hackers online looking for exploits in Magento.

00:10:14.589 --> 00:10:20.589
JON: When we were recently looking at this back in 2015, these guys would always compromise

00:10:20.589 --> 00:10:21.589
Magento.

00:10:21.589 --> 00:10:28.020
One of the files they would modify originally was mage.php which is one of the core files

00:10:28.020 --> 00:10:29.020
of Magento.

00:10:29.020 --> 00:10:31.620
They would skim you when you would go to your checkout to your cart.

00:10:31.620 --> 00:10:35.910
We had to give it a name internally to reference it and at some point, this turned into Magecart.

00:10:35.910 --> 00:10:40.570
JACK: Whoa, this group of hackers in 2015 had found their way into websites running

00:10:40.570 --> 00:10:46.079
Magento and then found where the checkout section was and put in some JavaScript to

00:10:46.079 --> 00:10:51.300
make a copy of any credit cards that were entered on that page, giving the hackers a

00:10:51.300 --> 00:10:52.750
copy of the credit card.

00:10:52.750 --> 00:10:57.990
They were doing credit card skimming on the website and the team at RiskIQ called this

00:10:57.990 --> 00:10:58.990
group Magecart.

00:10:58.990 --> 00:11:03.740
JON: [MUSIC] The skimming code is a small piece of JavaScript.

00:11:03.740 --> 00:11:08.899
It can be as small as fifteen lines but we’ve seen them up to 1,500 lines.

00:11:08.899 --> 00:11:11.839
It all depends what they’re actually doing with their skimmer.

00:11:11.839 --> 00:11:16.260
For the most part it’s very basic; you want to get payment data.

00:11:16.260 --> 00:11:22.089
But these small pieces of JavaScript are just loaded into a website and from the browser

00:11:22.089 --> 00:11:26.400
perspective, it’s just another script ‘cause browsers don’t really differentiate when

00:11:26.400 --> 00:11:27.910
to load up a web page.

00:11:27.910 --> 00:11:29.180
There’s a whole lot of stuff happening.

00:11:29.180 --> 00:11:32.030
If you’re on a mobile device, they change how the website looks.

00:11:32.030 --> 00:11:35.090
If you’re on a desktop, they change how it looks.

00:11:35.090 --> 00:11:39.910
These scripts have the same level of access to any data in the web page so once you’re

00:11:39.910 --> 00:11:44.070
entering payment data, the same script that gets you a popup to, I don’t know, submit

00:11:44.070 --> 00:11:49.529
your e-mail address or to subscribe to a newsletter, that same script also has access to this payment

00:11:49.529 --> 00:11:50.529
data.

00:11:50.529 --> 00:11:51.850
There’s no differentiation.

00:11:51.850 --> 00:11:55.790
Once these bad guys just get their script running on your website, that’s all they

00:11:55.790 --> 00:12:00.810
need ‘cause that script basically goes through everything that you see on the website and

00:12:00.810 --> 00:12:05.230
when you’re entering the payment information on your payment form, what they look for is

00:12:05.230 --> 00:12:06.430
this form.

00:12:06.430 --> 00:12:08.920
There’s different ways of identifying this form.

00:12:08.920 --> 00:12:14.080
Some of them look for really identifiable names like Payment Form or Payout or they

00:12:14.080 --> 00:12:18.690
look for fields that have names like System Number or Credit Card Number.

00:12:18.690 --> 00:12:22.690
Once they identify a form that might hold potential payment data, they wait for you

00:12:22.690 --> 00:12:28.370
to hit the button for payment which what actually happens when you do it, is you submit this

00:12:28.370 --> 00:12:32.329
data back to the website in the terms of their browser.

00:12:32.329 --> 00:12:34.360
It’s called submitting a form.

00:12:34.360 --> 00:12:39.230
These skimmers, these small pieces of JavaScript wait for you to do this.

00:12:39.230 --> 00:12:43.880
Once you do this, they quickly take your form data, send it over to their own server so

00:12:43.880 --> 00:12:45.820
they have your card data.

00:12:45.820 --> 00:12:51.370
Then they let it go through as if you normally submit your data for payment during a checkout

00:12:51.370 --> 00:12:53.370
process.
JACK: Yikes.

00:12:53.370 --> 00:12:57.149
In as little as fifteen lines of JavaScript, your credit card can land in the hands of

00:12:57.149 --> 00:13:00.360
the wrong people who can then do what they want with it.

00:13:00.360 --> 00:13:04.250
If you think about what you enter on the website; you put your name, the credit card number,

00:13:04.250 --> 00:13:06.779
the expiration date, and that little code on the back.

00:13:06.779 --> 00:13:11.190
That’s more than enough for a criminal to just use to buy something else on another

00:13:11.190 --> 00:13:14.699
website or print that number to a blank card and go buy gift cards.

00:13:14.699 --> 00:13:19.029
But in order for this to work, the hackers need to put that malicious JavaScript on the

00:13:19.029 --> 00:13:21.490
website in order for it to execute.

00:13:21.490 --> 00:13:24.780
Getting it on the website isn’t always easy but there are some ways to do it.

00:13:24.780 --> 00:13:25.910
JON: A lot of different ways.

00:13:25.910 --> 00:13:30.730
Some of them breach these websites directly, so an online store can be breached directly

00:13:30.730 --> 00:13:37.910
and they’d find a way to load in the script by putting it – for example, a lot of these

00:13:37.910 --> 00:13:41.769
platforms have the option to add Google Analytics Code, for example.

00:13:41.769 --> 00:13:45.949
You can add your little snippet of Google Analytics to the footer.

00:13:45.949 --> 00:13:50.730
What they sometimes do is they add their JavaScript to this snippet for Google Analytics.

00:13:50.730 --> 00:13:54.990
There’s just a lot of different ways you can add it depending on the platform.

00:13:54.990 --> 00:14:00.610
But the way to get it on the website is you either breach it directly or you go through

00:14:00.610 --> 00:14:01.610
a third party, like I said.

00:14:01.610 --> 00:14:06.861
A lot of websites load in ads, load in live chat support from remote services, a whole

00:14:06.861 --> 00:14:08.990
bunch of different things.

00:14:08.990 --> 00:14:13.100
You can be compromised through a supply chain which you technically don’t have

00:14:13.100 --> 00:14:18.000
a lot of control over ‘cause you don’t control the servers for the live chat service

00:14:18.000 --> 00:14:22.139
that you have on your website, but if the bad guys get in there and they put their script

00:14:22.139 --> 00:14:25.959
in the live chat server scripts, it gets loaded with that.

00:14:25.959 --> 00:14:29.459
We’ve observed this a whole bunch of times.

00:14:29.459 --> 00:14:33.320
JACK: You might not think about the supply chain of websites but if you’re a website

00:14:33.320 --> 00:14:34.579
owner, you should.

00:14:34.579 --> 00:14:40.850
[MUSIC] Most websites today don’t just run HTML and that’s it; they also use CSS which

00:14:40.850 --> 00:14:45.600
stylizes the page and then they bring in JavaScript which brings in more features and functionality.

00:14:45.600 --> 00:14:50.089
But typically, you don’t code all this CSS and JavaScript yourself.

00:14:50.089 --> 00:14:53.820
You find a library that someone else made and bring it over.

00:14:53.820 --> 00:14:58.430
Now, you’re running code on your website that you didn’t write.

00:14:58.430 --> 00:15:03.220
When your users come to it, that JavaScript you took from some other library executes

00:15:03.220 --> 00:15:05.209
in the user’s browser.

00:15:05.209 --> 00:15:08.820
All this is fine because you’re probably using an open-sourced library that has all

00:15:08.820 --> 00:15:12.220
its bugs squashed and people are actively updating it.

00:15:12.220 --> 00:15:17.620
But here’s the thing; a lot of people who run websites don’t host this JavaScript

00:15:17.620 --> 00:15:18.620
library themselves.

00:15:18.620 --> 00:15:23.259
They just link to it so when a user comes to their site, it says oh, you need this jQuery

00:15:23.259 --> 00:15:28.190
library from this other site before you can see this page, and your browser just automatically

00:15:28.190 --> 00:15:30.740
goes to that site, gets jQuery, and runs it.

00:15:30.740 --> 00:15:34.920
But think about going to a store to buy bottled water; the store didn’t bottle the water.

00:15:34.920 --> 00:15:38.430
They ordered it from a bottling plant and then stocked it for you to buy.

00:15:38.430 --> 00:15:42.279
The store trusts that bottle of water is good and won’t make people sick.

00:15:42.279 --> 00:15:46.910
But what if someone did get into the bottling company and poison the water?

00:15:46.910 --> 00:15:50.390
Then that water gets bottled and shipped to many stores all over.

00:15:50.390 --> 00:15:52.820
This is poisoning the supply chain.

00:15:52.820 --> 00:15:55.029
The same thing can happen online.

00:15:55.029 --> 00:15:59.589
Imagine what would happen if that central JavaScript library got hacked and started

00:15:59.589 --> 00:16:04.329
hosting JavaScript libraries with credit card skimming code in it?

00:16:04.329 --> 00:16:05.329
Yikes.

00:16:05.329 --> 00:16:10.000
That’s just what happened with Magecart; the hackers were getting this malicious JavaScript

00:16:10.000 --> 00:16:12.810
into these sites through the supply chain.

00:16:12.810 --> 00:16:17.949
JON: That’s the current one we’ve seen, some 17,000 or so websites, probably a lot

00:16:17.949 --> 00:16:24.959
more by now, that are just loading content from S3 buckets that are not secured properly

00:16:24.959 --> 00:16:29.110
or incorrectly configured, basically.

00:16:29.110 --> 00:16:30.220
They end up with skimming code.

00:16:30.220 --> 00:16:35.209
JACK: The thing is, the website owners would never know if their supply chain got hacked

00:16:35.209 --> 00:16:40.440
unless they go through and look at every line of JavaScript code to confirm it’s correct,

00:16:40.440 --> 00:16:43.279
and then do that every day to make sure it hasn’t changed.

00:16:43.279 --> 00:16:47.950
Well, that’s where Jonathan and his team come in; they’re looking at this particular

00:16:47.950 --> 00:16:49.900
thing every day.

00:16:49.900 --> 00:16:51.270
What they’re seeing is staggering.

00:16:51.270 --> 00:16:56.630
There are tons and tons of websites out there that have malicious JavaScript running on

00:16:56.630 --> 00:16:58.720
them.
JON: Way too many.

00:16:58.720 --> 00:17:03.290
One example I can give you, one third-party supplier that we observed hit about 100,000

00:17:03.290 --> 00:17:05.640
websites and appeared that it was affected.

00:17:05.640 --> 00:17:07.870
That’s just one third-party.

00:17:07.870 --> 00:17:13.220
JACK: Would all those websites be E-commerce?

00:17:13.220 --> 00:17:16.069
My blog doesn’t have a credit card form, you know.

00:17:16.069 --> 00:17:17.672
JON: Right, yeah, that’s one of the things.

00:17:17.672 --> 00:17:18.970
We see a lot of websites hit.

00:17:18.970 --> 00:17:21.450
It’s the same with the Amazon campaign that we see right now.

00:17:21.450 --> 00:17:26.819
A lot of sites get hit; not a lot of them actually run payment data through their website.

00:17:26.819 --> 00:17:28.230
Not all of them are E-commerce sites.

00:17:28.230 --> 00:17:33.220
While we see a lot of them get hit, it’s not always that for one, they’re processing

00:17:33.220 --> 00:17:39.169
payments or two, that the skimmer even reaches that payment or the checkout page ‘cause

00:17:39.169 --> 00:17:40.860
that’s another thing.

00:17:40.860 --> 00:17:45.870
If you set up your E-commerce site properly, you shouldn’t run ads, for example, on your

00:17:45.870 --> 00:17:46.870
checkout page.

00:17:46.870 --> 00:17:51.190
You want to avoid running any external party on your checkout page.

00:17:51.190 --> 00:17:57.679
We still see it happen, obviously, but it’s one of the advice steps we give.

00:17:57.679 --> 00:18:04.370
But from the third-parties, it isn’t always an E-commerce site but it’s kind of hard

00:18:04.370 --> 00:18:09.630
to tell you exactly how many, but it’s got to be in the hundreds of thousands, easily.

00:18:09.630 --> 00:18:14.169
JACK: Just to be clear, not all these sites that are compromised are running Magento.

00:18:14.169 --> 00:18:17.760
This is just where the term originated from and where we get the name.

00:18:17.760 --> 00:18:22.530
The hackers have fanned out to many different platforms now but also continue to target

00:18:22.530 --> 00:18:23.530
Magento sites.

00:18:23.530 --> 00:18:25.059
JON: It’s a really prevalent problem.

00:18:25.059 --> 00:18:30.750
Web skimming is the go-to thing by now if you want to steal credit card data.

00:18:30.750 --> 00:18:35.880
It’s not as much direct breaches anymore; it’s just, get a web skimmer on a web page

00:18:35.880 --> 00:18:38.110
and you get payment data.

00:18:38.110 --> 00:18:42.430
JACK: [MUSIC] Now, while the Magecart hacking group initially started as a single group

00:18:42.430 --> 00:18:49.250
in 2015, over the last four years, it’s grown to be a common tactic used by many hackers.

00:18:49.250 --> 00:18:54.771
Jonathan originally had one Magecart hacking group but now there’s Magecart hacking Group

00:18:54.771 --> 00:18:57.929
2 and Group 3 and Group 4, and so many more.

00:18:57.929 --> 00:19:01.140
They all skim credit cards from websites.

00:19:01.140 --> 00:19:05.250
While Jonathan was researching all this and tracking all these different groups, out of

00:19:05.250 --> 00:19:07.440
nowhere, he saw this on the news.

00:19:07.440 --> 00:19:11.280
REPORTER: Hundreds of thousands of British Airways passengers have had their bank details

00:19:11.280 --> 00:19:15.580
stolen in one of the biggest data breaches to hit a UK company.

00:19:15.580 --> 00:19:20.440
The airline discovered on Wednesday that bookings made between August the 21st and September

00:19:20.440 --> 00:19:25.380
the 5th had been compromised with hackers taking credit card details, along with e-mails

00:19:25.380 --> 00:19:26.450
and addresses.

00:19:26.450 --> 00:19:30.909
JACK: Even the CEO of British Airways came on TV to say what’s been stolen.

00:19:30.909 --> 00:19:37.550
CEO: We know that information that has been stolen is name, address, e-mail address, credit

00:19:37.550 --> 00:19:41.650
card information; that would be credit card number, of course expiration date, and the

00:19:41.650 --> 00:19:44.340
three-letter code on the back of the credit card.

00:19:44.340 --> 00:19:51.600
JON: On September 6th last year, they announced that they had suffered a data breach.

00:19:51.600 --> 00:19:59.230
They put up a web page, they had some, I think, interviews pre-lined up with BBC.

00:19:59.230 --> 00:20:07.200
They said they had about 380,000 affected customers and they had a really specific timeframe

00:20:07.200 --> 00:20:08.710
for it, as well.

00:20:08.710 --> 00:20:15.659
They said there was theft of customer data between 10:58 British Standard Time, August

00:20:15.659 --> 00:20:21.220
21st until 9:45 British Standard Time, September 5th.

00:20:21.220 --> 00:20:27.710
There was a really specific timeframe and they basically said if you believe you may

00:20:27.710 --> 00:20:32.050
be affected because you made a booking or paid to change a booking with a credit card

00:20:32.050 --> 00:20:37.130
or debit card on ba.com or the mobile app between these and these dates, we recommend

00:20:37.130 --> 00:20:39.130
that you contact your bank.

00:20:39.130 --> 00:20:44.780
For us, when they started saying credit card, debit card, ba.com or mobile app, something

00:20:44.780 --> 00:20:49.419
told us like maybe something’s going on, ‘cause we were expecting that at some point,

00:20:49.419 --> 00:20:52.030
something big would happen.

00:20:52.030 --> 00:20:58.860
We took the fact that they said ba.com was affected, their mobile app was affected, and

00:20:58.860 --> 00:21:00.919
they had a really, really specific on-the-minute timeline.

00:21:00.919 --> 00:21:06.670
The end time you can understand ‘cause that will be they investigated and they cleaned

00:21:06.670 --> 00:21:08.559
up, so they will know once they cleaned up.

00:21:08.559 --> 00:21:11.640
But they had a very specific timeline for when it started.

00:21:11.640 --> 00:21:16.880
JACK: Now, keep in mind that the web crawlers at RiskIQ have been going out to British Airways

00:21:16.880 --> 00:21:21.809
websites for years, taking a snapshot of everything there, day after day.

00:21:21.809 --> 00:21:24.770
British Airways was not saying how they were hacked.

00:21:24.770 --> 00:21:29.460
Even to this day, they never told us how the hackers stole all these credit cards but Jonathan

00:21:29.460 --> 00:21:34.279
wanted to find out and he was in the perfect position to look back at the history of the

00:21:34.279 --> 00:21:39.120
British Airways website to see if he could find out what happened for himself.

00:21:39.120 --> 00:21:40.929
After the break, we’ll hear what he finds.

00:21:40.929 --> 00:21:41.929
Stay with us.

00:21:41.929 --> 00:21:50.000
JON: What we started to do is just, okay, within the timeframe, let’s first find what

00:21:50.000 --> 00:21:51.720
actually happens.

00:21:51.720 --> 00:21:58.779
[MUSIC] They said August 21st until September 5th, so let’s grab all our crawl data and

00:21:58.779 --> 00:22:03.530
go through their website and just see what happened during that time and was there a

00:22:03.530 --> 00:22:09.380
change before that timeframe to within that timeframe, and was there anything really specific?

00:22:09.380 --> 00:22:13.549
We were going through crawls, a whole bunch of crawls.

00:22:13.549 --> 00:22:19.179
We started going through it and we noticed a change in the file and specifically, the

00:22:19.179 --> 00:22:22.720
file was a JavaScript library called Modernizr.

00:22:22.720 --> 00:22:27.429
Modernizr in itself is nothing super interesting; it’s a way to make sure that your website

00:22:27.429 --> 00:22:29.299
will work on older and newer browsers.

00:22:29.299 --> 00:22:30.500
It helps you with that.

00:22:30.500 --> 00:22:35.120
But one of the things we noticed, that before this date that they gave – so, they said

00:22:35.120 --> 00:22:37.770
it started on August 21st.

00:22:37.770 --> 00:22:40.740
When we went to the timeframe the British Airways said they were affected, the file

00:22:40.740 --> 00:22:46.570
had been modified on the 21st of August, exactly the timeframe that they gave.

00:22:46.570 --> 00:22:51.100
But we were looking at the file ‘cause it was modified and we noticed that the technique

00:22:51.100 --> 00:22:57.299
that we observed so many times at the bottom of this JavaScript library, they added a really,

00:22:57.299 --> 00:23:03.510
really, really tiny script and they made it even smaller by minimizing it but if you wrap

00:23:03.510 --> 00:23:07.390
it out and you look at it, it was about twenty-two lines of JavaScript.

00:23:07.390 --> 00:23:10.840
It was very, very small.

00:23:10.840 --> 00:23:14.120
The skimmer then would go through the payment form and [00:25:00] pull out the data and

00:23:14.120 --> 00:23:15.120
send it off.

00:23:15.120 --> 00:23:18.780
They did it in a very simple way.

00:23:18.780 --> 00:23:22.940
The reason for that is, they just grabbed it, push it out to the server, and once we

00:23:22.940 --> 00:23:26.350
have it, we’ll go through it, sort it and clean it out, and do all of that.

00:23:26.350 --> 00:23:30.750
Their point was just, we need to make sure that somebody’s doing a payment, and then

00:23:30.750 --> 00:23:32.049
just send off all the data.

00:23:32.049 --> 00:23:33.260
We can scrub it later.

00:23:33.260 --> 00:23:37.340
Just try to get as much while we have this organization breached.

00:23:37.340 --> 00:23:43.279
They changed just one JavaScript file and there are maybe a hundred different files

00:23:43.279 --> 00:23:45.210
on that – for the website, for ba.com.

00:23:45.210 --> 00:23:49.730
It’s a big website; there’s a lot of libraries, there’s a lot of stuff going on.

00:23:49.730 --> 00:23:54.350
They modified just this file ‘cause they had figured out that both mobile transactions

00:23:54.350 --> 00:23:58.960
as well as desktop transactions would load in this file.

00:23:58.960 --> 00:24:06.100
They had done their homework; they really figured out what – the cross-action between

00:24:06.100 --> 00:24:08.679
mobile payments and mobile desktop payments.

00:24:08.679 --> 00:24:10.740
It was this file that was always loaded.

00:24:10.740 --> 00:24:13.380
They took their time to figure this out.

00:24:13.380 --> 00:24:15.360
They went in, they breached BA.

00:24:15.360 --> 00:24:17.530
We don’t know how but they breached BA.

00:24:17.530 --> 00:24:23.380
They went on the server and they added their teeny, tiny snippet of code to this Modernizr

00:24:23.380 --> 00:24:24.380
library.

00:24:24.380 --> 00:24:32.179
When BA confirmed, 380,000 people were affected just by this web skimming attack.

00:24:32.179 --> 00:24:34.070
JACK: Whoa.

00:24:34.070 --> 00:24:35.210
This is crazy.

00:24:35.210 --> 00:24:41.700
That skimmer was only on BA’s website for a month which is a big haul for using such

00:24:41.700 --> 00:24:47.049
a little piece of code, and to hide it by sticking it in a well-known library that you

00:24:47.049 --> 00:24:50.510
didn’t write means you’ll probably never know it’s there.

00:24:50.510 --> 00:24:55.140
Now, we don’t know how BA discovered this but what typically happens is when people

00:24:55.140 --> 00:24:59.500
start using the cards fraudulently, they get reported and then the credit card companies

00:24:59.500 --> 00:25:04.559
will do a report on the reported cards to try to find a common purchase point.

00:25:04.559 --> 00:25:08.059
This will then narrow down where they think the credit card breach might have occurred

00:25:08.059 --> 00:25:10.240
and notify that company.

00:25:10.240 --> 00:25:14.940
This might have been how BA discovered this but still today, there’s been no explanation

00:25:14.940 --> 00:25:18.970
on how BA discovered this or how the hack happened, or what happened, really.

00:25:18.970 --> 00:25:23.520
JON: British Airways never explained exactly what happened.

00:25:23.520 --> 00:25:27.960
They tried to avoid it in any kind of media engagement.

00:25:27.960 --> 00:25:31.899
If you look at what they did PR-wise, they basically tried to flush it out with other

00:25:31.899 --> 00:25:32.899
news.

00:25:32.899 --> 00:25:37.320
They tried as hard as possible to make sure that nobody was talking about this.

00:25:37.320 --> 00:25:41.190
Until this day, we still don’t know exactly what happened internally.

00:25:41.190 --> 00:25:45.850
JACK: The CEO said they would reimburse anyone who was a victim of credit card fraud from

00:25:45.850 --> 00:25:46.850
this.

00:25:46.850 --> 00:25:48.700
That seemed to be the end of this incident.

00:25:48.700 --> 00:25:53.399
It quietly fell off the news cycles and disappeared until this year.

00:25:53.399 --> 00:25:57.299
[MUSIC] In 2019, the ICO had one last say in the matter.

00:25:57.299 --> 00:26:01.470
The ICO is a regulatory body in the UK, sort of like the Federal Trade Commission in the

00:26:01.470 --> 00:26:02.470
US.

00:26:02.470 --> 00:26:06.899
They investigated this and thought British Airways wasn’t following proper regulations

00:26:06.899 --> 00:26:08.539
regarding online security.

00:26:08.539 --> 00:26:13.929
The ICO found that over 500,000 user details were stolen from this hack.

00:26:13.929 --> 00:26:18.970
After their investigation, they found that British Airways wasn’t following proper

00:26:18.970 --> 00:26:28.669
GDPR policies and gave them a fine totaling $237,000,000 US dollars, or £183,000,000

00:26:28.669 --> 00:26:30.620
British pounds.

00:26:30.620 --> 00:26:40.590
This is a record-high fine for anyone violating GDPR but $237,000,000 is just 1.5% of their

00:26:40.590 --> 00:26:43.030
earnings during the year they were breached.

00:26:43.030 --> 00:26:47.789
It’s enough to make BA notice this but I’m not sure if it’ll hurt them that much in

00:26:47.789 --> 00:26:50.779
the long run.

00:26:50.779 --> 00:26:58.770
[MUSIC] Now that Jonathan has been studying this Magecart hacking group for a few years

00:26:58.770 --> 00:27:04.029
and he saw exactly what happened with British Airways, he was able to take this knowledge

00:27:04.029 --> 00:27:09.669
and search his database of cached websites to see if this same group might be hacking

00:27:09.669 --> 00:27:10.669
another website.

00:27:10.669 --> 00:27:18.340
JON: We know that this group, for them, this web skimming is a tool in their arsenal.

00:27:18.340 --> 00:27:23.600
It was a week later; we published British Airways and then a week later we were looking

00:27:23.600 --> 00:27:24.600
at this.

00:27:24.600 --> 00:27:29.590
JACK: They did find the same skimming code on another website.

00:27:29.590 --> 00:27:31.970
This time, it was on the website newegg.com.

00:27:31.970 --> 00:27:36.840
JON: The thing is, I’m not from the US.

00:27:36.840 --> 00:27:41.700
I’m Dutch so I’ve been looking at this, not being aware that Newegg was a big thing

00:27:41.700 --> 00:27:45.540
‘cause I’d never actually heard of it and it was just one of the many hits that

00:27:45.540 --> 00:27:49.210
we were looking at when we go through our data.

00:27:49.210 --> 00:27:52.760
JACK: Newegg is one of the largest retailers in the US.

00:27:52.760 --> 00:27:55.770
In 2016, they made 2.6 billion dollars.

00:27:55.770 --> 00:27:59.440
It’s one of the top ten biggest online stores in the US.

00:27:59.440 --> 00:28:01.600
They mostly sell computers and computer parts.

00:28:01.600 --> 00:28:04.860
In fact, I’ve ordered many, many things from Newegg.

00:28:04.860 --> 00:28:08.260
JON: What happened there was it was another breach.

00:28:08.260 --> 00:28:11.700
Newegg has kind of a different payment process.

00:28:11.700 --> 00:28:16.700
This is again where you can see that these guys [00:30:00] are quite smart about it.

00:28:16.700 --> 00:28:22.899
We noticed that on August 13th, they registered a domain called neweggstats.com.

00:28:22.899 --> 00:28:26.190
It was registered on August 13th.

00:28:26.190 --> 00:28:31.559
Going through our data on the Newegg website, one of the things we noticed is that the checkout

00:28:31.559 --> 00:28:35.429
process is a little bit more elaborate than BA.

00:28:35.429 --> 00:28:41.150
Their process goes that, you need to go through the store, put a product in your shopping

00:28:41.150 --> 00:28:42.230
cart.

00:28:42.230 --> 00:28:46.899
You go to the first step of the checkout which is where you enter your delivery information

00:28:46.899 --> 00:28:49.490
like your billing address and your shipping address.

00:28:49.490 --> 00:28:51.010
Then you click Next.

00:28:51.010 --> 00:28:58.150
You go to a new page and this is where, actually, you go and put in your payment information.

00:28:58.150 --> 00:29:02.800
In that page, directly in there, it wasn’t a JavaScript library like with British Airways.

00:29:02.800 --> 00:29:07.649
They had put an additional script tag and they added some additional scripts.

00:29:07.649 --> 00:29:08.780
This one was fifteen lines.

00:29:08.780 --> 00:29:10.470
It was slightly smaller.

00:29:10.470 --> 00:29:16.130
They had condensed their code a little bit but again, this script would look for a really

00:29:16.130 --> 00:29:17.650
specific button.

00:29:17.650 --> 00:29:20.169
This one was specific to the Newegg checkout.

00:29:20.169 --> 00:29:24.409
Again, it would do the desktop payments and mobile payments.

00:29:24.409 --> 00:29:29.399
JACK: By adding fifteen lines of JavaScript, the hackers were scraping every credit card

00:29:29.399 --> 00:29:33.870
entered into Newegg’s site and because this site was so popular, they must have been getting

00:29:33.870 --> 00:29:37.929
tens of thousands of credit cards a day; maybe much more than that.

00:29:37.929 --> 00:29:42.029
What’s worse is that Newegg had no idea this was going on.

00:29:42.029 --> 00:29:45.500
Jonathan and his research team saw this while it was happening.

00:29:45.500 --> 00:29:49.950
The hackers were live on Newegg sites, scraping every card they saw.

00:29:49.950 --> 00:29:54.110
The team realized this was a big site and even though they found skimmers on thousands

00:29:54.110 --> 00:29:58.510
of other sites, this one was really big and actually so big that they wanted to do more

00:29:58.510 --> 00:30:01.400
research about this and reach out to the site.

00:30:01.400 --> 00:30:05.279
Jonathan and his team moved quickly; they grabbed all the details they could and gave

00:30:05.279 --> 00:30:06.980
all the information to Volexity.

00:30:06.980 --> 00:30:12.010
I don’t know exactly why they worked with Volexity but this is a company they trust

00:30:12.010 --> 00:30:14.299
and it does incident response.

00:30:14.299 --> 00:30:18.990
Volexity took this data and reached out to Newegg to tell them about this problem, and

00:30:18.990 --> 00:30:23.720
probably said at the same time hey, if you want help cleaning it up, we can help you.

00:30:23.720 --> 00:30:26.770
Within a short time after that, Newegg had their site cleaned up.

00:30:26.770 --> 00:30:31.399
In total, the hackers had their skimmer code on the Newegg website for a total of thirty-three

00:30:31.399 --> 00:30:32.399
days.

00:30:32.399 --> 00:30:36.299
JON: We were at the party with which we published, Volexity.

00:30:36.299 --> 00:30:39.140
They ended up talking with them directly to inform them.

00:30:39.140 --> 00:30:42.260
We were doing this over the weekend to inform them.

00:30:42.260 --> 00:30:45.140
Then they got it cleaned up.

00:30:45.140 --> 00:30:50.490
They were informed but they never made a very big public statement and up to date, I don’t

00:30:50.490 --> 00:30:56.210
know if they’ve done one but even then, there hasn’t been any update on it since.

00:30:56.210 --> 00:30:59.760
JACK: There aren’t any good articles online where Newegg admitted to this.

00:30:59.760 --> 00:31:04.880
All I found was this tweet where Newegg said quote, “Yesterday, we learned one of our

00:31:04.880 --> 00:31:09.010
servers had been injected with malware which was identified and removed from our site.

00:31:09.010 --> 00:31:14.030
We’re conducting extensive research to determine exactly what info was obtained and we’re

00:31:14.030 --> 00:31:16.730
sending e-mails to customers potentially impacted.

00:31:16.730 --> 00:31:17.750
Please check your e-mail.”

00:31:17.750 --> 00:31:18.750
End quote.

00:31:18.750 --> 00:31:22.539
I’m concerned about this; I’m a customer of Newegg and I had no idea this happened

00:31:22.539 --> 00:31:24.679
until I talked to Jonathan here.

00:31:24.679 --> 00:31:28.019
Newegg didn’t e-mail me about this breach and I don’t even think they knew about it

00:31:28.019 --> 00:31:30.650
until Jonathan found this and told them.

00:31:30.650 --> 00:31:33.720
There’s very little from Newegg talking about this at all.

00:31:33.720 --> 00:31:37.950
When a company doesn’t own up to the bad stuff that happens to them, it just makes

00:31:37.950 --> 00:31:40.990
me wonder what other stuff they’re hiding.

00:31:40.990 --> 00:31:45.230
If they had other breaches, they probably wouldn’t have told anybody about those,

00:31:45.230 --> 00:31:46.230
either.

00:31:46.230 --> 00:31:49.730
What shady stuff might they be doing with our user data?

00:31:49.730 --> 00:31:55.710
Now I’m reading that until 2016, Newegg was an American company but then, a Chinese

00:31:55.710 --> 00:31:58.630
company bought a majority stake in Newegg.

00:31:58.630 --> 00:32:03.429
Now it’s under Chinese control.

00:32:03.429 --> 00:32:09.769
Oh, Newegg. [00:35:00] [MUSIC] I once had my bicycle stolen.

00:32:09.769 --> 00:32:13.720
I was stupid and I left it at the train station for six hours with a cheap lock.

00:32:13.720 --> 00:32:17.000
I came back and the lock was cut; the bike was gone.

00:32:17.000 --> 00:32:20.120
The first place I looked for this stolen bike was Craigslist.

00:32:20.120 --> 00:32:24.669
This is where people sell their old stuff and yeah, I’m sure a lot of it is stolen.

00:32:24.669 --> 00:32:28.480
I didn’t ever see my bike again but it was worth a look.

00:32:28.480 --> 00:32:33.059
There’s a similar thing you can do for stolen credit cards like this; when a big breach

00:32:33.059 --> 00:32:37.670
like this happens and tens of thousands of credit cards get stolen, the thieves can’t

00:32:37.670 --> 00:32:39.380
just cash out on that many cards.

00:32:39.380 --> 00:32:43.899
I mean, imagine printing ten thousand blank credit cards and standing in line at a store,

00:32:43.899 --> 00:32:46.910
trying to buy every single $200 gift card you can.

00:32:46.910 --> 00:32:51.780
You’d be doing it for months and surely get caught along the way.

00:32:51.780 --> 00:32:55.750
The thieves have no choice but to sell them on the dark markets.

00:32:55.750 --> 00:33:00.990
Now, Jonathan knows this, so after a breach like this happens, he goes on a hunt to try

00:33:00.990 --> 00:33:04.570
to find where these cards are for sale.

00:33:04.570 --> 00:33:11.700
JON: [MUSIC] We don’t publicly state which market it is just because there’s a lot

00:33:11.700 --> 00:33:13.179
of ongoing investigations.

00:33:13.179 --> 00:33:17.740
This is probably going to be a story that will go on for a long time but one of the

00:33:17.740 --> 00:33:24.230
ways is, there weren’t any other card sales going up at the time and a little bit after

00:33:24.230 --> 00:33:29.490
BA got cleaned up, there was a sudden dump of cards.

00:33:29.490 --> 00:33:34.800
Whenever these guys put up the sales of cards, they also list where the cards come from ‘cause

00:33:34.800 --> 00:33:39.289
it’s important for the people who buy cards to know where the cards are valid.

00:33:39.289 --> 00:33:45.260
‘Cause if you use a US card for fraud in the US, it’ll be less noticeable than if

00:33:45.260 --> 00:33:48.880
you take a US card and go to Europe and Eastern Europe and start using it there.

00:33:48.880 --> 00:33:51.870
There will be a bigger red flag than just using it in the US.

00:33:51.870 --> 00:33:55.309
There’s a lot of reason for them to want to know what was going on.

00:33:55.309 --> 00:34:01.590
When they put up this sale, about a week after BA got cleaned up, they called it XMassive

00:34:01.590 --> 00:34:05.890
and they had EU, UK, and US cards in there.

00:34:05.890 --> 00:34:07.100
They didn’t specify how many.

00:34:07.100 --> 00:34:12.570
They said high-validity, 95%, which usually means it’s a pretty – it’s a recent

00:34:12.570 --> 00:34:18.349
dump, basically ‘cause at times, cards will be invalidated if you sit too long on your

00:34:18.349 --> 00:34:23.600
card data, cards will get invalidated because people get new cards or they lose their card,

00:34:23.600 --> 00:34:24.960
they issue a new one.

00:34:24.960 --> 00:34:28.599
There’s a lot of reasons but the validity goes down quite often.

00:34:28.599 --> 00:34:31.179
This one had a high-validity rate.

00:34:31.179 --> 00:34:35.480
They said 85 to 95% which is pretty high.

00:34:35.480 --> 00:34:42.799
Then if you look at the countries, they said UK, US, Germany, Italy, Spain, Canada, France.

00:34:42.799 --> 00:34:48.940
The list just went on which meant it was a very big international organization.

00:34:48.940 --> 00:34:56.510
Now, one intel vendor which we worked with at the time decided to pursue some of these

00:34:56.510 --> 00:35:01.055
cards and see where they were valid from and where they were used from.

00:35:01.055 --> 00:35:05.840
[MUSIC] They ended up linking it to the BA dump.

00:35:05.840 --> 00:35:11.180
Once we got Newegg cleaned up, again, a week later, they pushed an update.

00:35:11.180 --> 00:35:14.290
They said they had – they called it US Eagle.

00:35:14.290 --> 00:35:19.720
It was the name of the dump they were selling and they said it was half a million cards.

00:35:19.720 --> 00:35:23.020
They said 90 to 95% validity.

00:35:23.020 --> 00:35:25.710
That’s really, really high.

00:35:25.710 --> 00:35:27.180
That’s high confidence.

00:35:27.180 --> 00:35:30.150
They said it was a US mix only.

00:35:30.150 --> 00:35:31.480
Only US cards.

00:35:31.480 --> 00:35:36.470
If you get half a million cards, you need to breach a big organization.

00:35:36.470 --> 00:35:40.089
They said nothing about the states or anything ‘cause a lot of times when it’s US-only,

00:35:40.089 --> 00:35:43.080
they put in the states of where the cards were from.

00:35:43.080 --> 00:35:48.690
They didn’t put any of that in but again, somebody sampled some of the cards and they

00:35:48.690 --> 00:35:53.950
ended up being able to link it back to the Newegg breach.

00:35:53.950 --> 00:35:59.990
JACK: It’s so much fun to watch the internet through a lens of how other people see it.

00:35:59.990 --> 00:36:05.940
Jonathan can see the history of two billion web pages and can find what web pages are

00:36:05.940 --> 00:36:10.990
currently being skimmed and then a week later, go and chase down those stolen cards on the

00:36:10.990 --> 00:36:11.990
dark net.

00:36:11.990 --> 00:36:15.190
It’s quite an incredible way to see things.

00:36:15.190 --> 00:36:19.089
He sees what lies just behind the front page.

00:36:19.089 --> 00:36:24.000
He watches what stirs in the darkness.

00:36:24.000 --> 00:36:29.079
It’s also fascinating to look at the supply chain of stolen cards.

00:36:29.079 --> 00:36:33.240
First, there’s a group who does the hacking to get the credit card data and then this

00:36:33.240 --> 00:36:37.700
probably gets sold super-cheap to some other group just to post it for sale.

00:36:37.700 --> 00:36:41.590
Then that gets in the hands of many people around the world who then use these stolen

00:36:41.590 --> 00:36:44.240
credit cards to make illegal purchases with it.

00:36:44.240 --> 00:36:48.359
Yeah, you might be able to buy a stolen credit card for like, twenty bucks, and then use

00:36:48.359 --> 00:36:52.850
it to buy a $200 gift card but you have a high chance of getting caught and going to

00:36:52.850 --> 00:36:57.750
jail over it because this is a serious crime in the US and specifically, the group that

00:36:57.750 --> 00:37:01.119
tracks financial fraud is the US Secret Service.

00:37:01.119 --> 00:37:05.349
Yeah, they also protect the president [00:40:00] but they spend a lot of time chasing down

00:37:05.349 --> 00:37:06.690
fraudsters, too.

00:37:06.690 --> 00:37:12.180
They take this stuff very seriously and when alerted, they can move very quickly to try

00:37:12.180 --> 00:37:16.120
to track down someone who swiped a card that’s known to be stolen.

00:37:16.120 --> 00:37:22.100
I’m sure Newegg got to know the Secret Service very well after all this was over.

00:37:22.100 --> 00:37:25.740
Now, Jonathan has been tracking these hacking groups for years.

00:37:25.740 --> 00:37:30.550
He calls them Magecart Group 1, Magecart Group 2, and so on.

00:37:30.550 --> 00:37:34.510
At least seven different distinct hacking groups are doing this kind of credit card

00:37:34.510 --> 00:37:40.290
web skimming now but I can’t find any articles saying that anyone from any of these Magecart

00:37:40.290 --> 00:37:42.140
groups have been arrested.

00:37:42.140 --> 00:37:47.560
Jonathan hasn’t been able to track down anyone to a single person because as he puts

00:37:47.560 --> 00:37:48.560
it…

00:37:48.560 --> 00:37:51.720
JON: They are criminals and, in my eyes, if you make something personal, they will make

00:37:51.720 --> 00:37:52.860
it personal.

00:37:52.860 --> 00:37:55.910
[MUSIC] I personally don’t want to know who they are.

00:37:55.910 --> 00:37:59.040
JACK: But that doesn’t stop Jonathan from trying to disrupt them.

00:37:59.040 --> 00:38:01.190
He often goes into battle with them.

00:38:01.190 --> 00:38:06.400
JON: One of the very interesting groups I have, or well, we have.

00:38:06.400 --> 00:38:08.760
We published about them a bunch of times.

00:38:08.760 --> 00:38:15.650
We call them Magecart Group 4 and they’re a very technically advanced group.

00:38:15.650 --> 00:38:21.580
We’ve been messing with them, taking down their infrastructure from time to time to

00:38:21.580 --> 00:38:26.650
force their hand, to see their attempts mess up.

00:38:26.650 --> 00:38:28.460
Just to see if we can get some more insight to them.

00:38:28.460 --> 00:38:30.440
We’ve been at this group for a long time.

00:38:30.440 --> 00:38:35.690
We took down I think about a hundred domains initially when we first decided to disrupt

00:38:35.690 --> 00:38:37.590
them completely.

00:38:37.590 --> 00:38:38.590
They set up new domains.

00:38:38.590 --> 00:38:41.000
JACK: How did you take them down?

00:38:41.000 --> 00:38:47.839
JON: We worked with Shadowserver and abuse.ch and with the registrars that have those domains

00:38:47.839 --> 00:38:48.839
registered.

00:38:48.839 --> 00:38:52.750
We have to prove that whatever’s happening on those domains is bad and is only for a

00:38:52.750 --> 00:38:53.830
bad purpose.

00:38:53.830 --> 00:38:56.590
With that, they give over DNS control for those domains.

00:38:56.590 --> 00:38:59.270
They move them away from the customers who bought them.

00:38:59.270 --> 00:39:04.030
They give DNS control and what we did is we sinkholed them with Shadowserver which is

00:39:04.030 --> 00:39:09.740
a non-profit organization which means that anybody who hits up those sinkholes will

00:39:09.740 --> 00:39:12.700
end up in Shadowserver reports.

00:39:12.700 --> 00:39:17.170
What happens with those, is those are accessible for law enforcement but they will also be

00:39:17.170 --> 00:39:20.000
sent out to the owners of the IP space that’s affected.

00:39:20.000 --> 00:39:23.980
It’s sort of automated reporting on that something happened.

00:39:23.980 --> 00:39:30.569
It’s one of the ways that we try to do this reporting of Magecart-affected stores and

00:39:30.569 --> 00:39:31.569
affected infrastructure.

00:39:31.569 --> 00:39:38.079
‘Cause like I said, we can’t scale to contact 17,000 individuals to tell them that

00:39:38.079 --> 00:39:39.349
something’s going on.

00:39:39.349 --> 00:39:40.510
This was one of the ways.

00:39:40.510 --> 00:39:45.150
We took down those domains initially, made sure that they were sinkholed through Shadowserver,

00:39:45.150 --> 00:39:47.349
that reporting would go out.

00:39:47.349 --> 00:39:49.089
Those guys, again, they registered new domains.

00:39:49.089 --> 00:39:53.180
We waited a little bit and we took it down again.

00:39:53.180 --> 00:39:57.980
Same thing, they registered new domains and they started making mistakes.

00:39:57.980 --> 00:40:02.270
Because we were so actively taking it down, that they were rushed into setting up new

00:40:02.270 --> 00:40:03.620
infrastructure.

00:40:03.620 --> 00:40:08.890
They started making little mistakes which made it even easier for us to track them and

00:40:08.890 --> 00:40:12.380
track new infrastructure they had set up, and slowly piece together links.

00:40:12.380 --> 00:40:15.920
But there was a funny side effect to this, as well.

00:40:15.920 --> 00:40:19.970
[MUSIC] One of the things they were trying to figure out is how we would get to their

00:40:19.970 --> 00:40:20.970
domains.

00:40:20.970 --> 00:40:25.589
I’m not gonna explain it just because it’s a really nice trick that still works and we

00:40:25.589 --> 00:40:27.250
don’t want them to know how it works.

00:40:27.250 --> 00:40:31.349
But we were able to identify the domains the whole time and take it down.

00:40:31.349 --> 00:40:36.960
What they would do, is they’d try to figure out what part of it was going wrong.

00:40:36.960 --> 00:40:38.550
They would change the registrars.

00:40:38.550 --> 00:40:40.680
That doesn’t really matter for us.

00:40:40.680 --> 00:40:44.440
They would change where they were hosting but with that, they were moving through all

00:40:44.440 --> 00:40:48.530
kinds of IP space that if you looked around a little bit in it, you would find so much

00:40:48.530 --> 00:40:54.780
more bad things that 100%, the hosters that they were using; not per se the people that

00:40:54.780 --> 00:40:58.720
were hosting the IP space or hosting the servers but the people who would sell access to those

00:40:58.720 --> 00:41:06.130
servers for use were what we would call bulletproof hosters, or at least, criminal hosters.

00:41:06.130 --> 00:41:10.450
By going through all this IP space, they were telling us exactly where to look.

00:41:10.450 --> 00:41:14.410
Slowly, they were telling us oh, yeah, this is another piece of bad IP space that you

00:41:14.410 --> 00:41:19.109
should probably have a look and maybe blacklist a few things, take some things down.

00:41:19.109 --> 00:41:20.250
This continued on.

00:41:20.250 --> 00:41:23.800
Up ‘til to date, we still find new infrastructure from them.

00:41:23.800 --> 00:41:28.900
We’re again waiting a little bit and we’ll probably do another takedown just to keep

00:41:28.900 --> 00:41:30.730
forcing their hand.

00:41:30.730 --> 00:41:34.710
Because they’re the most advanced group, we also think they have the best throughput,

00:41:34.710 --> 00:41:40.920
not in the sense of 380,000 cards like with BA but they’re advanced enough that whatever

00:41:40.920 --> 00:41:43.870
card got skimmed gets put on sale really quickly.

00:41:43.870 --> 00:41:49.569
We think their advancement is also that they have good ways of selling out the data once

00:41:49.569 --> 00:41:51.130
they get it.

00:41:51.130 --> 00:41:52.970
Right now, we can’t do anything to them themselves.

00:41:52.970 --> 00:41:55.280
We don’t know who they are, exactly.

00:41:55.280 --> 00:42:00.400
They’re really good at setting up their infrastructure and making sure it’s really

00:42:00.400 --> 00:42:02.200
hard to link it to anybody at all.

00:42:02.200 --> 00:42:06.310
We’re just [00:45:00] here to disrupt the whole time in different ways.

00:42:06.310 --> 00:42:11.700
Sometimes it’s takedown of domains, sometimes we take down servers from them just to disrupt

00:42:11.700 --> 00:42:17.510
them, to try to stop them from being able to get to more card data.

00:42:17.510 --> 00:42:20.829
JACK: How does RiskIQ get money?

00:42:20.829 --> 00:42:21.920
How do you get paid?

00:42:21.920 --> 00:42:25.290
Because this kind of research isn’t really funded by anyone.

00:42:25.290 --> 00:42:30.140
JON: We get paid by customers who use our data as in, we have different products.

00:42:30.140 --> 00:42:36.840
One of the products is that you have raw access, or you have a web UI which gives you access

00:42:36.840 --> 00:42:41.230
to our different data sets that you can go through.

00:42:41.230 --> 00:42:47.220
We have a product where, like I said, we do the vulnerability tracking, configuration

00:42:47.220 --> 00:42:52.309
tracking for companies’ websites, we map infrastructure for companies.

00:42:52.309 --> 00:42:53.490
We have it all different ways.

00:42:53.490 --> 00:42:57.350
We also have people that just buy bulk access to APIs on our data.

00:42:57.350 --> 00:43:02.559
JACK: Now, you might be wondering as a consumer or a website owner, how can you protect yourself

00:43:02.559 --> 00:43:05.530
from these Magecart bandits?

00:43:05.530 --> 00:43:11.200
JON: As a consumer, it’s actually really hard.

00:43:11.200 --> 00:43:13.480
We don’t have a full answer for it.

00:43:13.480 --> 00:43:19.070
The one thing I would suggest is – one of the things I like to do is on the website

00:43:19.070 --> 00:43:23.260
where you can pre-store your card data, for example, one of the places where I still do

00:43:23.260 --> 00:43:24.980
transactions is Amazon.

00:43:24.980 --> 00:43:29.040
I’m very skeptical about every teeny, tiny, small store I find.

00:43:29.040 --> 00:43:34.730
But for the most part, just keep track of the expenses and keep track of your card and

00:43:34.730 --> 00:43:40.819
if there’s anything that looks off, banks are more than happy to reissue.

00:43:40.819 --> 00:43:43.970
For website owners, there’s a lot of things.

00:43:43.970 --> 00:43:48.590
There’s the high-level stuff like please don’t run ads on my checkout page.

00:43:48.590 --> 00:43:50.230
There’s no need for it.

00:43:50.230 --> 00:43:52.559
You don’t need analytics on a checkout page.

00:43:52.559 --> 00:43:58.350
Somebody navigated your website, was able to put stuff in this cart, and is doing a

00:43:58.350 --> 00:43:59.350
checkout.

00:43:59.350 --> 00:44:00.710
He doesn’t need much more at that point.

00:44:00.710 --> 00:44:05.660
With that, there’s also a lot of technical things you can do.

00:44:05.660 --> 00:44:10.320
One of the things you can do which is called Subresource Integrity, is you can give the

00:44:10.320 --> 00:44:16.950
browser a checksum, a hash checksum of the file you will be loading.

00:44:16.950 --> 00:44:19.849
Now, let’s say, for example, the British Airways one.

00:44:19.849 --> 00:44:22.569
They would have had SRI on their page.

00:44:22.569 --> 00:44:24.359
The attackers would not have noticed.

00:44:24.359 --> 00:44:28.020
They would modify the file, the checksum would not have matched, and the browser wouldn’t

00:44:28.020 --> 00:44:30.230
even execute the modified library.

00:44:30.230 --> 00:44:31.460
That’s one.

00:44:31.460 --> 00:44:39.000
Another one you have is separating the payment process from the website through something

00:44:39.000 --> 00:44:41.260
like iframe sandboxing.

00:44:41.260 --> 00:44:44.619
The point is just to make sure that that payment data, the point where somebody’s entering

00:44:44.619 --> 00:44:47.660
payment data, becomes as isolated as possible.

00:44:47.660 --> 00:44:48.660
Nothing should be able to touch it.

00:44:48.660 --> 00:44:52.589
The only thing that needs to know about it is the server that’s gonna process the payment

00:44:52.589 --> 00:44:53.880
to authorize it.

00:44:53.880 --> 00:44:56.730
Isolating that is mostly key.

00:44:56.730 --> 00:45:01.000
Then there’s one thing, they’re called CSP headers.

00:45:01.000 --> 00:45:02.410
It’s Content Security Policies.

00:45:02.410 --> 00:45:08.440
You can basically define where data can come from and go to from your website.

00:45:08.440 --> 00:45:14.030
One of the things is, if everybody in the world is really good at setting up CSP headers,

00:45:14.030 --> 00:45:18.349
we would have a whole lot less web skimming capabilities ‘cause they send off data to

00:45:18.349 --> 00:45:26.400
remote servers almost all the time and if you set up CSP headers to say you can only

00:45:26.400 --> 00:45:31.180
send data here, which should be your own website pretty much, it would not be able to send

00:45:31.180 --> 00:45:35.500
that data and the browser would not allow the skimmer to send out data to the remote

00:45:35.500 --> 00:45:37.290
website.

00:45:37.290 --> 00:45:41.830
Of course, there are caveats to this; one of the reasons why a lot of websites don’t run CSP headers

00:45:41.830 --> 00:45:45.720
or do it incorrectly is because they want to have ads.

00:45:45.720 --> 00:45:50.119
Ads reach out to a remote server who then inserts content from another remote server

00:45:50.119 --> 00:45:54.559
which it can’t know beforehand ‘cause somebody will be running an ad campaign from

00:45:54.559 --> 00:45:55.559
somewhere.

00:45:55.559 --> 00:46:00.880
It gets really complicated so a lot of websites that run ads have a hard time defining strict

00:46:00.880 --> 00:46:06.069
CSP or Content Security Policies ‘cause they just have so much content coming from

00:46:06.069 --> 00:46:07.750
everywhere.

00:46:07.750 --> 00:46:12.190
There’s a lot of different ways going through this.

00:46:12.190 --> 00:46:18.440
I think the most important part besides general security hygiene is putting in small barriers

00:46:18.440 --> 00:46:20.600
and isolating your payment data.

00:46:20.600 --> 00:46:28.030
When you’re on a payment page there shouldn’t be a whole lot of extra things happening there.

00:46:28.030 --> 00:46:33.410
It doesn’t need to look very, very pretty and like, movements and animations and all

00:46:33.410 --> 00:46:34.410
of that.

00:46:34.410 --> 00:46:38.040
Make it very simple and isolate the payment data as much as possible.

00:46:38.040 --> 00:46:40.800
JACK: Hm, it sounds like this problem is growing.

00:46:40.800 --> 00:46:44.080
It’s getting bigger and it’s not going away anytime soon.

00:46:44.080 --> 00:46:49.950
So, be safe out there because online credit card skimming will continue until security

00:46:49.950 --> 00:46:50.950
improves.

00:46:50.950 --> 00:46:55.849
JACK: I have some very sad news to add here at the end.

00:46:55.849 --> 00:46:59.550
On Jan 6th, 2021, Jonathan passed away.

00:46:59.550 --> 00:47:03.280
Shortly after I interviewed him he was diagnosed with cancer.

00:47:03.280 --> 00:47:05.849
He put up the fight of his life for 15 months.

00:47:05.849 --> 00:47:07.880
He was 29 years old.

00:47:07.880 --> 00:47:12.390
I am saddened by this news and already miss him tremendously.

00:47:12.390 --> 00:47:24.580
JACK (OUTRO): [OUTRO MUSIC] A big thank you to our guest Jonathan Klijnsma for doing so

00:47:24.580 --> 00:47:26.710
much research in this area and sharing it with us.

00:47:26.710 --> 00:47:27.710
Jonathan has fallen on some hard times; if his work is valuable to you, take a look at

00:47:27.710 --> 00:47:28.710
the show notes and see what you can do to help him.

00:47:28.710 --> 00:47:29.710
I know I’ll be helping.

00:47:29.710 --> 00:47:33.089
You can buy Darknet Diaries shirts and stickers at shop.darknetdiaries.com and in case you’re

00:47:33.089 --> 00:47:35.380
wondering, the shop is hosted and run by Shopify.

00:47:35.380 --> 00:47:40.870
I don’t have enough time or confidence to run a secure e-commerce website, especially

00:47:40.870 --> 00:47:42.480
not hearing this story.

00:47:42.480 --> 00:47:45.650
They do all of it for me; I just tell them what’s for sale.

00:47:45.650 --> 00:47:50.710
Shopify, I hope you’re listening so that you can keep things secure on my store.

00:47:50.710 --> 00:47:54.520
This show is made by me, the crimson carder, Jack Rhysider.

00:47:54.520 --> 00:47:57.829
Sound design was done by the art connoisseur Andrew Meriwether.

00:47:57.829 --> 00:48:00.650
Editing help this episode by the dancing Damienne.

00:48:00.650 --> 00:48:04.510
Our theme music is by the sizzling Breakmaster Cylinder.

00:48:04.510 --> 00:48:09.319
Even though people ask me how to make money on the darknet every time I say it, this is

00:48:09.319 --> 00:48:11.770
Darknet Diaries.
