Uniqlo and The Guardian among thousands of sites loading malicious code from S3

Updated 05/09/2019: Fast Retailing Co has stated that the credit card fields were contained within an iframe, which meant they would not be collected by this generic skimmer. However, the remainder of the personal information provided by customers would have still been vulnerable if at least one non-credit card field happened to match a regular expression designed to find credit card numbers. Fast Retailing has stated it has “verified its order history database records for last several years and confirmed that there are no inputs in existing orders matching a regular expression designed to find credit card numbers in any non-credit card fields. While the malicious code would have been executed by visitors, based on the information available to Fast Retailing it is unlikely that customers who successfully placed an order would have had their personal data stolen”.

Uniqlo's website was infected with a shopping site skimmer for more than a week in May this year, following the addition of malicious JavaScript. The injected code was designed to silently 'skim' part of the checkout form and send a copy of the customer's details to the criminals under certain conditions. In this case, the attack was not successful as the credit card details were not vulnerable — Uniqlo's Australian site uses an iframe-based credit card form which means it was isolated from the malicious JavaScript.

Thousands more sites have also been compromised in recent months via the same underlying vulnerability that allowed criminals to alter the behaviour of the Uniqlo website — unsecured Amazon S3 buckets. The criminals took a shotgun approach to compromising as many files as possible. They got lucky with a bucket containing JavaScript files used on Uniqlo's site, one of the most visited shopping sites on the internet.

Skimmer on Uniqlo's website

We detected that Uniqlo's Australian online shop was running malicious JavaScript on 18th May 2019. While the skimmer was active, a copy of any data that was entered during the checkout process on Uniqlo’s Australian site would have been silently sent to a dropsite operated by criminals if it matched a regular expression designed to find credit card numbers.

Personal data entered into Uniqlo Australia's checkout page may have been stolen

E-commerce is responsible for nearly 10% of Uniqlo Japan's sales and Uniqlo's parent company Fast Retailing Co is one of the world's largest and most successful retailers, worth $62 billion. Uniqlo is the most-visited online shop on which we have found a skimmer to date. This is the second attack to which Uniqlo has fallen victim in recent times; in May it was announced 460,000 users of the shopping site may have had their details stolen following a credential stuffing attack.

The criminals altered the website's behaviour by adding obfuscated JavaScript code to all of the resources Uniqlo hosts within its S3 bucket, hoping that at least one would be loaded by the website. By deobfuscating the code, we can reveal what data it captured and where the stolen data would have been transmitted.

The code captured every input on the page accessible to the script

The code was designed to capture all of the data entered by customers into the checkout form. However, customers would not have had their credit card details stolen by the skimmer, as that part of the checkout form is loaded in an isolated iframe or is processed externally via PayPal. The skimmer only transmitted what it had harvested if at least one field matched a regular expression designed to find credit card numbers; if none of the remaining fields did, none of the data would have been sent.

Unlike the skimming code used in the attacks against Cleor and British Airways, this JavaScript code is very generic and is designed to function on multiple websites without modification. It harvests all form fields (by looking for input, select, and textarea elements) whether or not they are part of a specific checkout form.
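To make the gating condition concrete, here is an added Python example (not code from this post, and not the skimmer's own code, which the post does not reproduce) that applies a broad card-number regular expression to every field of a checkout form and then tightens it with a Luhn check. The regular expression and the form contents are assumptions constructed for the example. It shows the point behind the update above: a generic skimmer that triggers on any regex match will also fire when a customer pastes a card number into a free-text field such as order notes, and a regex alone will also match a 16-digit loyalty identifier that is not a card number at all.

```python
import re
from typing import Dict, List

# Broad pattern for a payment card number: 13 to 19 digits, optionally
# separated by single spaces or dashes, not embedded in a longer digit run.
# This is an assumption standing in for the skimmer's trigger regex, which
# the post does not reproduce.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed checkout form. The card fields live in an isolated iframe and
# are not present here, but a customer has typed a card number into the
# free-text notes field, and the loyalty ID happens to be 16 digits long.
SAMPLE_FORM: Dict[str, str] = {
    "name": "Jane Citizen",
    "email": "jane@example.com",
    "phone": "+61 412 345 678",
    "address": "12 Example Street, Sydney NSW 2000",
    "order_notes": "Leave at the door. Card number is 4539 1488 0343 6467",
    "loyalty_id": "1234567890123456",
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_like_fields(form: Dict[str, str]) -> List[str]:
    """Fields a regex-only trigger fires on: what a generic skimmer would act on."""
    return [name for name, value in form.items() if CARD_RE.search(value)]


def probable_pan_fields(form: Dict[str, str]) -> List[str]:
    """Fields containing a candidate that also passes the Luhn check."""
    hits = []
    for name in card_like_fields(form):
        for match in CARD_RE.finditer(form[name]):
            if luhn_ok(re.sub(r"[ -]", "", match.group())):
                hits.append(name)
                break
    return hits


if __name__ == "__main__":
    print("regex-only trigger fires on:", card_like_fields(SAMPLE_FORM))
    print("regex plus Luhn fires on:   ", probable_pan_fields(SAMPLE_FORM))
```

The first function reproduces what a regex-gated skimmer sees: both order_notes and loyalty_id trigger it, so the entire form would be sent. The second is closer to what an operator auditing stored orders wants: only order_notes holds something that could really be a card number. Because the skimmer needed just one field to match before sending everything, such an audit has to cover every field, not only the payment ones.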

The captured data is transmitted to cdn-c[.]com

At the time we discovered the attack, the Last-Modified header from the infected JavaScript files within the S3 bucket suggested that they had been harbouring malicious code since at least 13th May.

Uniqlo Australia was Uniqlo's only online shop that appeared to be affected by this attack. We alerted Uniqlo to the compromise and the malicious code was removed from the affected files on 21st May.

Unsecured S3 buckets

This type of attack, in which criminals target less-secure parts of an organisation's supply network, is known as a supply chain attack. This is not the first time supply chain attacks have been used to insert malicious JavaScript into websites; however, until recently we had not seen unsecured S3 buckets exploited to inject code intended to steal personal data entered into a website.

Amazon provides customers with the ability to configure the permissions on their S3 storage with Access Control Lists (ACLs). Using ACLs, users can specify who may view, edit, delete and upload files. In Uniqlo's case, the bucket ACL was misconfigured: it contained the following grant (shown in the form the AWS CLI's get-bucket-acl command returns), which gives the predefined AllUsers group, meaning anyone on the internet including anonymous requests, full control over the bucket and therefore the ability to modify any of the files within it:

    {
        "Grantee": {
            "Type": "Group",
            "URI": "http://acs.amazonaws.com/groups/global/AllUsers"
        },
        "Permission": "FULL_CONTROL"
    },

The criminals took advantage of the lax permissions to add malicious code to every JavaScript file found in the S3 bucket. Uniqlo altered the permissions on the bucket after we provided them with the details of the incident.
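An added Python example (not code from this post) that checks a bucket ACL, in the JSON shape the AWS CLI's get-bucket-acl command returns, for grants to the two public groups and reports whether the bucket is world-writable. The three ACLs are constructed: one carrying the FULL_CONTROL grant shown above, one that is only public-readable, and one with the owner-only grant a private bucket should have. The owner ID is a placeholder.

```python
from typing import Dict, List

# The two predefined groups that make a grant public. AllUsers covers
# anonymous, unsigned requests; AuthenticatedUsers covers anyone holding any
# AWS account, which is effectively public as well.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}

# Bucket permissions that let the grantee add, overwrite or delete objects,
# or rewrite the ACL itself.
WRITE_PERMS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}

# Constructed owner grant, present in every ACL below (placeholder ID).
OWNER_GRANT = {
    "Grantee": {"Type": "CanonicalUser", "ID": "0123456789abcdef" * 4},
    "Permission": "FULL_CONTROL",
}


def _acl(*extra: Dict) -> Dict:
    return {"Owner": {"ID": OWNER_GRANT["Grantee"]["ID"]},
            "Grants": [OWNER_GRANT, *extra]}


# Constructed ACLs for the three cases.
WORLD_WRITABLE_ACL = _acl({
    "Grantee": {"Type": "Group",
                "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
    "Permission": "FULL_CONTROL",
})
PUBLIC_READ_ACL = _acl({
    "Grantee": {"Type": "Group",
                "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
    "Permission": "READ",
})
PRIVATE_ACL = _acl()


def public_grants(acl: Dict) -> List[Dict]:
    """Every grant to a public group, annotated with whether it permits writes."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") != "Group" or uri not in PUBLIC_GROUPS:
            continue
        permission = grant.get("Permission", "")
        findings.append({
            "who": PUBLIC_GROUPS[uri],
            "permission": permission,
            "writable": permission in WRITE_PERMS,
        })
    return findings


def is_world_writable(acl: Dict) -> bool:
    """True if any public group can modify objects or the ACL."""
    return any(f["writable"] for f in public_grants(acl))


if __name__ == "__main__":
    for label, acl in [("world-writable", WORLD_WRITABLE_ACL),
                       ("public-read", PUBLIC_READ_ACL),
                       ("private", PRIVATE_ACL)]:
        print(label, public_grants(acl), "writable:", is_world_writable(acl))
```

Against a real bucket the input is the output of aws s3api get-bucket-acl --bucket NAME. The fix for the first case is to reset the ACL (aws s3api put-bucket-acl --bucket NAME --acl private) and then enable S3 Block Public Access so a later mistake cannot reintroduce the grant; a bucket serving static assets should at most be publicly readable, as in the second ACL, with uploads going through a separate identity. ACLs are not the only way a bucket becomes writable: a bucket policy can grant the same access, so a complete check also needs aws s3api get-bucket-policy.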

Misconfigured permissions on S3 buckets have been the centre of a number of data leaks in the past few years with the NSA and GoDaddy among those affected.

A not-so-unique attack

The Guardian and HuffPost have also loaded compromised resources on their websites, though no customers were affected as the malicious code was loaded in an iframe. The malicious code is intended to work in resources loaded in <script> tags — when the criminals compromise other file types, the malicious code often does not work as intended. If the criminals had been targeting The Guardian, they could have inserted a very convincing phishing site into the article.

The Guardian's website served card stealing code

Software vendors Picreel and Translation Exchange, both of which provide resources that are loaded on their customers' sites, were also compromised. By adding malicious code to just these two buckets, the criminals infected over a thousand sites.

Criminal infrastructure

In all of these cases, the criminals have used the same attack vector and malicious skimming code. We have so far seen a total of six different dropsites that receive credentials from sites compromised in this way:

Domain               Registered   Registrar   IP Address      Country     Hosting Company
ww1-filecloud[.]com  2019-01-30   WebNIC      45.114.8.162    Hong Kong   Cloudie Limited
font-assets[.]com    2019-04-22   Shinjiru    179.43.144.137  Panama      Private Layer
cdn-c[.]com          2019-05-13   Namecheap   94.177.123.154  Russia      QHoster
cdn-imgcloud[.]com   2019-05-16   Shinjiru    45.114.8.160    Hong Kong   Cloudie Limited
js-cloudhost[.]com   2019-05-17   Ilovewww    45.114.8.163    Hong Kong   Cloudie Limited
wix-cloud[.]com      2019-05-17   Shinjiru    94.177.123.158  Russia      QHoster

This suggests that these attacks are carried out by a single criminal group as part of the same campaign. It is common for criminals to carry out campaigns with more than one dropsite as it makes it harder for their operation to be detected and stopped.

Protect yourself

It is very difficult even for the most tech-savvy consumers to spot a JavaScript skimmer when browsing, making skimmers an invisible threat to online shopping safety. Netcraft's browser extensions and Android app provide protection against online threats, including shopping site skimmers, other forms of malicious JavaScript and phishing.

Companies with customers within the EU that fail to adequately protect personal information can face severe penalties; since GDPR was implemented in 2018, fines of €20 million or up to 4% of annual global turnover can be issued to non-compliant companies. British Airways currently faces a £183m fine from the ICO following a similar attack against its customers. A number of other high-profile shopping sites have recently fallen victim, including Misfit Wearables and ARCTIC.

Netcraft offers a range of services, including web application security testing, to protect organisations and their customers against malicious JavaScript and other forms of attack.

Fake news is bigger than PayPal

Presently, the most impersonated UK institution is not a bank nor a Government department, but the Daily Mirror, which is used to promote cryptocurrency scams.

The scale of these cryptocurrency scams is substantial, such that there are currently more fake Daily Mirror front pages than PayPal phishing login forms.

An example is an article on how Richard Branson would bring "Financial Freedom for ALL UK Residents".

Fraudsters impersonate news websites to deliver cryptocurrency scams.

The general theme of these articles is how readers are able to make a small deposit into a cryptocurrency platform and leverage their algorithms to make easy money. The generally well-worded articles provide step-by-step instructions on how a reader is able to deposit their money and withdraw their supposed profits. The link at the end of these instructions typically takes the victim to a professional-looking site operated by the fraudster where they are directed to deposit their money.

Each article provides step-by-step instructions detailing how deposits can be made

In general, these scams are sophisticated, make use of geo-blocking, and serve localised content depending on the country of the reader. By visiting these sites from many different locations, we found that numerous news outlets are impersonated. For example, when visiting one of the scams from a German IP address, a German language article is served referencing Der Spiegel and Bild. When visiting from the US and Canada, a diet product scam is served instead of the cryptocurrency scam site. No scams are served when visiting from Russian IP addresses.

The scams serve country-specific content and content targeted at certain demographics

Scams like these have attracted the attention of the UK's Financial Conduct Authority (FCA). In collaboration with Action Fraud, the FCA identified a rise in the number of fraudulent online trading platforms [1]. The number of reported cryptocurrency and foreign exchange scams more than tripled in the 2018/19 financial year, from 530 to 1,834. Many of the reported claims related to cryptocurrency scams.

nginx, Nginx, NGiИX, or NGINX?!

While nginx capitalizes on the demand for its high performance, recently overtaking Microsoft with its install base, its own name has also had a tendency to be capitalized. Originally called nginx, the server is today used by several commercial products that have rebranded it as NGINX. This has led to much confusion over how the name of this server should be stylised.

nginx is consistently written in lowercase on the nginx.org website – even when it is used to start a sentence, like in this paragraph. The original author of nginx, Igor Sysoev, also writes the server's name in lowercase on his own website; but most notably, the name also appears in lowercase in the HTTP Server headers of the 447 million sites that run nginx today:

HTTP/1.1 200 OK
Server: nginx/1.13.7
Date: Tue, 20 Feb 2018 11:45:38 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 287521
Connection: keep-alive
Vary: Accept-Encoding
Content-Language: utf-8
Last-Modified: Tue, 20 Feb 2018 11:45:38 GMT

Conversely, NGINX Inc. – which provides commercial support for nginx – stylizes the name of the open source server as NGINX. To add an earlier alternative into the mix, the company previously clarified that its own name was Nginx and that the server was NGINX; but it has since adopted the NGINX stylization for the name of its company, too.

To add further confusion, both nginx.org and NGINX Inc. use the same NGiИX logo, which mixes uppercase and lowercase letters and replaces the second N with the Cyrillic letter И:

"NGiИX" logo

The fully-capitalized NGINX name could become a more prominent term as time goes by, especially with the new NGINX Unit product being announced on nginx.org. Similarly-branded products supported by NGINX Inc. are NGINX Plus (a software load balancer, web server and content cache built on top of the open source nginx server), the NGINX Controller monitoring and management platform, the NGINX Amplify SaaS-based monitoring tool, and the NGINX WAF (web application firewall).

nginx has also been referred to as nginx, Nginx and NGINX by Cloudflare, which uses a modified version to optimize the delivery of its customers' websites; but notably, the most recent articles on the Cloudflare blog have trended towards using the fully-capitalised name. Cloudflare also ditched the lowercase nginx from its server name recently, renaming it from cloudflare-nginx to just cloudflare, although this change was merely intended to reflect the lesser role that nginx now plays in Cloudflare's software stack.

Also bear in mind that the fully-capitalised NGINX Inc. was co-founded in 2011 by nginx's original author, who currently serves as its CTO. This could be viewed as tacit approval of the uppercase variant, but the lowercase nginx name remains far more visible today: Wix, WordPress, Groupon, Zendesk, Adobe, OpenDNS and Buzzfeed are among those listed as NGINX customers, but all of their NGINX-powered sites exhibit the lowercase nginx in Server headers.

However you write it, nginx's strong growth has turned it into the second most commonly used server on web-facing computers.

NGINX Inc. further dilutes its branding by calling its annual NGINX user conference nginx.conf, mimicking the name of nginx's main configuration file. These lowercase legacies of nginx are likely to manifest themselves for some time yet.

With no canonical naming conventions apparent, Netcraft will continue to use the lowercase nginx to refer to the open source nginx server, as well as the group of products closely based on it (including NGINX Plus and, until recently, cloudflare-nginx). The uppercase NGINX will be used to describe products and services that are exclusively provided by NGINX Inc.

First fishy phishing sites sighted

Alliteration aside, Netcraft has found and blocked the first phishing site to be hosted on the homepage of a .fish generic top-level domain (gTLD).

Ripe for crappie puns: A single roe of malicious phishing content hosted on a .fish website.

While a few phishing sites have been found using the .fish and .fishing gTLDs before, parser.fish became the first to host malicious phishing content directly on its homepage. Fraudsters lured unsuspecting suckers to the fishy site, where a cheeky 99-char meta redirect sent them off to a separate phishing site hosted in Vietnam. This then attempted to steal online banking credentials by impersonating the French banking cooperative, BRED.
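The hop described above is easy to check for mechanically. Here is an added Python example (not code from this post, and not Netcraft's detection logic) that extracts the first meta refresh tag from an HTML page and flags it when the destination is on a different host from the page that served it. The two pages are constructed; the destination uses an address from the RFC 5737 documentation range rather than the real Vietnamese host, which the post does not name.

```python
from html.parser import HTMLParser
from typing import Optional, Tuple
from urllib.parse import urlsplit


class MetaRefreshParser(HTMLParser):
    """Records the delay and target of the first <meta http-equiv="refresh"> seen."""

    def __init__(self) -> None:
        super().__init__()
        self.delay: Optional[int] = None
        self.target: Optional[str] = None
        self._found = False

    def handle_starttag(self, tag, attrs) -> None:
        if self._found or tag != "meta":
            return
        a = {name: (value or "") for name, value in attrs}
        if a.get("http-equiv", "").strip().lower() != "refresh":
            return
        self._found = True
        # content is either "30" or "0; url=http://example.test/" (URL may be quoted)
        delay, _, rest = a.get("content", "").partition(";")
        try:
            self.delay = int(delay.strip())
        except ValueError:
            self.delay = None
        rest = rest.strip()
        if rest[:4].lower() == "url=":
            rest = rest[4:]
        rest = rest.strip().strip("'\"")
        self.target = rest or None


def meta_refresh_target(html: str) -> Tuple[Optional[int], Optional[str]]:
    parser = MetaRefreshParser()
    parser.feed(html)
    parser.close()
    return parser.delay, parser.target


def is_offsite_redirect(page_url: str, html: str) -> bool:
    """True when the page's meta refresh sends the visitor to a different host."""
    _, target = meta_refresh_target(html)
    if target is None:
        return False
    src_host = (urlsplit(page_url).hostname or "").lower()
    dst_host = (urlsplit(target).hostname or "").lower()
    return bool(dst_host) and dst_host != src_host


# Constructed pages. The first mimics a hijacked homepage that bounces
# straight to a bank phishing kit elsewhere; the second is an ordinary
# auto-reloading page, which should not be flagged.
PHISH_PAGE = (
    '<html><head><meta http-equiv="refresh" '
    'content="0; url=http://203.0.113.10/bred/secure/login.php">'
    '</head><body></body></html>'
)
BENIGN_PAGE = (
    '<html><head><meta http-equiv="refresh" content="30">'
    '<title>Live scores</title></head><body>...</body></html>'
)

if __name__ == "__main__":
    for page in (PHISH_PAGE, BENIGN_PAGE):
        print(meta_refresh_target(page), is_offsite_redirect("http://parser.fish/", page))
```

A relative target (url=/news/) has no host and is treated as same-site, and a plain reload with no URL is ignored. The same check should be applied to the JavaScript and HTTP-level redirects a page can use, since a meta tag is only the simplest of the three.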

You didn't need to be a brain sturgeon to mullet over and decide this site smelt a bit fishy.

This is not the first time a fishy top-level domain has been used in a phishing attack, although it is pretty rare. Since the .fish and .fishing gTLDs were delegated to the internet back in 2014, there has been barely a whiff of phishing activity on them. In fact, there hasn't been much legitimate activity, either – Netcraft's top million websites contain only one .fish domain and just a sole .fishing domain, and the entire 1.8 billion site survey contains fewer than 6,000 websites that use a .fish or .fishing domain.

A week before blocking this attack, the parser.fish domain was also home to a Netflix phishing site, but this was hosted in a subdirectory on the site and has since been taken down. The parser.fish domain has been registered through Tucows, using its Contact Privacy domain privacy service to prevent the registrant's details being displayed publicly; but this could just be a red herring and doesn't necessarily mean it was registered with fraudulent intent. The fact that the phishing content has also already been removed from its homepage suggests that the site may simply have been compromised rather than having been created specifically for the porpoise of phishing.

The only other fishy phishes in history have been hosted on legitimate (but now defunct) websites that had also been compromised. Earlier this year, a subdirectory on www.vape.fish was found hosting an ANZ phishing site, while last year a different one was found on www.hot-spot.fishing, which used to sell Russian fishing supplies.

BTC-e: Better hosting than the Feds

The btc-e.com domain – previously operated by the BTC-e Bitcoin exchange – has barely been online since being seized by the US authorities on 28 July.

The btc-e.com homepage was much faster and more reliable while it was still a cryptocurrency exchange, handling around 2.5% of all Bitcoin exchange volume.

Since being seized, the btc-e.com domain has pointed to a different web server, hosted by 1&1 Internet in the United States. It now displays nothing more than a customary seizure notice, announcing that it has been seized as part of a joint law enforcement operation involving the FBI, IRS, DoJ, FDIC, Homeland Security and the Secret Service.


But evidently, hosting a 383 KB PNG image on a static HTML page is harder than it might seem. Most requests to the new site either fail to connect, or are very slow – much slower than when the site was still operating as an exchange for Bitcoins and other cryptocurrencies. Back then, btc-e.com was served via the Cloudflare content delivery network, which explains the relatively stellar performance in the run-up to its seizure.


The seizure of btc-e.com relates to a large-scale money laundering operation, which included Bitcoins stolen from the now-defunct Mt.Gox exchange. It is not clear whether the poor performance of the new site is simply being caused by an unsuitable hosting platform, or by deliberate protest attacks from aggrieved parties. Users who had Bitcoins tied up in BTC-e may never get them back.

Web Shells: The Criminal's Control Panel

Web shells are an overlooked aspect of cyber crime and do not attract the level of attention given to either phishing or malware. Nevertheless, Netcraft found more than 6,000 web shells during April 2017, which, over a month, works out at a new shell installation at least every seven minutes. When web shells first appeared, their functionality was limited to transferring files and executing arbitrary shell commands. The best engineered web shells now provide well presented, sophisticated toolkits for diverse crimes, with facilities for password cracking, privilege elevation, network reconnaissance, phishing, spamming and DDoS; these are not only available through a web based user interface but can also accept commands as part of a botnet.

An example of the hugely popular and feature-rich WSO (Web Shell by Orb) shell.

A number of shells offer the creation of a botnet in as little as a click, launching standalone processes that either connect to a command and control server or listen for commands over an insecure TCP connection. Some allow performing port scans to find potentially exploitable services. Others enable fraudsters to schedule denial of service attacks. There are shells dedicated to sending bulk spam emails, testing stolen credentials against popular websites (such as PayPal or Amazon), cracking passwords, and automatically defacing websites. With such a wide array of powerful features, it is unsurprising how popular web shells are with cyber criminals.

WSO offers both bind shell and back connect options. Selecting one of these options will launch a standalone process that will connect to or listen for a connection from a remote command and control server - an easy method for the creation of a botnet.

The prevalence of these backdoors allows easy—and potentially persistent—access to thousands of compromised machines. If the web shell is missed during the webmaster's cleanup after an attack, removing the original phishing or malware content will be in vain, as the fraudster can use the web shell to upload new malicious material, or re-purpose the machine as an accessory to alternative forms of cyber crime.
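Finding a leftover shell during cleanup is mostly a matter of looking for code that hands request input to an execution function. Here is an added Python example (not code from this post, and not a Netcraft tool) of a signature scanner over PHP source that scores a handful of such constructs. The indicator list and the three sample files are constructed for the example; the third sample is deliberately one the scanner misses, to show where signature matching stops being enough.

```python
import re
from typing import Dict, List, Tuple

# Indicators: (description, pattern, weight). Constructed for this example;
# they cover unobfuscated forms used by simple shells and one-line backdoors.
INDICATORS = [
    ("request parameter passed straight to code execution",
     re.compile(r"\b(?:eval|assert|system|shell_exec|passthru|exec|popen|proc_open)"
                r"\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13|stripslashes)?"
                r"\s*\(?\s*\$_(?:POST|GET|REQUEST|COOKIE|SERVER)\b", re.I), 10),
    ("decoder wrapped in eval",
     re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
                re.I), 6),
    ("request parameter used as a function name",
     re.compile(r"\$_(?:POST|GET|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(", re.I), 8),
    ("preg_replace with the /e modifier (evaluates the replacement)",
     re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*?/[a-z]*e[a-z]*['\"]", re.I), 6),
    ("shell command execution function",
     re.compile(r"\b(?:shell_exec|passthru|proc_open|popen)\s*\(", re.I), 3),
    ("long base64-looking blob",
     re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"), 3),
]

SUSPICIOUS_THRESHOLD = 8


def scan(source: str) -> Dict:
    """Count indicator hits in one PHP source file and total their weights."""
    hits: Dict[str, int] = {}
    score = 0
    for description, pattern, weight in INDICATORS:
        n = len(pattern.findall(source))
        if n:
            hits[description] = n
            score += weight * n
    return {"hits": hits, "score": score}


def classify(source: str) -> str:
    return "suspicious" if scan(source)["score"] >= SUSPICIOUS_THRESHOLD else "clean"


# Constructed samples. ONE_LINER is the classic backdoor shape: whatever is
# POSTed in parameter c is decoded and executed.
ONE_LINER = "<?php\n@eval(base64_decode($_POST['c']));\n"

# A harmless page that also reads request input, to show that ordinary use
# of $_POST does not trigger the scanner.
BENIGN = (
    "<?php\n"
    "$name = htmlspecialchars($_POST['name'] ?? 'guest', ENT_QUOTES, 'UTF-8');\n"
    "echo '<p>Hello, ' . $name . '</p>';\n"
)

# The same backdoor with the function name assembled at runtime and the
# input copied through a variable: none of the patterns above match it.
EVASIVE = (
    "<?php\n"
    "$f = 'sys' . 'tem';\n"
    "$c = $_GET['c'];\n"
    "$f($c);\n"
)

if __name__ == "__main__":
    for label, src in (("one-liner", ONE_LINER), ("benign", BENIGN), ("evasive", EVASIVE)):
        print(label, classify(src), scan(src))
```

Run over a web root, a scan like this catches the unobfuscated shells and one-liners that make up much of the volume, and the last sample shows its limit: a shell that builds function names at runtime, or that is packed several layers deep, scores zero. Treat signature scanning as one input alongside file-integrity monitoring of the web root, a review of files modified since the last known-good deployment, and web server logs showing POST requests to files that should never receive them.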
