
You are the owner of an online store, and life is beautiful: you negotiate with suppliers or set up your own production, while specially trained people (or you yourself) handle promotion and contextual advertising.
The shop gradually starts generating revenue and carving out its niche in the growing online retail market. And it becomes a target.
Competitors.
Petya and Vasya both sell phone cases. Petya put his soul into his store: he worked on the usability, and his user journey motivates people to buy. New customers arrive thanks to a well-built advertising campaign, and old ones are loyal and ready to buy more. Petya tried, invested time and money, and began to earn.
Vasya slapped his site together on his knee, stole the images from Petya's site and waited for the profit. More precisely, he is waiting for customers, but there are none. Vasya does not understand the root cause of his failure and blames Petya. From here, events develop along several scenarios:
Vasya is hurt, Vasya is angry. Vasya orders a DDoS. But Vasya's DDoS is usually as clumsy as his site, and Petya quickly deals with the new nuisance. Vasya, having spent his pocket money on the DDoS, starts scratching his head. There is no money, and Petya is thriving. What to do? Steal the orders and the customers!
Vasya starts reading themed sites and downloading unfamiliar little programs, asks his neighbour Seryozha to "hack" something, or searches the Internet for help:
A real example from one of the "hacker" sites: "Need to hack an online store. Embed code. Redirect orders to the desired mail. There must be no record of the order in the CMS."
Usually this kind of "hacking" boils down to phishing the store owner's mailbox, or an attempt to use XSS to steal the administrator's session and get into the site's admin panel.
For the most part, this does Petya no particular harm, but it does deliver a few unpleasant moments.
Cybercriminals.
Petya is no longer Petya but a full-fledged Pyotr Petrovich, with a staff, a large number of clients and a secretary with long to-do lists. The online store occupies a leading position and is expanding its range and the geography of its orders. Customers get a loyalty program, discounts and bonuses, and the site offers 1001 payment methods, all for the beloved customer.
Naturally, there are people who want a share of Pyotr Petrovich's profits, or who try to earn on his back.
There are more attack scenarios here than in the first example.
The site has good traffic and someone wants to "borrow" it. Attackers look for vulnerabilities in order to plant an iframe on the site that loads an exploit pack (a bundle of exploits): a set of scripts that exploit known vulnerabilities in browsers and their components for drive-by attacks, delivering malicious code to visitors' computers. The goal can be the usual recruitment of bots into a botnet, or infecting users for extortion.
In some cases a site is attacked in order to attack other sites, or, in complex operations, is used as a so-called watering hole. A watering hole attack does not hit the real target directly but the infrastructure that target relies on. In the context of Pyotr Petrovich, his suppliers could be attacked to steal their technological secrets. It looks like this: employees of the supplier company visit Pyotr Petrovich's site and get infected with malicious code. A real-life analogy: there is a bank that someone wants to rob, and to get inside they need access cards. Next door is a grocery store, completely unguarded, and bank employees sometimes shop there. So the attackers hit every visitor to the grocery store over the head with a pipe; sometimes it turns out to be a bank employee, sometimes even one carrying an access card.
The store's customer database is a target in itself: it can be put up for sale, and it contains information attackers need for many different purposes, including as a starting point for further attacks.
With professional attackers, the variety and complexity of attacks increases many times over. They attack the hosting itself or neighbouring sites; they use AXFR (DNS zone transfer) to collect the whole zone and discover the site's subdomains, such as test or old versions of the site, technical instances and repositories, for subsequent analysis and development of an attack on the system.
They also gather information with specialised services and tools: Shodan, Foca, Maltego, Harvester and so on, the whole data-gathering toolbox.
Sometimes they simply wait. They wait for a high-profile vulnerability such as Heartbleed or Shellshock, or for the appearance of so-called zero-day (0-day) vulnerabilities. The attackers' reaction is usually far ahead of the reaction of the online store's owners, and they manage to carry out the attack in time.
Attack vectors against the system itself are worked through from simple to complex and can form an elaborate operation: exploiting XSS and CSRF, finding and developing SQL injection, right up to attacks on the company's own staff.
Authorization forms and services are brute-forced, and mailings are sent out using social engineering techniques and phishing.
By bypassing the filtering of uploaded files, a so-called shell is uploaded to the site to control the compromised resource. For example, in some versions of well-known engines, an Arbitrary File Upload class of vulnerability made it possible to upload any .phtml file and have it executed.
Then there is the uploaded .pdf file, which most people do not associate with the ability to perform malicious actions at all, yet it can contain, for example, the following JS construct.
An example of malicious code delivered through the online store's ticket system as a payment order. When such a PDF is opened in the browser, an embedded POST request creates an additional CMS administrator:
var a = Get("http://XXXXXXXX.XXX/admin/index.php")
var sessid = (Substr(a,At(a,"token=")+7,32))
Post("http:// XXXXXXXX.XXX/admin/index.php?route=”XXXXXXXXXXXXXX”
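The two upload cases above (an executable file disguised by its extension, and a PDF carrying JavaScript) can be screened server-side before anything is written to disk. The following is an added example written for this article, not code from the original post or from any CMS; the allowed-extension policy and the sample PDF bytes are constructed assumptions.

```python
# Allowed upload types for the store's ticket system (assumed policy, not from the article)
ALLOWED_EXTENSIONS = {"pdf", "png", "jpg", "jpeg"}
# Server-side executable extensions that must never be accepted, whatever the client claims
EXECUTABLE_EXTENSIONS = {"php", "phtml", "php3", "php4", "php5", "phar", "pht", "shtml"}
# PDF dictionary keys whose presence means the file can run script or act when opened
PDF_ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch")


def check_filename(name: str) -> tuple[bool, str]:
    """Reject executable or double-extension names such as invoice.pdf.phtml."""
    name = name.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]   # drop any path component
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "missing or bare extension"
    exts = parts[1:]                                      # inspect every extension, not only the last
    if any(e in EXECUTABLE_EXTENSIONS for e in exts):
        return False, f"executable extension in {name!r}"
    if exts[-1] not in ALLOWED_EXTENSIONS:
        return False, f"extension .{exts[-1]} not allowed"
    return True, "ok"


def check_pdf_content(data: bytes) -> tuple[bool, str]:
    """Verify the PDF magic bytes and flag files carrying script or auto-run actions."""
    if not data.startswith(b"%PDF-"):
        return False, "not a PDF by magic bytes"
    hits = [k.decode() for k in PDF_ACTIVE_KEYS if k in data]
    if hits:
        return False, "active content: " + ", ".join(hits)
    return True, "ok"


def check_upload(name: str, data: bytes) -> tuple[bool, str]:
    """Combined gate: name policy first, then content inspection for PDFs."""
    ok, why = check_filename(name)
    if not ok:
        return False, why
    if name.lower().endswith(".pdf"):
        return check_pdf_content(data)
    return True, "ok"


# Constructed samples: a minimal clean PDF and one with an OpenAction running JavaScript
BENIGN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"
SCRIPTED_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
                b"2 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n%%EOF\n")

if __name__ == "__main__":
    for n, d in [("order.pdf", BENIGN_PDF), ("order.pdf", SCRIPTED_PDF), ("order.pdf.phtml", b"")]:
        print(n, check_upload(n, d))
```

The PDF check is a plain-byte heuristic: hex-escaped names (for example /J#53) or compressed object streams would slip past it, so in production it belongs in front of a real PDF parser, not in place of one.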
XXE class attacks, the injection of XML entities, will be used more and more often, given how widely XML is used as a transport.
There are also attacks that are hard to pull off but exploit a whole class of bugs: race conditions, where an unprivileged party can influence the application's behaviour by changing shared resources such as temporary files. An example is LFI (local file include) via phpinfo().
Other possible attacks target the logic of the business processes and disrupt normal functionality; perform double transactions, or double-spending attacks; or hit the integration with payment gateways, merchant systems and payment modules. For example, after the goods have been paid for at the payment gateway, weak filtering of the parameters passed in the GET request to the module the site exposes leads to an exploitable SQL injection. Many online store owners blindly believe in the infallibility of the module developers and trust their vision of security, which can lead to very poor results.
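The payment-module scenario above, as an added example for this article (not code from the original post or from any real payment module): the gateway redirects the buyer back with order and amount parameters, and the vulnerable handler pastes them straight into SQL, while the hardened one type-checks them, confirms the amount against the gateway's own record and uses a parameterized query. The orders table and the gateway ledger are constructed in-memory stand-ins.

```python
import sqlite3

# Constructed stand-in for the gateway's server-to-server confirmation: order_id -> amount actually paid
GATEWAY_LEDGER = {1: 1500, 2: 2300}


def make_db() -> sqlite3.Connection:
    """In-memory orders table with constructed test data."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, total INTEGER, status TEXT)")
    db.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                   [(1, 1500, "pending"), (2, 2300, "pending"), (3, 990, "pending")])
    return db


def mark_paid_unsafe(db: sqlite3.Connection, params: dict) -> int:
    """The pattern the article warns about: GET parameters from the redirect go straight into SQL."""
    sql = (f"UPDATE orders SET status='paid' "
           f"WHERE id={params['order_id']} AND total={params['amount']}")
    return db.execute(sql).rowcount          # number of orders marked paid


def mark_paid_safe(db: sqlite3.Connection, params: dict) -> int:
    """Hardened handler: strict types, server-side amount verification, bound parameters."""
    try:
        order_id = int(params["order_id"])   # anything but a plain integer is rejected here
        amount = int(params["amount"])
    except (KeyError, ValueError, TypeError):
        return 0
    # Trust the gateway's own record of the payment, not the amount echoed back in the URL
    if GATEWAY_LEDGER.get(order_id) != amount:
        return 0
    cur = db.execute(
        "UPDATE orders SET status='paid' WHERE id=? AND total=? AND status='pending'",
        (order_id, amount))
    return cur.rowcount


def paid_ids(db: sqlite3.Connection) -> list:
    """Which orders the handler ended up marking as paid."""
    return [r[0] for r in db.execute("SELECT id FROM orders WHERE status='paid' ORDER BY id")]


if __name__ == "__main__":
    tampered = {"order_id": "1", "amount": "0 OR 1=1"}   # constructed tampered redirect parameters
    db = make_db()
    print("unsafe handler marked paid:", mark_paid_unsafe(db, tampered), paid_ids(db))
    db = make_db()
    print("safe handler marked paid:", mark_paid_safe(db, tampered), paid_ids(db))
```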
Protection.
Security issues are better entrusted to professionals than left until the thunder strikes. You can learn more about current threats to online business at a free seminar:
"How protected are online stores in Russia?", conducted by Sitesecure with the participation of InSales, Qrator and PentestIT.
"A seminar for owners, marketers and IT specialists of online stores, which will present the results of a study of the security of online store websites and of how it affects online store sales."
http://sitesecure.timepad.ru/event/150547/
The seminar "How secure are online stores in Russia?" will be held on November 20, 2014 (Thursday), from 18:30 to 21:00, at: Moscow, Serebryanicheskaya Embankment, 29, 7th floor (IIDF Coworking; tceh). Participation is free.