Web skimming as an attack vector is continually developing. The scripts are becoming more complex, the methods of infection are becoming more sophisticated and the use of unique obfuscation is becoming more commonplace. In the realm of threat researching, the heat is always on to provide actionable intelligence from the moment an incident occurs. As the demand for open threat exchange platforms grows as a method for disseminating raw intelligence, one of the most powerful platforms for exchanging threat intelligence has taken shape right in our hands; that platform is Twitter. Intelligence produced by tracking Twitter alerts can notify blue team operations of data dumps and related breaches as they occur.
Breach metrics show that 49 percent of US companies have experienced a data breach, that lost business due to a breach averages $1.42 million, and that a breach takes an average of 207 days to detect. Some of the largest data breaches are not found by internal security teams, external consultants or your dark web monitoring service. Instead, they are found by a security researcher who emails, messages on LinkedIn, posts on Twitter or sometimes even goes on live TV.
Recent research shows that in the past 22 months only 24 large-scale data breaches were discovered by internal teams, compared to 77 discovered by external sources. Most of these events were posted on social media before the companies, agencies and/or governments involved were aware of them. Beyond these statistics, 4,800+ websites a month are compromised through web skimming and only a small percentage of those are found internally – you can learn more about online skimming attacks here.
Twitter’s API permits the harvesting of keywords (‘Ensighten’, ‘Magecart’ and ‘Hacking’) and hashtags (as shown below in the diagram: #databreach and #ransomware) as data points, which can be used to generate actionable intelligence. Using Twitter as a hive-mind, a collective firing of synaptic intelligence sharing, the data points gathered from Tweets through a variety of sources can both provide raw intelligence at the onset of an incident and, over time, increase the analyst’s confidence in the intel they already have.
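As an added illustration (not code from the original post or from Ensighten), the following Python builds a keyword-and-hashtag query in Twitter API v2 search syntax and then scores a recent-search response for corroboration: a site named by several independent accounts earns higher confidence than one repeated by a single account, which is the "confidence over time" effect described above. No request is made; the response payload, account IDs and site names are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of a Twitter API v2 recent-search response.
# Texts, author IDs and site names are made up for this example.
SAMPLE_RESPONSE = {
    "data": [
        {"id": "1", "author_id": "a1", "created_at": "2020-06-01T09:00:00Z",
         "text": "New Magecart skimmer spotted on shop.example[.]com #databreach"},
        {"id": "2", "author_id": "a2", "created_at": "2020-06-01T09:30:00Z",
         "text": "Confirmed: shop.example[.]com loads a skimmer from cdn-example[.]net"},
        {"id": "3", "author_id": "a1", "created_at": "2020-06-01T10:00:00Z",
         "text": "Follow-up: shop.example[.]com still compromised"},
        {"id": "4", "author_id": "a3", "created_at": "2020-06-01T11:00:00Z",
         "text": "Unrelated #ransomware note, no site named"},
    ]
}

def build_query(keywords, hashtags):
    """Twitter API v2 search query: any keyword or hashtag, retweets excluded."""
    terms = [f'"{k}"' if " " in k else k for k in keywords]
    terms += [f"#{h.lstrip('#')}" for h in hashtags]
    return "(" + " OR ".join(terms) + ") -is:retweet"

# Researchers usually "defang" indicators as example[.]com; accept both forms.
DOMAIN_RE = re.compile(r"\b([a-z0-9-]+(?:\[?\.\]?[a-z0-9-]+)+)\b", re.I)

def extract_domains(text):
    """Return the set of (re-fanged, lower-cased) domains named in a tweet."""
    return {m.replace("[.]", ".").lower() for m in DOMAIN_RE.findall(text)}

def corroborate(response, watchlist=None):
    """Group tweets by the site they name and count distinct reporting accounts.
    Confidence rises with independent sources, not with repeats by one account.
    An optional watchlist (e.g. your own domains) restricts the alerts returned."""
    sources = defaultdict(set)
    for tweet in response.get("data", []):
        for domain in extract_domains(tweet["text"]):
            sources[domain].add(tweet["author_id"])
    alerts = {}
    for domain, authors in sources.items():
        if watchlist and domain not in watchlist:
            continue
        level = "high" if len(authors) >= 2 else "low"
        alerts[domain] = {"sources": len(authors), "confidence": level}
    return alerts
```

Feeding real responses in requires only replacing `SAMPLE_RESPONSE` with the parsed JSON of a recent-search call made with the query from `build_query`.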
Through applied ontology we can discover traits, trends and other behavioral data related to a target. This ontological data can reveal ties between an organization and individuals, attack methods and nation-states or even trends and attacks. While the execution of web skimming attacks is becoming more advanced, this concept may prove to be an indispensable tool in Magecart incident response and attribution in the evolving cyber landscape.
Using simple terms such as your company name, the names of projects or the names of VIPs can deliver daily situational awareness to your inbox, waiting for you when you get to work. Some of the pictures below show the connections we were able to test and set up.
Pairing the intelligence gathered from Twitter alerts with the intelligence collected by your blue team operations can serve as a valuable source for your Collections Management Framework. Twitter intelligence can play a complementary role in your wider security strategy – to avoid becoming the latest data breach victim, you should take a wider view and ensure you have the right solutions in place to prevent common website attack methods, such as online skimming, as company websites become a greater focus for cybercriminals.