When is a checkout page, not a checkout page? When it’s an “evil twin”! Malicious redirects can send unsuspecting shoppers to these perfect-looking fake checkout pages and steal their payment information, so could your store be at risk too? Discover how an innovative web security solution saved one global online retailer and its unsuspecting customers from an “evil twin” disaster. (You can read the full case study here)
In today’s fast-paced world of online shopping, convenience often trumps caution. Shoppers quickly move through product selection to checkout, rarely scrutinizing the process. This lack of attention creates an opportunity for cybercriminals to exploit.
The attack begins on a legitimate shopping site but uses a malicious redirect to guide shoppers to a fraudulent checkout page. This “evil twin” page is meticulously designed to mimic the authentic site, making it nearly impossible for the average user to detect the deception.
The only telltale sign might be a subtle change in the URL. For example:
Did you spot the missing ‘o’? This technique, known as typosquatting, involves registering domain names that closely resemble legitimate websites.
Once on the fake checkout page, unsuspecting shoppers enter their sensitive financial information, which is then forwarded to the attackers. This stolen data can be used for fraudulent transactions or sold on the dark web, potentially leading to significant financial losses for the victims.
While the specific infection method in this case study remains unclear (a common scenario in cybersecurity incidents), we can infer that the attackers likely employed a common technique such as a cross-site scripting (XSS) attack. These attacks exploit vulnerabilities in website code or third-party plugins to inject malicious scripts.
Malicious actors use code obfuscation to bypass traditional security measures. Obfuscation in programming is analogous to using unnecessarily complex language to convey a simple message. It’s not encryption, which renders text unreadable, but rather a method of camouflaging the true intent of the code.
Developers routinely use obfuscation to protect their intellectual property, but hackers use it too, to hide their code from malware detectors. This is just part of what the Reflectiz security solution found on the victim’s website:
*note: for obvious reasons, the client wants to stay anonymous. That’s why we changed the real url name with a fictional one.
This obfuscated snippet conceals the true purpose of the code, which includes the malicious redirect and an event listener designed to activate upon specific user actions. You can read more about the details of this in the full case study.
Traditional signature-based malware detection often fails to identify obfuscated threats. The Reflectiz security solution employs deep behavioral analysis, monitoring millions of website events to detect suspicious changes.
Upon identifying the obfuscated code, Reflectiz’s advanced deobfuscation tool reverse-engineered the malicious script, revealing its true intent. The security team promptly alerted the retailer, providing detailed evidence and a comprehensive threat analysis.
The retailer’s quick response in removing the malicious code potentially saved them from:
This case study underscores the critical need for robust, continuous web security monitoring. As cyber threats evolve, so too must our defenses. By implementing advanced security solutions like Reflectiz, businesses can protect both their assets and their customers from sophisticated attacks.
For a deeper dive into how Reflectiz protected the retailer from this common yet dangerous threat, we encourage you to read the full case study here.