All We Want For Christmas is You (to Protect Our Data)


Trevor Reschke Head of Threat Intelligence

2018 has been an eye-opening year on just how badly consumers are being let down when it comes to the handling of their sensitive data. Barely a week passed this year without a major company being breached, or a new hacking technique being discovered – and as a result, billions of people had their credentials stolen and released into the wild.


This year’s trends in data privacy include – but are not limited to – catastrophic breaches, the return of banking trojans, and the rise of the malicious JavaScript Magecart. We’ve also seen hackers branching out from their focus on banks, to begin targeting e-commerce sites.


The list of breaches and data leaks from this year is extensive – but here are a handful that stood out for their severity.


The Facebook Cambridge Analytica scandal, which hit headlines in March, was a watershed moment in data privacy and will have long lasting effects well beyond 2019. Data mining and propaganda machine Cambridge Analytica was reported to have illegally accessed the details of more than 50 million Facebook users – sparking outrage, a lawsuit, two million people leaving the site – and a drop in the Facebook share price which continues today. It demonstrated to the wider public that data privacy isn’t as black and white as “good guys vs bad guys” – and raised awareness of how data volunteered can also be used maliciously.


That’s not to say that cyber criminals became less of an issue in 2018. In fact, they stepped it up – bringing high-volume, vulnerable e-commerce sites into their cross hairs. This included TicketMaster, Dixons Carphone, and towards the end of the year the travel-industry took some punches.


October’s Cathay Pacific hack affected more than nine million people, and the nature of the data taken in this breach was especially worrying – as the passport information of passengers will always have an extremely high price tag on the dark web. Then for the real cherry on the cake, last month the hotel chain Marriott International revealed that it had fallen victim to a data breach on an almost unfathomable scale – affecting over 500 million customers. One of the largest breaches ever recorded in history.


While it’s definitely not the first time e-commerce sites or the travel industry were the victim of cyber criminals, it’s clear that attacking non-traditional targets came into “vogue”. In part, this is because a new hacking technique also came into vogue this year: malicious

JavaScript attacks.


The Magecart JavaScript was the main culprit here, responsible for some of the year’s biggest breaches – including British Airways, TicketMaster, Newegg and Vision Direct. Using web-based, digital card skimmers – injected directly onto the website to steal data as the customer enters it onto the payment form – the Magecart code is relatively simple to use and readily available to purchase on the dark web. This is definitely a technique to continue to watch out for in 2019.


2018 also saw the unexpected return of the old-fashioned banking trojan – but this time it came back bigger than before. For example, ‘CamuBot’ learned a trick of camouflaging as a legitimate end-user security module provided by a bank. This increased the number of successful hacks against banking customers, as the software appears trustworthy to an unsuspecting user. Like anything else, hacking techniques fall in and out of fashion – and the return of the banking trojan goes to show a new twist on an old classic. Banks process and hold vast amounts of valuable data and, therefore, will always be a target – they can’t afford to let their guard slip.


Looking Ahead to 2019


For years, the main target of hackers were companies’ databases – because that’s where the money was. Smaller scale criminals went directly after the customer, with viruses or phishing attempts. The security industry has been improving in protecting against these attacks, and in response the hackers have also innovated.


This year has seen a new approach that falls somewhere in the middle of a large database attack and attacks on the customer endpoint. Specifically, it targets the merchant’s websites. With attacks like Magecart, criminals are exploiting customers, who are the weak point, by collecting their credentials as they put them in. However, they are still managing to get away with vast amounts of data, comparable to the amount they would get if they compromised a server, because they can collect customer information in bulk from the merchant’s website that they’ve compromised.


Undoubtedly in 2019 we are going to see more Magecart-style attacks targeting credentials on the website – whether it be a bank, airline, or online vendor. In order to protect their customers, merchants will have to adopt new technology to protect from this kind of attack – protecting the transaction stack to ensure that information can’t be pulled from their website infrastructure, the cyber criminal’s new favourite target.


To find out more about how Trusted Knight can help you protect your business and your customers, click here.


Click here