Hunting for Next Gen Threats like Magecart and e-Skimmers, and Balancing Industry Burnout with a Second Career

Written by: Vishwa Pandagle, Cybersecurity Staff Editor

We invited Matt Heff, Deputy CISO, Director of Threat Intelligence Center at SecurityMetrics, to share insights about the challenges of practicing cybersecurity and compliance. Heff discussed how to bridge the gap between the two and move forward while dealing with the growing complexity.

Heff shared his path to SecurityMetrics and how his role encourages exploration and the mentorship of newcomers to cybersecurity.

Heff spoke about the importance of setting aside personal bias when analyzing industry data in order to anticipate the future. He detailed how Magecart threat actors and e-skimmers threaten e-commerce security.

He focused on the shift in approach to security audits and the risks of third-party scripts on shopping carts.

Read on for Heff's views on the RSAC conference, GRC frameworks, the confusion around PCI requirements for e-commerce, and more.

Vishwa: Please share your career path that led you to SecurityMetrics. 

Heff: Everyone’s journey (including my own) into the world of cybersecurity is so unique and different. Most of us fell backwards, from starting off in IT, in order to then fall forward into a cyber career. 

I started in a time period when cyber degrees and certs did not exist. We had very few flavors of GRC frameworks to reference, and the list of threat actors could really be counted on just two hands. 

My earliest cyber experiences included responding to the TJX, Inc. breach way back in the early 2000s. Fast forward to today, and the road of life I have traveled includes many memorable experiences around the world. 

I have had memories of being in far-off countries protecting clients, while also uniquely protecting professional sporting events like the Super Bowl, defending political conventions, or helping IndyCars stay on the race track. 

It has been a WILD RIDE in this industry, and I am grateful for every experience. While I enjoy protecting large-sized enterprises, my proudest cyber work is happening right now. 

I wake up every day excited to get opportunities to protect small and medium-sized businesses. 

Helping the resource-challenged SMBs put up a good fight brings so much happiness to my life.

Vishwa: How do you stay current with the ever-evolving cybersecurity landscape? 

Heff: Staying current on the ever-evolving cybersecurity landscape is like walking on a bunch of pool inflatables in the ocean surrounded by Megalodon sharks. The bigger concern for me is always lifting the ship up by helping coach and mentor the next generation of cyber warriors by training their brains how to observe, process, and analyze industry trends, see the bigger picture, predict the evolution of threat actor tactics, techniques, and procedures (TTPs), and analyze the ever-evolving GRC landscape. 

This includes helping our new peers and industry colleagues critically analyze cyber news and removing their personal bias to predict the future.

Vishwa: As the Deputy CISO, Director of Threat Intelligence Center, what innovations and security measures are the most critical to you? Could you elaborate on the percentage of innovations that are AI-based? 

Heff: Right now, I’ve been very fortunate to work with our teams who create security tools that identify and prevent the latest digital ecommerce threats (such as the threat actor Magecart). 

Those digital skimmers are super nasty because many of them include malicious JavaScript code that actually disappears once the transaction is complete from inside the digital shopping cart. 

Being able to create innovative tools that help businesses see these ever-evolving digital skimming threats really brings about a source of pride and joy for our team. Embedding AI into these types of tools has enhanced our speed of detection, but has also helped us identify the constantly evolving large amount of malicious JavaScript code. 

These detection efforts are being done in a concerted effort to comply with the newest PCI requirements around e-commerce protections.

Vishwa: From a security perspective, how are the day-to-day challenges of translating compliance needs into practice addressed? What is the tricky part in practising security while meeting compliance standards? 

Heff: At the most recent RSAC conference, there were so many firms trying to bridge the gap between cybersecurity and compliance. Most firms were flavor-enhancing their tools with some AI, like a chef experimenting with different recipes. 

It was just an exhausting word salad of compliance and security buzzwords everywhere you went. 

Words like “automate compliance control mapping”, “accelerate audit readiness”, “continual automated gap analysis”, “real-time risk-based reporting”, “visualize the risk”, “contextualize the risk”, and “become a trust management platform.” 

Literally every vendor is trying to bridge that security and compliance gap. As an industry, we are making progress; however, the tricky part is to marry the comfort from complexity. So much of the complexity is growing because businesses keep growing their footprint.

Exhaustingly, many GRC frameworks are unable to keep pace with the growing footprint. 

For example, many businesses are confused about these new PCI requirements for e-commerce that we discussed above.

Vishwa: Can attackers exploit security gaps in an organization even after passing a security audit? How is it conducted? What are the infrastructure changes required to mitigate risks further? 

Heff: We’ve all heard industry horror stories where the business approach (at some point) transitioned into a “check the box” mentality. Check the box compliance is always creeping its ugly mug around, isn't it? 

It’s so easy to lose momentum, energy, focus, or experience audit staff turnover. You could have the best audit tools, GRC platform, a budget that has not been cut (yet), or even an awesome audit partner/vendor. 

BUT if the audit team itself is lulled into this false sense of compliance complacency, then invisible danger signs become plastered around the office. When that happens - you have the very real possibility for threat actors to feast on your buffet of risk. 

Therefore, having a solid “game day manager” to continually re-energize and infuse staff with audit confidence, bombastic energy levels, and high-powered momentum can help get the risk mitigated. 

It’s the staff’s momentum that will ultimately help prioritize the risk based on the needs of the business - even when there are confines of budget, labor, and resource restrictions. 

Keep in mind that not all risks identified in the audit are equal; therefore, a disciplined, regimented, strategic approach becomes the underlying current that should be matched with your “high-energy game day” manager.

Vishwa: Which attack vectors are rapidly evolving? What factors of attack vectors are analyzed after a cyber attack? What parameters are considered to understand a cyber attack by the forensic experts team? 

Heff: Much of our team’s work revolves around e-commerce attack vectors. What we currently see is a generalized lack of knowledge around what third-party scripts, plugins, and supply chain vulnerabilities are operating within a business's online shopping platform. 

Many businesses never audit their online shopping platforms. They have zero clue what scripts are running or where that code came from. 

Not having ANY visibility into these areas is highly risky to the business and its clients. Oftentimes, it’s these third-party scripts that create doorways for threat actors like Magecart to attack the shopping cart with digital skimmers. 

We are seeing an explosion and growth in online shopping cart iterative attacks. Many traditional cybersecurity threat detection tools are unable to detect these iterative attacks and sort through the e-commerce risks. 

These 3rd party scripts may come from your marketing department, finance teams, or other divisions in your company that require these scripts to run in order to collect data required for the business to be successful. 

Therefore, the shopping cart has become a garbage dump of 3rd party code that threat actors love to feast on. It can become very messy, really fast, with all these scripts operating. 

For our teams, we enjoy sorting through the mess, finding all these third-party scripts, identifying the risk while discovering the hardest to find iterative attacks that often disappear once the credit card transaction is complete, leaving very little evidence.

Vishwa: Please share anonymized data from breach investigations about Magecart threat actors targeting online shopping carts or e-commerce platforms. 

Heff: Depending on who you talk to, there are at least seven types of Magecart. Some industry vets will say more than 7. Magecart is really an umbrella term with varying e-commerce threat actors using different TTPs. 

What we generally encounter in the latest Magecart TTPs are businesses that have been breached. BUT they have been unable to identify the breach point. These businesses have investigated using their own tools, completed audits of their third-party code, have knowledgeable forensic staff, and perhaps have even consulted with outside forensic vendors, only to never find the source of the breach. 

These businesses know that credit cards and PII are missing but cannot find them. What we see is that many Magecart actors are using malicious code and scripts that will disappear once the credit card transaction is complete. 

When these businesses come to us, we find the disappearing code fast because of our unique approach to playing back the shopping cart transactions. We mixed this with a vast repository of malicious code and 3rd party scripts, and sprinkled in a layer of machine learning for faster identification.

Vishwa: Could you provide details about eSkimmers injected into websites? What are the tactics employed to steal credit card data? 

Heff: It is important to share that most e-skimming attacks are iterative. Threat actors know that if they grab everything on a large enterprise-sized ecommerce site, then they will be detected. 

The bad guys' operation will be shut down fairly quickly. Threat actors will often try to “fly below the radar” by exfiltrating a few credit cards at a time. 

They want to avoid any possible detection by card brands or the acquirers. Threat actors do not want to be identified as causing a problem on the victim’s website. It can be extremely difficult to identify, especially if you do not know what to look for or how to mitigate and correct once found. 

It can also be challenging if the business does not know all the plugins or third-party scripts running in its e-commerce infrastructure. If you do not have an inventory of everything happening in your shopping cart platform, then it can be incredibly hard to find when the checkout process is occurring in the browser. 

Provided below are just a few examples of these attacks.
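The inventory Heff describes, as an added example that is not SecurityMetrics code: it lists every script tag on a checkout page and flags unapproved origins, scripts without an integrity hash, and inline code. The allowlist origins and the sample page are constructed assumptions; a production check would read the rendered DOM rather than a regex over static HTML.

```javascript
// Added example (not SecurityMetrics code): inventory the <script> tags on a
// checkout page and flag anything outside an approved list. Input is a
// constructed HTML snippet; a production check would read the rendered DOM.
const APPROVED_ORIGINS = new Set([   // assumption: the merchant's allowlist
  "https://cdn.example-shop.test",
  "https://js.example-psp.test",
]);

// Collect every <script> tag with its src and integrity attributes.
function inventoryScripts(html) {
  const tagRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  const attrRe = /(\w[\w-]*)\s*=\s*"([^"]*)"/g;
  const scripts = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(m[1])) !== null) attrs[a[1].toLowerCase()] = a[2];
    scripts.push({ src: attrs.src || null, integrity: attrs.integrity || null,
                   inline: m[2].trim() });
  }
  return scripts;
}

// Compare the inventory with the allowlist and return review findings.
// A relative or unparsable src has no origin and is reported as unapproved.
function auditScripts(html) {
  const findings = [];
  for (const s of inventoryScripts(html)) {
    if (s.src === null) {
      findings.push({ kind: "inline-script", detail: s.inline.slice(0, 60) });
      continue;
    }
    let origin;
    try { origin = new URL(s.src).origin; } catch { origin = null; }
    if (origin === null || !APPROVED_ORIGINS.has(origin)) {
      findings.push({ kind: "unapproved-origin", detail: s.src });
    }
    if (!s.integrity) {
      findings.push({ kind: "missing-integrity", detail: s.src });
    }
  }
  return findings;
}

// Constructed checkout page: one approved library with SRI, one payment
// script without SRI, one unknown third-party tag, and one inline script.
const SAMPLE_CHECKOUT_HTML = `
<script src="https://cdn.example-shop.test/cart.js" integrity="sha384-AAAA"></script>
<script src="https://js.example-psp.test/pay.js"></script>
<script src="https://tracker.unknown-vendor.test/t.js"></script>
<script>document.addEventListener("input", e => {});</script>`;
```

Running `auditScripts(SAMPLE_CHECKOUT_HTML)` yields four findings; the unknown tracker produces two of them because it is both off-list and unpinned.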

Vishwa: What are your observations about new malware developed using advanced technology? What could be the target portfolio, keeping evolving malware in mind? 

Heff: The cleverness of e-commerce threat actors really is remarkable. Here are a few examples of observations we routinely see:

Example #1: An attacker may pose as a legitimate advertiser in an ad exchange network. However, every so often, they will submit a malicious script that captures any text data in the browser window or frame where it is executed and then disappears for a long time. 

Effect: This allows them to harvest credit cards from many different merchants’ websites that use that traffic exchange while not setting off any alarm bells that would trigger an investigation and get the party shut down. 

To a merchant, the only clue you may have that this is happening is a report each month from the card brands or your acquirer that you are constantly leaking a few cards each month.

Example #2: A content delivery network or CDN gets compromised, and threat actors corrupt a shared JavaScript library. If you use that code on your website for legit business purposes, a few lines of malicious code is all the attackers may need to steal your customer’s credit card as it is typed in. 

This compromised code can be extremely difficult to spot or detect.

Example #3: Threat actors are also using dedicated distributed hosts for injection and drop. These bad guys like to send your e-commerce data all over the place. 

Our team has seen compromised websites where they source the code from a compromised content delivery network. 

Threat actors will use the compromised CDN to get the code and then capture the CDN data to send it off to a completely different compromised host.

Vishwa: Are there easily identifiable security misconfigurations or practices you may have come across that expose the digital infrastructure to risks? 

Heff: I would rather discuss the most recent NIST announcement about LEV “Likely Exploited Vulnerabilities”. This is an exciting development for our industry! 

LEV has a goal to help all of us close the gap between reported vulnerabilities (CVEs) and vulns that are actually exploited. 

I would encourage your readers to learn more about LEV and its future potential. So many vulns are often overlooked by KEV lists or EPSS scoring; therefore, we can now potentially gain a more granular understanding of vulnerability exploitation history.

Vishwa: What activities do you follow to address burnout and take care of your well-being and professional resilience after catering to the intense demands of the cybersecurity field? 

Heff: I have the unique joy of following my two passions. I enjoy disconnecting from technology and hunting for dinosaur fossils as a budding paleontologist for the Museum of Natural History in Utah.

Being able to discover new dinosaur species, playing in the dirt, and traveling to exotic locales or fossil quarries around the world helps bring balance to my chaotic cyber universe. If anyone wants to follow my dinosaur chasing adventures or see my LEGO artwork - they can do so on my Instagram feed IG: @heff.heff.cyber.
