Visa turns a problem upside down to find malware

• Observes the communication behaviour of malicious central servers to find potential victims
• Analysis of 255 malicious servers led to the discovery of 2,366 previously unidentified compromises

VISA'S never ending fight against fraud has moved up another notch. Attackers are migrating from targeting brick and mortar sites to online e-commerce systems.

But this new battleground has given an opportunity for the company to detect potential breaches in a new way. "We now don't need fraud reported to find breached websites," announced Penny Lane, Visa's VP of Payment Fraud Disruption (PFD), Global Risk at the recent Visa Security Summit in Singapore.

Currently, the majority of compromised merchants are identified after card users have made reports of fraud. The credit card company analyses the data and tries to identify a common point of purchase - which can take up to several months.

What Visa PFD is doing now is radically different. They are observing servers controlled by attackers, and using traffic analysis to identify business websites that have been compromised - which usually comes as news to the business owners.

An online wiretap

One example Lane described is malware e-commerce websites. A piece of JavaScript installed on the top layer of a payment application page and executed through the user's browser. Because this works on the user's device, server logs will not detect or capture any suspicious traffic. 

This piece of JavaScript then acts as a "wiretap", sending a copy of a user's payment credentials to a central server controlled by the attackers.

However, these malicious central servers are a weakness that Visa PFD can exploit. Once such server has been identified, they can observe it to see if the server connects to a legitimate business site, and then analyse the site to see if malware is present. 

"When we go into the sites, we're not in any way hacking the merchant sites or using any privileges to get there," said Lane, explaining that they just look at the source code for the website. "It's the equivalent of driving by someone's house and seeing what colour it is."

If any signs of intrusion are detected, they will contact the business owner and advise accordingly.

A case study

In real life, their trials so far have shown positive results. In one example given, they received a tip that a pizza restaurant’s online ordering system had been breached.

By monitoring connections it made, they then realised it was a service provider breach and that 500 of the 1,500 clients connected to it were compromised by the same malware.

The pizza shop's and the service provider's systems were patched within eight business days. By analysing server transactions, it was determined that the original attack occurred 23 days earlier, but the issue was resolved without a single case of fraud being reported.

Lane estimated that if this threat had gone undetected, it had the potential to expose an estimated 225,000 accounts per month. Turning a problem upside-down, it seems, works.

"We're going from the bad guys and find our way down, rather than from the money lost and going back up," said Lane.

Greater threats ahead

Lane said that the programme is still in its early stages, but the results look promising. As of this moment, an analysis of 255 malicious servers led to the discovery of 2,366 previously unidentified compromises in nine months.  "Frankly, we're overwhelmed by the number of breached websites we've found."

Apart from the skimming described earlier, Visa PFD also discovered malware that use your computer's resources for crypto mining, and even those capable of device infection (by using a popup requesting users to "update" a popular browser plug-in).

With the potential volume and complexity of the threat that faces them, Lane admitted that the eventual aim will be to have the whole workflow automated. She also stressed that this was only one of several initiatives run by Visa PFD to neutralise the threats facing them.

"We're going after the threat actors, we're trying to keep them on their toes as much as possible, we're disrupting their activities, we're going after them with law enforcement."

Related Stories:

Uncertain what the future brings, Visa prepares to face all challenges

Cryptomining malware – silent but deadly

ThreatMetrix: Cyber-attacks more complex, more frequent and global in nature

For more technology news and the latest updates, follow us on Facebook, Twitter or LinkedIn