Scenario
A security breach occurred at bestdealsforyou.com, a website that sells deals on a variety of products. The malware attack was carried out by a former employee who exploited the website's security weaknesses. The individual used a brute force method, repeatedly entering known default passwords for the admin account until they gained access.
Once they had access, they went into the admin panel and embedded a JavaScript function in the site's source code. The code prompted visitors to download and run a file when they visited the website; that file contained malware that redirected users to a counterfeit version of the website, greatdealsforyou.com. After embedding the malware, the former employee changed the password of the admin account.
Several hours after the attack, multiple customers emailed bestdealsforyou.com's helpdesk. They said that the company's website had asked them to download a file to access free deals. The customers also stated that after downloading the file, the website address changed and their computers started running slowly.
Investigation
An investigation was launched, and a sandbox environment was created to observe the website's behavior. Using tcpdump, I captured and analyzed the network traffic while visiting the website. I was prompted to download a file that claimed it would give me access to free deals; I then downloaded and ran it. The browser then redirected me to a fake website.
Here is a breakdown of the log:
1. DNS Request and Response for bestdealsforyou.com
The computer asks the DNS server to translate the website name bestdealsforyou.com into an IP address it can connect to. The DNS server responds with the IP address 203.0.113.22.
2. HTTP Request and Response
Next, the computer opens a connection to bestdealsforyou.com over HTTP, the protocol websites normally use to send and receive information. The website accepts this request and the connection is established.
3. HTTP GET Request
Here the browser asks bestdealsforyou.com to send the data for its homepage. This could be where the malicious file download is served.
4. DNS Request and Response
The computer makes another DNS request, this time for greatdealsforyou.com. The DNS server responds with a different IP address, 192.0.2.172.
5. HTTP Request and Response
The computer starts communicating with greatdealsforyou.com, the fake website. This is where the redirect from bestdealsforyou.com to greatdealsforyou.com takes place.
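To turn the breakdown above into a repeatable check, here is an added Python example (written for this page, not code from the original write-up) that parses tcpdump-style lines, ties each HTTP request back to the DNS answer that produced its destination address, and flags any host contacted after the legitimate site that looks like an imitation of it. The capture lines are constructed to mirror the five steps and are not the real capture: the addresses 203.0.113.22 and 192.0.2.172 are the ones in the write-up, while the client address, resolver address, timestamps, ports and request paths are assumed.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the style of `tcpdump -n` output (NOT the real capture from
# the investigation). It mirrors the five steps of the breakdown: DNS lookup of the
# legitimate site, TCP handshake and GET, then a second lookup and connection to the
# lookalike domain. Client 10.0.0.5, resolver 10.0.0.1, ports and times are assumed.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 10.0.0.5.51234 > 10.0.0.1.53: 40001+ A? bestdealsforyou.com. (37)
12:00:01.002345 IP 10.0.0.1.53 > 10.0.0.5.51234: 40001 1/0/0 A 203.0.113.22 (53)
12:00:01.010000 IP 10.0.0.5.51235 > 203.0.113.22.80: Flags [S], seq 100, win 64240, length 0
12:00:01.012000 IP 203.0.113.22.80 > 10.0.0.5.51235: Flags [S.], seq 500, ack 101, win 65160, length 0
12:00:01.050000 IP 10.0.0.5.51235 > 203.0.113.22.80: Flags [P.], seq 101:181, ack 501, win 502, length 80: HTTP: GET / HTTP/1.1
12:00:09.000001 IP 10.0.0.5.51236 > 10.0.0.1.53: 40002+ A? greatdealsforyou.com. (38)
12:00:09.002345 IP 10.0.0.1.53 > 10.0.0.5.51236: 40002 1/0/0 A 192.0.2.172 (54)
12:00:09.010000 IP 10.0.0.5.51237 > 192.0.2.172.80: Flags [S], seq 200, win 64240, length 0
12:00:09.050000 IP 10.0.0.5.51237 > 192.0.2.172.80: Flags [P.], seq 201:281, ack 1, win 502, length 80: HTTP: GET /deals HTTP/1.1
"""

# Line shapes: DNS query "<id>+ A? <name>. (<len>)", DNS answer "<id> x/y/z A <ip> (<len>)",
# and an HTTP request line as tcpdump prints it with protocol decoding ("HTTP: GET / HTTP/1.1").
DNS_QUERY = re.compile(r"^(\S+) IP \S+ > \S+: (\d+)\+ A\? (\S+)\. \(")
DNS_ANSWER = re.compile(r"^(\S+) IP \S+ > \S+: (\d+) \d+/\d+/\d+ A (\d+(?:\.\d+){3}) ")
HTTP_REQUEST = re.compile(r"^(\S+) IP \S+ > (\d+(?:\.\d+){3})\.\d+: .*HTTP: (GET|POST) (\S+) HTTP/")


@dataclass
class Report:
    resolutions: dict = field(default_factory=dict)  # queried name -> answered IP
    requests: list = field(default_factory=list)      # (timestamp, host, path)
    findings: list = field(default_factory=list)      # human-readable alerts


def _edit_distance(a, b):
    """Levenshtein distance; used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _second_level_label(domain):
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def is_lookalike(candidate, expected, min_shared=8, max_edits=2):
    """True when the candidate's main label imitates the expected one: it shares a long
    prefix or suffix (e.g. 'greatdealsforyou' vs 'bestdealsforyou') or is a near-typo."""
    c, e = _second_level_label(candidate), _second_level_label(expected)
    if c == e:
        return False
    shared_suffix = 0
    while shared_suffix < min(len(c), len(e)) and c[-1 - shared_suffix] == e[-1 - shared_suffix]:
        shared_suffix += 1
    shared_prefix = 0
    while shared_prefix < min(len(c), len(e)) and c[shared_prefix] == e[shared_prefix]:
        shared_prefix += 1
    return max(shared_suffix, shared_prefix) >= min_shared or _edit_distance(c, e) <= max_edits


def analyze(capture_text, expected_domain):
    """Walk the capture in order, label HTTP destinations with the DNS names that
    resolved to them, and flag requests to any host other than the expected site."""
    report = Report()
    pending = {}      # DNS transaction id -> queried name (answer arrives later)
    ip_to_name = {}   # answered IP -> name, so later TCP/HTTP flows can be labelled
    seen_expected = False
    for line in capture_text.splitlines():
        if m := DNS_QUERY.match(line):
            pending[m.group(2)] = m.group(3)
        elif m := DNS_ANSWER.match(line):
            name = pending.pop(m.group(2), None)
            if name:
                report.resolutions[name] = m.group(3)
                ip_to_name[m.group(3)] = name
        elif m := HTTP_REQUEST.match(line):
            ts, ip, method, path = m.groups()
            host = ip_to_name.get(ip, ip)  # fall back to the raw IP if never resolved
            report.requests.append((ts, host, path))
            if host == expected_domain:
                seen_expected = True
            else:
                tag = "lookalike" if is_lookalike(host, expected_domain) else "unexpected"
                when = "after" if seen_expected else "before"
                report.findings.append(
                    f"{ts} {method} {path} to {tag} host {host} ({ip}) {when} visiting {expected_domain}")
    return report


if __name__ == "__main__":
    rep = analyze(SAMPLE_CAPTURE, "bestdealsforyou.com")
    for name, ip in rep.resolutions.items():
        print(f"resolved {name} -> {ip}")
    for finding in rep.findings:
        print("FINDING:", finding)
```

Run against the constructed capture, the script resolves both names and emits a single finding: a GET to the lookalike host greatdealsforyou.com (192.0.2.172) after the visit to bestdealsforyou.com, which is exactly the redirect the breakdown describes. The DNS-to-flow correlation matters because tcpdump shows only IP addresses on the TCP lines; without the name mapping, a reviewer sees 192.0.2.172 and cannot tell at a glance that it belongs to an imitation domain.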
Virus Removal
Recommendations

Discussion