Skimming Malware Found on American Cancer Society WebstoreIncident Shows That Healthcare Sector Faces E-Commerce Threats
The recent discovery of skimming malware on the online store of the American Cancer Society illustrates that the healthcare sector is not immune from e-commerce threats.
"It is understandable, but unfortunate that we have conditioned healthcare leaders to prioritize resources toward securing protected health information at the expense of other classes of sensitive information like payment card information," says Clyde Hewitt, executive adviser at security consultancy CynergisTek. "We need to readjust the focus to protect all sensitive information."
Malware on Site
In a blog post, Willem de Groot, lead forensic analyst and founder of security vendor Sanguine Security, says the company's global malware monitor on Oct. 24 found malicious code associated with Magecart cybercriminal groups embedded on the Cancer.org shop of the American Cancer Society.
The malware, which "intercepts payments from unsuspecting visitors," hides behind the legitimate "GoogleTagManager" code, the blog says.
"It searches for 'checkout' (Y2hlY2tvdXQ=) and will then load the actual skimming code from thatispersonal.com/assets/cancer.js. This server is hosted in Irkutsk, a Russian network that is popular among skimming groups," the blog says.
De Groot tells Information Security Media Group that the payment skimmer at the American Cancer Society was injected on Oct 24 and removed the next day, "so luckily the theft was quickly contained."
Individuals who made a purchase on the site on Oct. 24 or 25 "should keep a close eye on their card statements for the next few weeks, as their card is now likely being sold on the dark web," he adds.
A spokeswoman for the American Cancer Society tells ISMG, "We've seen the report [about the skimming malware] and are currently investigating."
Other Compromised Sites
In a similar incident, Asheville, N.C.-based healthcare system Mission Health recently determined that malicious code was contained on its online store for more than three years, sending consumer payment information to unauthorized persons.
Skimming attacks associated with the Magecart umbrella organization, which includes at least 12 criminal groups, have steadily increased over the last 18 months, researches say (see: Magecart Group Continues Targeting e-Commerce Sites).
In recent months, Magecart-associated groups have been suspected in attacks against shoe manufacturer Fila as well as the bedding sites Mypillow.com and Amerisleep.com, according to an earlier analysis by security firms Group-IB and RiskIQ. In addition, British Airways, Ticketmaster and Newegg have also been attacked (see: RiskIQ: Magecart Group Targeting Unsecured AWS S3 Buckets).
Many healthcare organizations use third-party payment processors to host their e-commerce sites because of the high risk and relatively low volume, Hewitt notes.
"This shifts the security official's efforts from implementing technical controls to vendor risk management. As a result, third parties are sometimes left out of the HIPAA-mandated risk assessment and risk management processes, sometimes due to budget or contractual constraints and the desire to limit the cost," he says.
"On a positive note, the National Institute of Standards and Technology's Cyber Security Framework version 1.1 addressed this emerging risk by adding five new vendor management controls."
The challenges health sector entities face in securing their online stores are similar to those facing organizations in other sectors.
"The top issues are the same as those of e-commerce sites in any industry - it is critical to ensure that applications' software development included code review to identify security flaws and fix them before exposing the application to the internet," says Keith Fricke, principal consultant at tw-Security.
"Additionally, the server upon which the e-commerce runs need to have security patches that are up to date and should be scanned regularly for vulnerabilities and monitored for intrusions," he says. It's also important that application developers have knowledge of secure coding practices and have the tools to check code for issues such as buffer overflows, input validation and in the case of tying to backend databases, checking for SQL injection vulnerabilities, Fricke notes.
Organizations should also include these e-commerce sites in scope for any penetration tests conducted, he adds. "It is a good practice to have third parties review software code for flaws. System administrator access to ecommerce sites should require two-factor authentication."
De Groot, whose firm discovered the American Cancer Society's skimming malware, says online merchants can take key steps to avoid similar problems on their sites.
That includes installing a malware and vulnerability monitor so that vulnerabilities can be identified and closed before they are exploited.
"We detect 30 to 200 compromised stores per day," he says. "In 20 percent of all cases, the skimmer returns, typically within two weeks, because merchants have not taken sufficient counter measures. So it is a good idea to do a proper root cause analysis, should you find yourself victim of such a fraud."
Hewitt notes that the software development life cycle process for e-commerce sites needs additional support to ensure access to source code is highly restricted, validated by independent reviewers and protected from change.
"Systems should be configured to alert system administrators of any unauthorized or unexpected change," he says.
"All deviations should be treated as security incidents and a root cause analysis should be performed to identify control failures. Small and mid-size healthcare organizations may struggle to add these resources, so outsourcing might be a better strategy."
Healthcare organizations need to protect financial data as much as they protect patient health data, Hewitt says. "We need to change the culture so that PCI security control vulnerabilities are escalated immediately, just like HIPAA controls."