Scenario

Several financial institutions have stated that fraudulent payment card activity has occurred after users made purchases from your website. The financial institutions believe that payment card skimming software was used.

Fraudulent activity started around June 2019.

Your website was placed on the Google Safe Browsing blacklist. Users were prevented from reaching your website, and your organization started to lose a lot of money.

Management ordered the server admins to get the website back up and running as quickly as possible. The server admins wiped the website and loaded a clean, known-good instance within 20 minutes.

The server admins provided what is believed to be a compromised copy of the site to a forensic team, but the results were inconclusive.

You are still tasked with investigating whether payment cards were being stolen from your website, using only observable web data.

Searches

First search: Perform a search for the domain www.flowerexplosion.com.
https://community.riskiq.com/search/www.flowerexplosion.com

Second search: Look up the domain in the Google Safe Browsing transparency report:
https://transparencyreport.google.com

Third search: Check the URL with urlscan.io:
https://urlscan.io
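The three searches above all yield observable web data: which scripts the page loaded, and whether Google Safe Browsing currently flags the URL. The script below is an added example (not part of the original exercise) of how an analyst might triage that data once it is in hand: it buckets every script the checkout page loaded into first-party, vetted third-party and unexpected hosts, and reads the threat types out of a Safe Browsing Lookup API v4 style response. The scan structure, the allowlist, the Safe Browsing response and the unvetted host `cdn-assets.example` are all constructed for the example; the scan dictionary is a simplified stand-in and not the real urlscan.io result schema.

```python
"""Triage of script hosts and Safe Browsing status from observable web data.

Added example for the flowerexplosion.com exercise; all sample data below is
constructed, and the scan layout is a simplified assumption rather than the
real urlscan.io result schema.
"""
from urllib.parse import urlparse

SITE_HOST = "www.flowerexplosion.com"  # the domain named in the exercise

# Constructed sample scan: the checkout page and the script URLs it loaded.
SCAN_RESULT = {
    "page": "https://www.flowerexplosion.com/checkout/",
    "scripts": [
        "https://www.flowerexplosion.com/static/js/checkout.js",
        "https://cdn.flowerexplosion.com/static/js/vendor.js",
        "https://cdnjs.cloudflare.com/ajax/libs/jquery/3.4.1/jquery.min.js",
        "https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE",
        # constructed: a host nobody vetted, loading on a payment page
        "https://cdn-assets.example/js/magento-lib.js",
    ],
}

# Constructed allowlist: third-party script hosts the site owner has vetted.
ALLOWED_THIRD_PARTY = {"cdnjs.cloudflare.com", "www.googletagmanager.com"}

# Constructed response in the shape of the Safe Browsing Lookup API v4
# threatMatches:find reply. An unflagged URL returns an empty object.
SAFE_BROWSING_RESPONSE = {
    "matches": [
        {
            "threatType": "MALWARE",
            "platformType": "ANY_PLATFORM",
            "threatEntryType": "URL",
            "threat": {"url": "https://www.flowerexplosion.com/"},
            "cacheDuration": "300s",
        }
    ]
}


def registrable_domain(host):
    """Crude apex extraction (last two labels); adequate for .com hosts."""
    return ".".join(host.lower().split(".")[-2:])


def classify_script_hosts(scan, site_host, allowed_third_party):
    """Bucket each script URL by the host serving it.

    Returns a dict with keys 'first_party', 'allowed' and 'unexpected'.
    A first-party script is not automatically clean: skimmers are often
    injected into the site's own JavaScript, so first-party files should
    still be diffed against a known-good copy.
    """
    apex = registrable_domain(site_host)
    buckets = {"first_party": [], "allowed": [], "unexpected": []}
    for url in scan["scripts"]:
        host = (urlparse(url).hostname or "").lower()
        if host == apex or host.endswith("." + apex):
            buckets["first_party"].append(url)
        elif host in allowed_third_party:
            buckets["allowed"].append(url)
        else:
            buckets["unexpected"].append(url)
    return buckets


def safe_browsing_threats(response):
    """Return the sorted list of threat types Safe Browsing reported."""
    return sorted({m["threatType"] for m in response.get("matches", [])})


def triage_report(scan, site_host, allowed_third_party, sb_response):
    """Produce human-readable findings for the analyst's notes."""
    buckets = classify_script_hosts(scan, site_host, allowed_third_party)
    findings = []
    for url in buckets["unexpected"]:
        findings.append(f"REVIEW: unvetted script host on {scan['page']}: {url}")
    threats = safe_browsing_threats(sb_response)
    if threats:
        findings.append(f"FLAGGED: Safe Browsing reports {', '.join(threats)}")
    return findings


if __name__ == "__main__":
    for line in triage_report(SCAN_RESULT, SITE_HOST, ALLOWED_THIRD_PARTY,
                              SAFE_BROWSING_RESPONSE):
        print(line)
```

Run against a real scan, the "unexpected" bucket is the first thing to pull for review, and the first-party bucket should be compared line by line against the known-good release the admins restored; a skimmer that lives in the site's own checkout script will never appear as a foreign host.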

Goals

You need to determine the following:

  1. Were payment cards being stolen from www[.]flowerexplosion[.]com?
  2. How were the payment cards being stolen?
  3. How do you suspect the website was compromised?
  4. How can you prevent similar attacks on www[.]flowerexplosion[.]com in the future?

Step by Step Video