Four AV vendors certified; Avira, Bitdefender, Eset, and Kaspersky. https://www.mrg-effitas.com/wp-content/uploads/2019/05/2019_OBQ1.pdf
I wonder why they all failed the simulator test? I suppose this malware simulator can only inject JavaScript when it runs inside browser memory? Or perhaps it's done via some extension. Would be nice if they clarified this.
Refer to page 8 of the report. The test was a simulated obfuscated Magcart credit card skimming attack. It's performed from a compromised e-commerce web server. And as luck would have it, one was attempted against me 3 days ago. Eset detected it via PUA blacklist detection: Time;URL;Status;Application;User;IP address;SHA1 5/23/2019 2:45:27 PM;hxxp://link.safecart.com/2hhvj4/aHR0cDovL3d3dy5wbHVtYnl0ZXMuY29tL3BhcnRuZXIvdXJsL2Rvd25sb2Fk;Blocked by PUA blacklist;C:\Program Files\internet explorer\iexplore.exe;xxxxx;199.83.132.38;021415D73D02C6247001BAD6E5C9BC6E220F34FC
Yes, but the question is: how did they simulate it, which method did they use. If some third party tool is modifying code on a website (injecting scripts) then tools should normally be able to detect this. If they used a browser extension, then it's likely they will fail.
The web server is infected and the data capturing by malware is occurring on that device. There is nothing on your device that can prevent this other than using security software that has blacklisted IP addresses associated with the infected web server.
Exactly my point. So I don't see why they would simulate such a test. If the web server is infected, then security tools will all fail to detect. But I do know that it's probably a bad idea to use a credit card for online payments.
