Nearly 6,000 online stores hit by hackers

Thousands of retailers have been hit by malware that steals credit card details. The way the hackers got in? Unpatched software flaws.

Online card skimming affects e-commerce sites

Over 5,900 e-commerce sites contain malware that steals victims' credit card details, according to a security researcher.

The malicious code has been placed on 5,925 compromised sites by hackers, according to Dutch security analyst Willem De Groot.

He said that hackers gained access to a store's source code using various unpatched software flaws.

“Once a store is under control of a perpetrator, a (Javascript) wiretap is installed that funnels live payment data to an off-shore collection server (mostly in Russia). This wiretap operates transparently for customers and the merchant,” he said in a blog post.

The skimmed credit cards are then sold on the dark web for the going rate of US$30 (£24.59) per card. Online skimming is a new form of card fraud and the first case was reported in November 2015.

At the time, De Groot scanned over 250,000 stores and found 3,501 of them to be skimmed. Ten months later that figure had risen to 5,925. The victims range from car makers and fashion shops to pop stars and non-governmental organisations, such as the Science Museum.

He added that some stores had been skimming victims' details for months without being noticed.

“One reason that many hacks go unnoticed is the amount of effort spent on obfuscating the malware code,” he said. Earlier cases contained relatively readable JavaScript, but in the latest scan De Groot found more sophisticated versions.

“Some malware uses multi-layer obfuscation, which would take a programmer a fair bit of time to reverse engineer. Add to this that most obfuscation includes some level of randomness, which makes it difficult to implement static filtering.”
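The wiretap De Groot describes is a script injected into the checkout page, and the paragraph above explains why signature-based filtering of such scripts fails: randomised, multi-layer obfuscation means no two copies look alike. A merchant-side check that does not depend on what the injected code looks like is to record a baseline of the scripts a page is known to ship (hashes of inline bodies, an allowlist of origins for external sources) and alert on any deviation. The following is an added example written for this article, not De Groot's scanner or any tool named on the page; the page HTML, the baseline script and the origin allowlist are constructed for illustration.

```python
"""Baseline-and-allowlist audit of the scripts on a checkout page.

Added example, not code from the article or from De Groot's research.
Rather than pattern-matching obfuscated skimmer code, it records what the
page is *supposed* to load and reports anything else, so randomised
obfuscation makes no difference to detection.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed baseline: the one inline script this page legitimately ships.
KNOWN_INLINE = "window.checkout = {step: 'payment'};"
BASELINE_INLINE_HASHES = {hashlib.sha256(KNOWN_INLINE.encode()).hexdigest()}

# Constructed allowlist: origins permitted to serve external scripts.
ALLOWED_SCRIPT_ORIGINS = {"shop.example", "cdn.example"}

# Constructed sample page: two legitimate scripts, one legitimate CDN script,
# then a stand-in for an injected obfuscated inline script and an off-site
# script source. All hostnames are placeholders (.example / .invalid).
SAMPLE_PAGE = """<html><body>
<script>window.checkout = {step: 'payment'};</script>
<script src="/static/cart.js"></script>
<script src="https://cdn.example/lib.js"></script>
<script>var _0x=['...'];(function(){/* stand-in for injected obfuscated code */})();</script>
<script src="https://collector.invalid/x.js"></script>
</body></html>"""


class ScriptCollector(HTMLParser):
    """Collect <script src=...> references and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.external = []        # src URLs of external scripts
        self.inline = []          # bodies of inline scripts
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers <script> content through handle_data.
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self.inline.append("".join(self._buf).strip())
            self._in_inline = False


def audit_scripts(html, page_origin, allowed_origins, baseline_hashes):
    """Return findings as (kind, detail) tuples.

    kind is "unknown_inline_script" (detail: first 16 hex chars of its
    SHA-256) or "off_allowlist_script_src" (detail: the src URL).
    A relative src resolves to page_origin and is therefore allowed only
    if the page's own origin is on the allowlist.
    """
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for body in collector.inline:
        digest = hashlib.sha256(body.encode()).hexdigest()
        if digest not in baseline_hashes:
            findings.append(("unknown_inline_script", digest[:16]))
    for src in collector.external:
        host = urlparse(src).hostname or page_origin
        if host not in allowed_origins:
            findings.append(("off_allowlist_script_src", src))
    return findings


def run_sample():
    """Audit the constructed sample page against the constructed baseline."""
    return audit_scripts(SAMPLE_PAGE, "shop.example",
                         ALLOWED_SCRIPT_ORIGINS, BASELINE_INLINE_HASHES)


if __name__ == "__main__":
    for kind, detail in run_sample():
        print(f"{kind}: {detail}")
```

Run against the sample page this reports two findings, the unknown inline script and the off-allowlist source, while the baseline script and the two permitted sources pass. In practice the baseline is regenerated on every legitimate deployment and the audit runs against the live checkout page on a schedule, so a script that appears between deployments is the signal, regardless of how it is obfuscated.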

He said that new cases could be stopped right away if store owners would upgrade their software regularly. “But this is costly and most merchants don't bother,” said De Groot.

“Companies such as Visa or Mastercard could revoke the payment license of sloppy merchants,” De Groot said. “But it would be way more efficient if Google would add the compromised sites to its Chrome Safe Browsing blacklist. Visitors would be greeted with a fat red warning screen and induce the store owner to quickly resolve the situation.”

The researcher is now sending the Safe Browsing team his findings but only a handful of sites have been blacklisted.

John Bambenek, threat intelligence manager at Fidelis Cybersecurity, told SCMagazineUK.com that the news will be worrying for retailers, not least because their reputation and profitability could hang in the balance.

“The problem is that once the malicious code has been injected and the commerce store has been ‘skimmed,’ customer card data is at risk of being sold online, such as on the Dark Web,” he said.

Matt Middleton-Leal, regional director UK & North at CyberArk, told SC that protecting customer data is a top priority for online retailers, but this attack demonstrates the damage which can be done once hackers have made their way inside.

“In this case, known vulnerabilities allowed hackers to obtain stores' admin access and get away with valuable financial information. With cybercriminals increasingly getting into a network through simple means, online retailers must act fast to lock down these powerful admin accounts and keep sensitive customer data secure,” he said.
