Hackers have installed credit card skimming scripts on thousands of online stores, including numerous South African platforms, according to a recent article by MyBroadband.
An investigation by Dutch developer Willem de Groot revealed that a host of online stores have been compromised and are stealing users’ credit card details.
De Groot says hackers gained access to the source code using unpatched security flaws.
“This wiretap operates transparently for customers and the merchant. Skimmed credit cards are then sold on the dark Web,” says De Groot.
He adds that online skimming is very effective, because it is hard to detect and it is near impossible to trace the thieves.
International online stores
According to De Groot’s research, more than 750 online stores that were unwittingly skimming payment card details for attackers in 2015 are still doing so today, showing that this type of activity can go undetected for months.
De Groot’s data suggests there are multiple groups engaged in online skimming. While in 2015 there were variants of the same malware code, today there are three distinct malware families with a total of nine variants.
“The first malware just intercepted pages that had checkout in the URL,” he says.
“Newer versions also check for popular payment plugins such as Fire Checkout, One Step Checkout, and PayPal.”
The malicious code is obfuscated and is deployed using known vulnerabilities in content management solutions or e-commerce software that Web site owners have failed to patch.
What’s worse is that some shop owners don’t seem to grasp the seriousness of these issues or understand their impact. De Groot gives some examples of the worst answers he has received from companies when he attempted to inform them about the compromises.
“We don’t care; our payments are handled by a third party payment provider,” one unnamed shop owner says.
“Our shop is safe because we use HTTPS,” says another.
While HTTPS protects against man-in-the-middle attacks, in which an attacker positioned on the network intercepts traffic between a user and a server, the skimming code is part of the compromised site itself and is delivered to the browser over HTTPS like any other page content, so it can read whatever information users enter into the site.
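The practical consequence of De Groot’s observations above (skimmers injected into the store’s own pages, matching checkout URLs, code obfuscated) and of the HTTPS point is that the merchant has to verify the page content itself, because the encrypted channel delivers the injected script as faithfully as the legitimate ones. The Python below is an added example, not code from the article, from MyBroadband or from De Groot’s research: it compares every inline script and external script host on a checkout page against a known-good baseline and flags common obfuscation constructs. The page contents, the baseline hash set and the host allowlist are constructed sample data, and the heuristics are generic, not a signature for any malware family named in the article.

```python
"""Baseline-plus-heuristic scan of a storefront page for injected scripts.

Added example (not from the article). Two checks a merchant can run
against their own checkout pages:
  1. integrity: each inline <script> is hashed and compared with a baseline
     captured from a clean deploy; each external script host is compared
     with an allowlist;
  2. obfuscation heuristics: eval/decode chains, long hex or percent-escaped
     runs, large base64-looking blobs.
All sample pages, hashes and hosts below are constructed for this example.
"""
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collects inline script bodies and external script URLs from HTML."""

    def __init__(self):
        super().__init__()
        self.inline = []
        self.external = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf).strip())
            self._in_script = False


def extract_scripts(html):
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.inline, parser.external


def sha256(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Generic indicators of obfuscated script bodies (heuristic, not a signature).
OBFUSCATION_PATTERNS = {
    "eval_or_function": re.compile(r"\b(eval|Function)\s*\("),
    "decode_chain": re.compile(r"\b(unescape|atob|String\.fromCharCode)\s*\("),
    "hex_escape_run": re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"),
    "percent_escape_run": re.compile(r"(?:%[0-9a-fA-F]{2}){8,}"),
    "base64_blob": re.compile(r"[A-Za-z0-9+/]{64,}={0,2}"),
}


def obfuscation_hits(script):
    """Names of the heuristics that match, sorted for stable output."""
    return sorted(name for name, rx in OBFUSCATION_PATTERNS.items() if rx.search(script))


def scan_page(html, baseline_inline_hashes, allowed_hosts):
    """Return findings: inline scripts not in the baseline (with obfuscation
    hits) and external scripts loaded from hosts outside the allowlist.
    Relative URLs (same origin) are not reported."""
    inline, external = extract_scripts(html)
    findings = []
    for script in inline:
        digest = sha256(script)
        if digest not in baseline_inline_hashes:
            findings.append({"kind": "unknown_inline_script", "sha256": digest,
                             "obfuscation": obfuscation_hits(script)})
    for url in external:
        host = urlparse(url).netloc.lower()
        if host and host not in allowed_hosts:
            findings.append({"kind": "unlisted_script_host", "host": host, "url": url})
    return findings


# --- constructed sample data -------------------------------------------------
CLEAN_CHECKOUT_JS = "document.getElementById('place-order').disabled = false;"
BASELINE = {sha256(CLEAN_CHECKOUT_JS)}            # captured from a clean deploy
ALLOWED_HOSTS = {"shop.example", "cdn.shop.example"}

CLEAN_PAGE = f"""<html><body>
<script src="/js/checkout.js"></script>
<script>{CLEAN_CHECKOUT_JS}</script>
</body></html>"""

# Same page with an inert, obfuscated inline script (decodes to the harmless
# expression "document.title") and a script from an unlisted host added.
INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    "<script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%74%69%74%6c%65'))</script>"
    '<script src="https://cdn.unlisted-host.example/s.js"></script></body>')

if __name__ == "__main__":
    for label, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(label, scan_page(page, BASELINE, ALLOWED_HOSTS))
```

Run on a schedule against the live checkout pages (fetched as a customer would see them, not from the deploy directory), the baseline catches injected inline code whether or not it is obfuscated, and the host check catches payloads loaded from outside the store’s own infrastructure; the obfuscation names only help triage what was found.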
The good news is that some shop owners are taking action, with 334 stores fixed in a 48-hour period. On the other hand, during the same time period, 170 new stores were hacked.
South African online stores
De Groot published the list of 5 900 compromised stores on GitHub, but it was quickly removed.
“After publishing a list of compromised online stores, I was contacted by several persons who claimed their site had not been compromised, and who threatened to sue me,” says De Groot.
However, De Groot maintains that all of these sites were compromised, pointing to archive.org, which he says “provides solid proof”.
“I have, prior to publication, submitted all URLs and malware samples to Google’s Safe Browsing team. They have since only acted upon a small portion of the sites,” he says.
He says he understands that being included in the list can be painful for a merchant, but this was needed to prevent the problem from growing.
MyBroadband tested the listed South African Web sites and found that all of them were blocked by anti-malware software or browser warnings; it informed all of the Web sites before publishing the article.
According to MyBroadband, the list of infected sites is:
Source: PC World; MyBroadband