{"id":17144,"date":"2019-12-10T10:10:04","date_gmt":"2019-12-10T18:10:04","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2019\/12\/10\/news-10880\/"},"modified":"2019-12-10T10:10:04","modified_gmt":"2019-12-10T18:10:04","slug":"news-10880","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/12\/10\/news-10880\/","title":{"rendered":"Hundreds of counterfeit online shoe stores injected with credit card skimmer"},"content":{"rendered":"

Credit to Author: J\u00e9r\u00f4me Segura| Date: Tue, 10 Dec 2019 17:30:50 +0000<\/strong><\/p>\n

There’s a well-worn saying in security: “If it’s too good to be true, then it probably isn’t.” This can easily be applied to the myriad of online stores that sell counterfeit goods\u2014and now attract secondary fraud in the form of a credit card skimmer.<\/p>\n

Allured by great deals on brand names, many people end up buying products on dubious websites only to find out that what they paid for isn’t what they’re getting.<\/p>\n

We recently identified a credit card skimmer injected into hundreds of fraudulent sites selling brand name shoes. Unfortunate shoppers may not only be disappointed with the faux merchandise, but they will also relinquish their personal and financial data to Magecart fraudsters.<\/p>\n

Counterfeit shoes by the truckload<\/h3>\n

Think of the web as a never-ending whack-a-mole war between brands, security teams, and fraudsters\u2014as legitimate companies work with security to take down one counterfeit site, another soon pops up.<\/p>\n

One way fraudulent sites receive traffic is via forum spam. Crooks troll sporting and fitness forums and leave messages to entice users to visit the fake store:<\/p>\n

\"\"<\/figure>\n

Here’s that same counterfeit site selling Adidas, Nike, and other big brand name sneakers:<\/p>\n

\"\"<\/a><\/figure>\n

trainersnmd[.]com<\/em> is hosted in Russia at 91.218.113[.]213<\/em>. Looking at the 91.218.113.0\/24 subnet, we can see many more domains used in the same counterfeit business.<\/p>\n

Some of those domains were taken over and replaced with a serving notice. For example in May 2019, Adidas filed a complaint<\/a> for injunctive relief and damages against hundreds of fake Adidas stores.<\/p>\n

\"\"<\/a><\/figure>\n

Mass credit card skimmer injection<\/h3>\n

The skimming code was appended to a JavaScript file called translate.js<\/em>. (A full copy of the deobfuscated skimmer can be found here<\/a>.)<\/p>\n

\"\"<\/a><\/figure>\n

Stolen data, including billing addresses and credit card numbers, is exfiltrated to a server in China at 103.139.113[.]34.<\/p>\n

\"\"<\/a><\/figure>\n

What’s interesting is that this is actually a massive compromise across several IP subnets:<\/p>\n

\"\"<\/a><\/figure>\n

A cursory look at several domains using Sucuri’s SiteCheck<\/a> revealed they are using the same outdated software:<\/p>\n

    \n
  • Magento under 1.9.4.2<\/a><\/li>\n
  • PHP under 5.6.40<\/a><\/li>\n<\/ul>\n

    It’s likely a malicious scanner simply crawled those IP ranges and used the same vulnerability to compromise each and every one of those counterfeit sites.<\/p>\n

    Online shopping and its risks <\/h3>\n

    Shopping online these days is akin to walking into a minefield, yet many people aren’t aware of the dangers lurking behind every corner.<\/p>\n

    Based on our crawlers, we see new e-commerce sites fall victim to web skimmers every day. Looking at our telemetry, we can also correlate the number of web blocks to shopping patterns, such as Black Friday and Cyber Monday events.<\/p>\n

    \n
    \n
    \n

    We saw an increase in credit card skimming activity for Black Friday and Cyber Monday, but not as much as anticipated.<\/p>\n

    Many online stores were running deals for some time prior, even since late Oct.#Magecart<\/a> #skimming<\/a> #BlackFriday<\/a> #CyberMonday<\/a> pic.twitter.com\/0DEMFXwjPa<\/a><\/p>\n

    — MB Threat Intel (@MBThreatIntel) December 3, 2019<\/a><\/p><\/blockquote>\n