Thousands of online shops compromised for credit card theft

Attackers injected malicious JavaScript code into e-commerce websites to steal payment card data

Almost 6,000 online shops have been compromised by hackers who added specially crafted code that intercepts and steals payment card details.

These online skimming attacks were first discovered by Dutch researcher Willem de Groot a year ago. At that time, he found 3,501 stores containing the malicious JavaScript code. However, instead of getting better, the situation is increasingly worse.

By March the number of infected shops grew by almost 30 percent to 4,476, and by September, it reached 5,925. More than 750 online stores who were unwillingly skimming payment card details for attackers in 2015 are still doing so today, showing that this type of activity can go undetected for months, the researcher said in a blog post.

De Groot's data suggests there are multiple groups engaged in online skimming. While in 2015, there were variants of the same malware code, today there are three distinct malware families with a total of nine variants.

"The first malware just intercepted pages that had checkout in the URL," the researcher said. "Newer versions also check for popular payment plugins such as Firecheckout, Onestepcheckout, and Paypal."

The malicious code is obfuscated and is deployed using known vulnerabilities in content management solutions or e-commerce software that website owners have failed to patch.

What's worse is that some shop owners don't seem to grasp the seriousness of these issues or understand their impact. De Groot gives some examples of the worst answers he has received from companies when he attempted to inform them about the compromises.

"We don’t care, our payments are handled by a 3rd party payment provider," one unnamed shop owner said.

"Our shop is safe because we use HTTPS," said another.

HTTPS protects against man-in-the-middle attacks, where the attacker is in a position on the network to intercept traffic between a user and a server. However, in this case, the malicious code runs on the server itself and is served over HTTPS, so it can see whatever information users enter into websites.

As for using a third-party payment processor, "if someone can inject Javascript into your site, your database is most likely also hacked," de Groot said.

The good news is that some shop owners are taking action, with 334 stores fixed in a 48-hour period. On the other hand, during the same time period, 170 new stores were hacked.

De Groot has published the list of compromised websites on Github.

Join the PC World newsletter!

Error: Please check your email address.

Tags hackers

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Cool Tech

Crucial Ballistix Elite 32GB Kit (4 x 8GB) DDR4-3000 UDIMM

Learn more >

Gadgets & Things

Lexar® Professional 1000x microSDHC™/microSDXC™ UHS-II cards

Learn more >

Family Friendly

Lexar® JumpDrive® S57 USB 3.0 flash drive 

Learn more >

Stocking Stuffer

Plox Star Wars Death Star Levitating Bluetooth Speaker

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?