There Are 5,761 Online Stores Currently Infected with Card-Data-Stealing Malware

Exterminator

In spite of the fact that WordPress continues to be the most hacked CMS platform, compromising online shopping platforms such as Magento, OpenCart, and others is by far more lucrative for online crooks.

According to Willem de Groot, security analyst for Byte.nl, the number of online shops infected with malware has skyrocketed in the past year, as crooks found that online skimming presents a greater target and more anonymity than real-world ATM skimming.

The recent surge in online skimming has fueled a growth in carding sites, which now often sell payment card data stolen via compromised online store payment pages and PoS malware, rather than data acquired from ATM skimmers.

Online skimming has gone up 69% in 10 months

De Groot, who is also one of the people behind MageReport.com, a Magento site security scanner, has been keeping track of online stores infected with malware ever since November 2015, when he first saw an uptick in such cases.

A general Internet scan of 255,000 online stores has revealed the presence of various malware variants on 3,501 shops.

When he repeated the scan in March 2016, he found 4,476 infected stores, up by 28 percent. Ten months later, in September 2016, de Groot found 5,925 infected sites, up by 69 percent from November 2015.

With the recent discovery of the MageCart malware, de Groot repeated his scan again, and on October 10 he found 5,911 infected stores. The good news is that the MageCart report scared enough webmasters, and on October 12 the number had gone down to 5,761, with 334 admins cleaning up their stores, while 170 new stores were infected.

Some high-profile sites are infected

You might be tempted to think that only old and niche websites suffer such infections. It's not true. De Groot highlights some pretty high-profile sites on his most recent infection lists.

He mentions the online store of Icelandic singer Bjork, the store of Audi South Africa, and the website of the NRSC (National Republican Senatorial Committee).

Some webmasters don't understand the problem, or just don't care

Cleaning up these stores is not a simple job, since updating some online platforms such as Magento requires some level of technical skills, and it's not a one-click button job.

But de Groot doesn't have a problem with the technical side of updating online stores, since all online platforms provide very good documentation to get this done. His problem is with the human factor. Here are some of the replies he received from store admins whom he notified:

“We don’t care, our payments are handled by a 3rd party payment provider”

“Thanks for your suggestion, but our shop is totally safe. There is just an annoying javascript error.”

“Our shop is safe because we use https”

Online skimming malware is now more complex

And if the ignorance of online store owners wasn't enough, de Groot, who's been keeping track of different malware families, says he's seen a rise in sophistication for the malware's code.

He mentions that in its first variations, the malware, usually a JavaScript file secretly loaded on the online store, would wait until the user would access a page with the "checkout" term in the URL. Nowadays, malware has support for various types of checkout and payment extensions and uses very complex code obfuscation.

Besides getting harder to detect, the number of online skimming malware has gone through the roof as well. De Groot says that in almost a year, online skimming malware has gone from one single threat to nine varieties and three distinct malware families.

Google, Visa, and Mastercard should intervene

"Companies such as Visa or Mastercard could revoke the payment license of sloppy merchants," de Groot proposes. "But it would be way more efficient if Google would add the compromised sites to its Chrome Safe Browsing blacklist. Visitors would be greeted with a fat red warning screen and induce the store owner to quickly resolve the situation."

De Groot says that he's been sending the Safe Browsing team reports about his findings, but currently, only a handful of these sites are blacklisted.
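The article describes the skimmer as a JavaScript file secretly loaded on the store that activates on checkout pages. As an added example for this thread (not MageReport's scanner or any code from de Groot), here is the kind of check a merchant can run against their own checkout page: it resolves every script source, reports hosts outside an allowlist, and flags inline scripts with common obfuscation traits. The allowlist, hostnames and sample page are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
# Hosts the merchant knowingly loads scripts from (constructed allowlist).
ALLOWED_HOSTS = {"shop.example", "cdn.shop.example", "js.psp-example.com"}
# Cheap obfuscation indicators for inline code; a hit means "look at this".
OBFUSCATION_PATTERNS = [
    re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"),   # long runs of \xNN escapes
    re.compile(r"String\.fromCharCode\s*\("),    # char-code decoding
]

class ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._buf = [], [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._buf = []        # start capturing an inline body
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None

def audit_checkout_page(html, page_url, allowed_hosts=ALLOWED_HOSTS):
    # Returns (kind, detail) findings for one fetched checkout page.
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:   # resolve relative/protocol-relative URLs
        host = (urlparse(urljoin(page_url, src)).hostname or "").lower()
        if host not in allowed_hosts:
            findings.append(("unlisted-host", host))
    for body in parser.inline:
        if any(p.search(body) for p in OBFUSCATION_PATTERNS):
            findings.append(("obfuscated-inline", body.strip()[:60]))
    return findings

# Constructed sample: Magento-style checkout page with one unknown CDN script
# and one obfuscated inline snippet (it merely decodes to "var").
SAMPLE_URL = "https://shop.example/checkout/onepage/"
SAMPLE_HTML = """<html><body><script src="/js/checkout.js"></script>
<script src="https://js.psp-example.com/hosted-fields.js"></script>
<script src="//static.unknown-cdn.example/m.js"></script>
<script>eval(String.fromCharCode(118, 97, 114));</script></body></html>"""
FINDINGS = audit_checkout_page(SAMPLE_HTML, SAMPLE_URL)
```

Run it against a saved copy of your own checkout page; anything under "unlisted-host" is a script your store loads from a domain you did not approve, whether or not the store sits behind HTTPS or a third-party payment provider.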
 

jamescv7

@shmu26: First, know the origin of the shopping sites; having HTTPS should guarantee that your transaction is secure, however that 3rd-party content may link to suspicious content.

Which is why you need tools that can protect against a possible man-in-the-middle attack to avoid possible capture of information.

Lastly, possibly contact the webmaster to assess the situation immediately.
 

soccer97

Would looking for HTTPS (ideally with an extended EV certificate - the green thing in the address bar), plus additional protection such as "Verified by Visa", be a very thorough start? Nothing is perfect, but the layered approach helps some, unless there is complete compromise.
 

Logethica

On October 14th the list was removed from GitHub and also from GitLab shortly after.
GitLab have now reinstated the list:

SOURCE: gitlab.com - GitLab reinstates list of servers that have malware

Sid Sijbrandij
Oct 15, 2016

"Willem de Groot published a list of web stores that contain malware. He first hosted this list on GitHub but it was deleted. Then he hosted it on GitLab where it was also deleted. The reason we gave him for the deletion was 'GitLab views the exposure of the vulnerable systems as egregious and will not abide it.' Willem wrote about his experience in a blog post.

At GitLab we strongly believe in responsible disclosure; for examples of this see our policy or HackerOne's guidelines. So publishing a list of servers that are vulnerable or hacked without contacting the owner first and giving them time to remedy the situation is not OK.

But in this case the victim of the vulnerability is not only the owner but also the users of the web store. The owners of web stores have a responsibility to their users. And it is in the users' interest to have the list published so owners fix their stores. We currently think that the interest of the user weighs heavier. Therefore we reinstated the snippet.

Willem just tweeted about my phone call to him to apologise. Thanks for that!

We applaud Willem's effort to protect users from malware. We'll keep listening and will do our part to make the internet a more secure place for everyone."

hjlbx

GitHub\GitLab:

"So publishing a list of servers that are vulnerable or hacked without contacting the owner first and giving them time to remedy the situation is not OK."

* * * * *

So, in GitHub's\GitLab's initial view, the hacked server owner comes before protecting your data... until they realized their position made them complete jackasses -- so they reversed themselves.