More than 100 e-commerce sites around the world are infected with malicious code designed to surreptitiously skim payment card data from visitors after they make purchases, researchers reported on Wednesday. Among those infected are US-based websites that sell dental equipment, baby merchandise, and mountain bikes.
https://magento-analytics[.]com/5c3b53f75a8cb.js and partially shown to the right, shows a sprawling piece of code. While it’s hard for non-coders to fully parse, it includes tell-tale variable names, including verisign_cc_number, shipping:firstname, shipping:lastname, verisign_expiration, verisign_expiration_yr, and verisign_cc_cid. Functions suggest it collects the payment card data, and base 64 encodes it and siphons it away.
“This isn’t a new campaign, as the domain has been around for several months already, but it is one of the more active ones, according to our telemetry stats,” Jérôme Segura, head of threat intelligence at security provider Malwarebytes, told Ars. “We block an average of 100 connections to this domain daily from Malwarebytes users that visit an online store that’s been hacked.”
Segura pointed to this search query that showed 203 sites had been affected by the campaign. It appeared that some of the sites listed were no longer executing code hosted on magento-analytics[.]com, most likely because they had been disinfected after being indexed.
Most of the compromises reported by Netlab 360 appear to be hitting niche sites, but at least six of them are part of the Alexa top 1 million. They include:
The compromises reported by Netlab 360 are part of a rash of infections that came to light starting late last year affecting, among others, sites for British Airways, Newegg, and seven other businesses with more than 500,000 collective visitors per month. In one case, a single site was infected by two skimming groups that competed against each other. The compromises were still going strong as of two months ago.
Historical IP and whois records show that magento-analytics[.]com has no relation to Magento, the e-commerce CMS that Adobe acquired last year. Attackers likely picked the name to confuse administrators of infected sites.
The full list of sites in Netlab 360’s report is:
There’s no easy way for people to know for sure if an e-commerce site they’re browsing is infected. Malwarebytes and many other endpoint security programs will block the best-known campaigns, but new ones pop up so often that these products can’t be expected to catch all of them. People should never use debit cards when making online purchases. Credit card users should be sure to check their statements each month for fraudulent charges. People may also want to consider using temporary cards that have small, fixed lines of credit.