Security Alert: Mass Credit Card Stealing Campaign Detected in Online Shops

[harlan4096]

Over 100 shops infected with malicious scripts. Credit card information stolen over the past 5 months.

Security researchers unveiled a still-ongoing mass credit card stealing campaign, which started collecting data from unsuspecting online shoppers sometime in October 2018.

The target of this campaign was a pool of over 100 online shops, all of them otherwise deemed legitimate and trustworthy. Six of the targeted websites were even listed in the one million websites Alexa Top.

Moving forward with reporting on this, we’ll dub the mass credit card stealing campaign Magento Analytics, since that’s the name of the domain used for injecting malicious scripts into the code of the online shops.

How Does the Magento Analytics Mass Credit Card Stealing Campaign Operate?

The domain magento-analytics.com was first picked up by the radars of cybersecurity researchers back in October 2018, when they noticed something seemed off about it. Even though the traffic was pretty low, there seemed no purpose to the domain and its traffic was increasingly stealthily, via other portals.

The name seemed innocent enough at a first glance. Magento is a major e-commerce platform and its engine is used by countless online shops around the world. It would make sense for something called Magento Analytics to be spotted running through these websites from time to time. But the domain didn’t actually contain anything if you tried to access it directly.

Another dubious thing which tipped off the security researchers who looked into it was the fact that the registration address & IPs for the domain was ever changing. While initially the magento-analytics.com domain was registered in Panama, the IP from which it was operating changed a lot. Initially, it seemed to be located in Arizona, US, but then it moved to Moscow, Russia for a while, before heading to Hong Kong, China. This alone warranted a second look from the cybersecurity researchers on the case.

But shifting IPs were not the only thing wrong with this domain, by far. While the domain itself returns just a 430 error page if you try to access it directly (not recommended, though), the researchers were seeing various pages (sub-domains) of the domain with nothing meaningful on them, either. Instead, all of these contained JS scripts.

Through continuous traffic monitoring, the security researchers realized that the Magento Analytics was actually injecting these malicious scripts into the code of 3rd party websites. These websites (online shops) had no idea that the Magento Analytics mass credit card stealing campaign was actually collecting the credit card info of their users.   

Continue Reading