Hackers pop 6000 sites on active 18-month carding bonanza

US National Republican Senatorial Committee on list of sites slinging data to Russia


Hackers have installed skimming scripts on more than 6000 online stores and are adding 85 each day in a wide-scale active operation that may have compromised hundreds of thousands of credit cards.

Dutch developer Willem de Groot found the malware infecting stores running vulnerable versions of the Magento ecommerce platform.

Attackers uploaded scripts which would capture and ship credit cards from online shops to Russia-based command and control servers.

The US National Republican Senatorial Committee is the most high profile scalp the campaign after an unknown number of credit cards were stolen from supporters buying merchandise and offering donations through its online store.

The Committee did not answer questions by The Register on remedial actions it had taken nor whether it could guarantee customer credit cards were safe.

De Groot told this publication the attack spanned the six months from March and reckons in an "educated guess" that some 21,000 credit cards would likely have been skimmed.

He cites traffic statistics that show the online shop address store.nrsc.org received 340,800 vistiors last month, and says a "conservative conversion ratio" of 1 percent yields 3500 stolen credit cards per month.

De Groot says the Committee removed the skimming scripts after he reported the compromise in August, but adds it did not reply to his disclosure.

The developer has inked a list of likely affected sites detected in scans for the malicious scripts.

Some 170 new stores appear to have been breached since El Reg contacted de Groot overnight.

It includes thousands of businesses and government organisations allegedly compromised since the attacks began in May last year.

"Given that there are [about] 5900 other skimmed stores, and the malpractice has been going on since at least May last year, I would expect the number of stolen cards in the hundreds of thousands," De Grott says.

In Australia and New Zealand, some 267 businesses including NickScali and Barbeques Galore have been allegedly breached, along with local sites of Converse and luggage company American Tourister.

The US Franklin Institute and National History Museum appear on the breach list, along with scores of smaller stores from the UK and elsewhere around the world.

Large retailers appear unaffected.

De Groot says the current wave of attacks have become more stealthy in what may indicate new attackers have begun targeting shops.

The developer has warned some of the growing list of affected shops, but many remain actively breached with credit cards shipping off to attackers' servers.

Some of the retailers appear unworried by the attacks. "I contacted a couple (of stores), but I mostly got back 'thanks, but we are safe, no worries', or 'we are safe because we use https;', or 'we are safe because we have the Symantec security seal'," De Groot says.

"Those security seals aren't worth much, apparently."

Shops appear to be targeted through at least one since-patched bug reported in April last year then affecting 88,000 stores. The critical remote code execution vector granted access to credit cards and the ability to write 100 percent discount coupons.

De Groot has found some nine variations of the malicious scripts, and has uploaded some malware samples for analysis.

Some employ multiple levels of obfuscation, making analysis difficult, and mark their code as UPS delivery data in a bid to disguise the attacks from admins. ®

Similar topics

Broader topics


Other stories you might like

  • SpaceX Starlink satellite streaks now present in nearly fifth of all astronomical images snapped by Caltech telescope

    Annoying, maybe – but totally ruining science, no

    SpaceX’s Starlink satellites appear in about a fifth of all images snapped by the Zwicky Transient Facility (ZTF), a camera attached to the Samuel Oschin Telescope in California, which is used by astronomers to study supernovae, gamma ray bursts, asteroids, and suchlike.

    A study led by Przemek Mróz, a former postdoctoral scholar at the California Institute of Technology (Caltech) and now a researcher at the University of Warsaw in Poland, analysed the current and future effects of Starlink satellites on the ZTF. The telescope and camera are housed at the Palomar Observatory, which is operated by Caltech.

    The team of astronomers found 5,301 streaks leftover from the moving satellites in images taken by the instrument between November 2019 and September 2021, according to their paper on the subject, published in the Astrophysical Journal Letters this week.

    Continue reading
  • AI tool finds hundreds of genes related to human motor neuron disease

    Breakthrough could lead to development of drugs to target illness

    A machine-learning algorithm has helped scientists find 690 human genes associated with a higher risk of developing motor neuron disease, according to research published in Cell this week.

    Neuronal cells in the central nervous system and brain break down and die in people with motor neuron disease, like amyotrophic lateral sclerosis (ALS) more commonly known as Lou Gehrig's disease, named after the baseball player who developed it. They lose control over their bodies, and as the disease progresses patients become completely paralyzed. There is currently no verified cure for ALS.

    Motor neuron disease typically affects people in old age and its causes are unknown. Johnathan Cooper-Knock, a clinical lecturer at the University of Sheffield in England and leader of Project MinE, an ambitious effort to perform whole genome sequencing of ALS, believes that understanding how genes affect cellular function could help scientists develop new drugs to treat the disease.

    Continue reading
  • Need to prioritize security bug patches? Don't forget to scan Twitter as well as use CVSS scores

    Exploit, vulnerability discussion online can offer useful signals

    Organizations looking to minimize exposure to exploitable software should scan Twitter for mentions of security bugs as well as use the Common Vulnerability Scoring System or CVSS, Kenna Security argues.

    Better still is prioritizing the repair of vulnerabilities for which exploit code is available, if that information is known.

    CVSS is a framework for rating the severity of software vulnerabilities (identified using CVE, or Common Vulnerability Enumeration, numbers), on a scale from 1 (least severe) to 10 (most severe). It's overseen by First.org, a US-based, non-profit computer security organization.

    Continue reading

Biting the hand that feeds IT © 1998–2022