
Hackers cop a FILA thousands of UK card deets after slinking onto clothing brand's servers

Pesky JavaScript harvester strikes again

Updated Sportswear brand FILA is the latest outfit to fall victim to card-stealing JavaScript of the kind that menaced British Airways and Ticketmaster last year.

Russian security house Group-IB said it discovered and reported to FILA UK malware known as GMO that was active on the fashion brand's website for the past four months – and may have sniffed the payment card information of thousands of customers placing online orders through the tainted pages.

What's worse, the researchers reported that, despite multiple attempts to reach FILA, they have been unable to get the card-data-stealing code removed.

FILA did not respond to our request for comment on the allegation.

According to Group-IB's threat hunters, the GMO infection is very similar to the card-harvesting JavaScript nasty MageCart: an attacker slips onto the server of the targeted company and installs code on the business's website to covertly collect card numbers as customers enter them. These details are later uploaded to a collection server at a set time. Such attacks can be particularly difficult to detect as they do not produce a steady stream of traffic out of the infected machine.

In short, don't order anything from FILA online, and if you have, contact your bank and check your statements.

"One-line card stealing code downloads a JavaScript Sniffer once a customer lands on a checkout page, which intercepts credit card data and sends it to local storage. After, the payment cards' details are sent to the JS Sniffer's gate which is located on the same server as a JS Sniffer script itself," said Group-IB CTO Dmitry Volkov.

"Cybercriminals might have injected a malicious code by either exploiting a vulnerability of Magento CMS [content management system], used by, or simply by compromising the credentials of the website administrator using special spyware or cracking password with brute force methods," Volkov added.

Just how many customers could have fallen victim to the attack is difficult to say. Group-IB used a loose estimate based on monthly traffic figures and a one per cent conversion rate (ie, 1 per cent of people who visit the site end up buying something) to arrive at an estimated figure of around 5,600 compromised cards.
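Because the skimmer described above is planted in the shop's own pages and is hard to spot from outbound traffic, one defender-side check is to compare the scripts on the checkout page with a reviewed baseline. The following is an added example, not code from Group-IB or the affected site; the page URL, HTML, script paths and function names are all constructed for illustration.

```javascript
// Added example (not from the article): compare a checkout page's scripts
// with a reviewed baseline. All HTML, paths and host names are constructed.
const SCRIPT_TAG = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;

// Read one attribute value (quoted or bare) from a tag's attribute string.
function attr(attrs, name) {
  const re = new RegExp("(?:^|\\s)" + name + "\\s*=\\s*(?:\"([^\"]*)\"|'([^']*)'|([^\\s>]+))", "i");
  const m = re.exec(attrs);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// List every script on the page as "src:<absolute URL>" or "inline:<code>".
function scriptInventory(html, pageUrl) {
  const items = [];
  for (const [, attrs, body] of html.matchAll(SCRIPT_TAG)) {
    const src = attr(attrs, "src");
    if (src !== null) {
      let resolved = src;
      try { resolved = new URL(src, pageUrl).href; } catch { /* keep raw value */ }
      items.push("src:" + resolved);
    } else if (body.trim() !== "") {
      items.push("inline:" + body.replace(/\s+/g, " ").trim());
    }
  }
  return items;
}

// Report scripts that are absent from the baseline, with a triage hint.
function newScripts(baselineHtml, currentHtml, pageUrl) {
  const known = new Set(scriptInventory(baselineHtml, pageUrl));
  return scriptInventory(currentHtml, pageUrl)
    .filter((item) => !known.has(item))
    .map((item) => ({
      item,
      // Inline code that creates a <script> element at runtime (a loader).
      buildsScriptTag: item.startsWith("inline:") &&
        /createElement\(\s*['"]script['"]\s*\)/i.test(item),
    }));
}

const PAGE = "https://shop.example.invalid/checkout";
const BASELINE = `<html><head><script src="/js/cart.js"></script>
<script>window.cartConfig = { currency: "GBP" };</script></head></html>`;
// Same page with one added inline line that pulls in a further script.
const TAMPERED = BASELINE.replace("</head>",
  `<script>var s=document.createElement('script');s.src='/media/js/lib.js';document.head.appendChild(s);</script></head>`);

console.log(newScripts(BASELINE, TAMPERED, PAGE));
```

The comparison works on page content rather than hosts, so it still reports an added script when that script is served from the shop's own server.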

Group-IB said that FILA is likely not alone in falling victim to this latest variation of JavaScript malware harvesters. The researchers found six other unnamed websites to be similarly infected with the card-stealing scripts, and will be reaching out to US and UK police to help further suss out and stop any active infections. ®

Updated to add

Within hours of this article being published, the GMO JavaScript card sniffer was removed from FILA's website, Group-IB tells us.
