6000+ compromised online shops – and counting

A week ago, RiskIQ researchers revealed that over 100 online shops have, at one point in the last six months, been injected with malicious JavaScript code that exfiltrates payment card information users enter to pay for their shopping. But, as it turns out, that was just the tip of the iceberg.

The number of compromised online shops keeps rising

Willem de Groot, co-founder of byte.nl, a webhosting provider for (among other things) Magento shops, has been keeping an eye on the situation for over a year, and the situation keeps getting worse.

His November 2015 scanning of 255K online stores around the world revealed 3501 compromised shops. The same scan in September 2016 showed 5925.

“Victims vary from car makers (Audi ZA) to government (NRSC, Malaysia) to fashion (Converse, Heels.com), to pop stars (Bjork) to NGOs (Science Museum, Washington Cathedral),” he says. “At least 159 hacked stores use Magento Enterprise Edition, which is used only by the largest online stores.”

Of the original 3501 compromised stores in November 2015, 754 still sport the stealing code. “Apparently you can skim cards undisturbed for months,” de Groot pointed out.

According to him, RiskIQ found and wrote about just one variety of malicious code, found in some 100 stores. But there are at least 9 other skimming varieties in the wild in 5900 stores.

“Furthermore, I discovered that in the last 48 hours, another 170 new shops were fitted with skimming software. So it’s an uphill battle, really,” he told Help Net Security.

Even more so because most online merchants are not particularly worried about the compromises. Some of the responses de Groot received after notifying shop owners about the compromise were downright dismissive (“We don’t care, our payments are handled by a 3rd party payment provider,” or “Thanks for your suggestion, but our shop is totally safe. There is just an annoying javascript error.”).

I myself tried to get in touch with some of them to see whether they even know their shops have been compromised. I randomly selected a dozen of shops, and fired off emails, but I had no responses so far. Also, one of the shops on the list is being detected by Google as hosting malware, and another says that they have temporarily stopped providing shopping and checkout options because they are revamping their website.

Who’s behind this?

The stolen information is being sent to collection servers that are mostly located in Russia, but that doesn’t mean that the criminals behind these compromises are Russian.

“In 2015, reported malware cases were all minor variations of the same code base. In March 2016, another malware variety was discovered. Today, at least 9 varieties and 3 distinct malware families can be identified,” de Groot says. “This suggests that multiple persons or groups are involved.”

As time passed, the attackers got better and better at obfuscating the stealing code, and this is why it’s difficult to spot.

“Another sign of malware sophistication is the maturity of the payment detection algorithm. The first malware just intercepted pages that had checkout in the URL. Newer versions also check for popular payment plugins such as Firecheckout, Onestepcheckout and Paypal,” he added.

What to do?

Online merchants who have been hit should clean up their sites and notify potentially affected customers, but the latter is not a legal requirement in all countries.

Those that haven’t yet been hit should make sure to upgrade their software (e-commerce platforms) regularly, and aim to improve their overall security posture.

“Companies such as Visa or Mastercard could revoke the payment license of sloppy merchants. But it would be way more efficient if Google would add the compromised sites to its Chrome Safe Browsing blacklist,” says de Groot. “I have submitted all my malware samples to Google’s Safe Browsing team but only a small part of the detected malware has been blocked so far.”

Unfortunately, the only thing consumers can do to protect themselves is to avoid providing payment details to small online shops, and stick to bigger ones that have a dedicated security team. Or stop shopping online altogether.

UPDATE (October 15, 2016): De Groot has been having trouble keeping the list of compromised web shops online, after GitHub and GitLab removed it from their site.

“After publishing a list of compromised online stores, I was contacted by several persons who claimed their site had not been compromised (while in fact they were, as archive.org provides solid proof) and threatened to sue me,” he shared on Friday.

“I understand that if you are a merchant, it is not a pleasure to be on that list. I absolutely agree that publishing a list of compromised stores is a tough measure. However, I think this is better than letting the problem fester (as it has been since 2015),” he added.

While some would disagree with his choice, there is no doubt that it has provided relatively quick results. “So far, between Oct 10 and Oct 14, 631 stores have been fixed,” says de Groot.

UPDATE (October 17, 2016): Gitlab has reinstated the list of compromised shops.

GitLab CEO Sid Sijbrandij explained that they believe in responsible disclosure, but in this case the victim of the vulnerability is not only the owner but also the users of the web store.

“The owners of web stores have a responsibility to their users. And it is in the users interest to have the list published so owners fix their stores. We currently think that the interest of the user weights heavier. Therefore we reinstated the snippet,” he noted.