More than 100 e-commerce sites around the world are infected with malicious code designed to surreptitiously skim payment card data from visitors after they make purchases, researchers reported on Wednesday. Among those infected are US-based websites that sell dental equipment, baby merchandise, and mountain bikes.
In total, researchers with China-based Netlab 360 found 105 websites that executed card-skimming JavaScript hosted on the malicious domain magento-analytics[.]com. While the domain returns a 403 error to browsers that try to visit it, a host of magento-analytics[.]com URLs host code that’s designed to extract the name, number, expiration date, and CVV of payment cards that are used to make purchases. The e-commerce sites are infected when the attackers add links that cause the malicious JavaScript to be executed.
One of the infected sites identified by Netlab 360 is ilybean[.]com, an Orlando, Florida, business that sells baby beanies. As the screenshot below shows, the site executes JavaScript hosted at magento-analytics[.]com.
https://magento-analytics[.]com/5c3b53f75a8cb.js and partially shown to the right, shows a sprawling piece of code. While it’s hard for non-coders to fully parse, it includes tell-tale variable names, including verisign_cc_number, shipping:firstname, shipping:lastname, verisign_expiration, verisign_expiration_yr, and verisign_cc_cid. Functions suggest it collects the payment card data, and base 64 encodes it and siphons it away.
“This isn't a new campaign, as the domain has been around for several months already, but it is one of the more active ones, according to our telemetry stats,” Jérôme Segura, head of threat intelligence at security provider Malwarebytes, told Ars. “We block an average of 100 connections to this domain daily from Malwarebytes users that visit an online store that's been hacked.”
Segura pointed to this search query that showed 203 sites had been affected by the campaign. It appeared that some of the sites listed were no longer executing code hosted on magento-analytics[.]com, most likely because they had been disinfected after being indexed.
Most of the compromises reported by Netlab 360 appear to be hitting niche sites, but at least six of them are part of the Alexa top 1 million. They include:
- mitsosa[.]com
- alkoholeswiata[.]com
- spieltraum-shop[.]de
- ilybean[.]com
- mtbsale[.]com
- ucc-bd[.]com
Ars confirmed that all six of the sites were calling JavaScript hosted on magento-analytics[.]com at the time this post was being reported. Ars contacted each of the six sites to seek comment for this post but hadn’t received a response from any of them at the time this post was going live.
The compromises reported by Netlab 360 are part of a rash of infections that came to light starting late last year affecting, among others, sites for British Airways, Newegg, and seven other businesses with more than 500,000 collective visitors per month. In one case, a single site was infected by two skimming groups that competed against each other. The compromises were still going strong as of two months ago.Historical IP and whois records show that magento-analytics[.]com has no relation to Magento, the e-commerce CMS that Adobe acquired last year. Attackers likely picked the name to confuse administrators of infected sites.
The full list of sites in Netlab 360's report is:
adirectholdings[.]com
adm[.]sieger-trophaen[.]de
adventureequipment[.]com[.]au
alkoholeswiata[.]com
alphathermalsystems[.]com
ameta-anson[.]com
ametagroup[.]com
ametawest[.]com
armenianbread[.]com
autosportcompany[.]nl
bagboycompany[.]com
boardbookalbum[.]biz
boardbookalbum[.]com
boardbookalbum[.]net
boardbookalbums[.]biz
boardbookalbums[.]net
burmabibas[.]com
businesstravellerbags[.]com
clotures-electriques[.]fr
cltradingfl[.]com
colorsecretspro[.]com
connfab[.]com
cupidonlingerie[.]fr
devantsporttowels[.]com
diamondbladedealer[.]com
digital-2000[.]com
emersonstreetclothing[.]com
equalli[.]com
equalli[.]co[.]uk
equalli[.]de
eu[.]twoajewelry[.]com
eyeongate[.]net
fitnessmusic[.]com
fluttereyewear[.]com
freemypaws[.]info
gabelshop[.]ch
gosuworld[.]com
hotelcathedrale[.]be
huntsmanproducts[.]com[.]au
iconicpineapple[.]com
ilybean[.]com
imitsosa[.]com
jasonandpartners[.]com[.]au
jekoshop[.]com
jekoshop[.]de
junglefeveramerica[.]com
kermanigbakery[.]com
kermanigfoods[.]com
kings2[.]com
koalabi[.]com
lamajune[.]com
li375-244[.]members[.]linode[.]com
libertyboutique[.]com[.]au
lighteningcornhole[.]com
lighting-direct[.]com[.]au
lightingwill[.]com
liquorishonline[.]com
lojacristinacairo[.]com[.]br
magformers[.]com
maxqsupport[.]com
mdcpublishers[.]com
meizitangireland[.]com
monsieurplus[.]com
mtbsale[.]com
noirnyc[.]com
nyassabathandbody[.]com
pgmetalshop[.]com
pinkorchard[.]com
pizzaholic[.]net
powermusic[.]com
prestigeandfancy[.]com
prestigebag[.]com
prestigefancy[.]com
prestigepakinc[.]com
prettysalonusa[.]com
promusica[.]ie
qspproducts[.]com
qspproducts[.]nl
qspracewear[.]nl
rightwayhp[.]com
safarijewelry[.]com
schogini[.]biz
shopatsimba[.]com
spalventilator[.]nl
spieltraum-shop[.]de
storageshedsoutlet[.]com
stylishfashionusa[.]com
suitpack[.]co[.]uk
svpmobilesystems[.]com
task-tools[.]com
tiroler-kraeuterhof[.]at
tiroler-kraeuterhof[.]com
tiroler-kraeuterhof-naturkosmetik[.]com
ucc-bd[.]com
ussi-md[.]com
utvcover[.]com
vezabands[.]com
vitibox[.]co[.]uk
waltertool[.]info
waltertool[.]org
waltertools[.]com
workoutmusic[.]com
There’s no easy way for people to know for sure if an e-commerce site they’re browsing is infected. Malwarebytes and many other endpoint security programs will block the best-known campaigns, but new ones pop up so often that these products can’t be expected to catch all of them. People should never use debit cards when making online purchases. Credit card users should be sure to check their statements each month for fraudulent charges. People may also want to consider using temporary cards that have small, fixed lines of credit.
Post updated to remove mockberg[.]com and appliancespareparts[.]com[.]au from the list. Representitives with the sites said they removed the reference to magento-analytics[.]com. mont[.]com[.]au was also removed, after the company removed the same reference.
reader comments
124