Thousands Of Online Stores Fail To Protect Payment Details From Hackers


Shop shock. Hackers have compromised nearly 6,000 online shops to skim payment card data. And the problem is getting worse

Thousands of online shops are unknowingly harbouring malicious code after hackers exploited unpatched software flaws to inject it, in order to intercept and steal payment card details.

This is the warning from Dutch researcher Willem De Groot. He actually discovered the problem late last year, when he scanned 255,000 online stores globally and found 3,501 stores to be ‘skimmed’.

Skimming Cards

But nearly 12 months on, instead of the problem getting better, it is actually getting worse.

De Groot blogged that online card skimming is now up 69 percent since November 2015, with 5,925 online shops now holding malicious JavaScript code in their source code.

“In short: hackers gain access to a store’s source code using various unpatched software flaws,” he said. “Once a store is under control of a perpetrator, a (Javascript) wiretap is installed that funnels live payment data to an off-shore collection server (mostly in Russia). This wiretap operates transparently for customers and the merchant. Skimmed credit cards are then sold on the dark web for the going rate of $30 per card.”

The researcher pointed out that the skimming code was found on websites across a number of industries, from car makers (Audi ZA) to government (NRSC, Malaysia), fashion (Converse, Heels.com), pop stars (Bjork) and NGOs (Science Museum, Washington Cathedral).

“One reason that many hacks go unnoticed is the amount of effort spent on obfuscating the malware code,” he continued. “Earlier malware cases contained pretty readable Javascript but in the last scan more sophisticated versions were discovered. Some malware uses multi-layer obfuscation, which would take a programmer a fair bit of time to reverse engineer. Add to this that most obfuscation includes some level of randomness, which makes it difficult to implement static filtering.”

To trick the casual observer, the malware has sometimes been disguised as UPS code, said the researcher. He also pointed out that “multiple persons or groups” are involved in carrying out this criminal activity.
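The point about randomised obfuscation defeating static filtering can be shown by comparing a fixed signature with a check against a trusted copy of the store's scripts. This is an added example, not code from De Groot or MageReport; the file names, sample contents and signature are constructed, and it assumes the merchant keeps a trusted release of the store's files to build the baseline from.

```python
import hashlib
import re

# Constructed sample data: a trusted copy of one store script, plus two
# tampered deployments whose injected line differs only in a random name.
TRUSTED = {"js/checkout.js": "function submitOrder(f) { f.submit(); }\n"}
INJECT_A = "var _x4f2a = 'placeholder'; /* constructed injected line, variant A */\n"
INJECT_B = "var _q91zc = 'placeholder'; /* constructed injected line, variant B */\n"
DEPLOYED_A = {"js/checkout.js": TRUSTED["js/checkout.js"] + INJECT_A}
DEPLOYED_B = {"js/checkout.js": TRUSTED["js/checkout.js"] + INJECT_B,
              "js/tracking-widget.js": INJECT_B}  # extra file not in the release

# Hypothetical static signature, written after analysing variant A only.
SIGNATURE = re.compile(r"_x4f2a")


def digest(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_baseline(files):
    """Record one SHA-256 digest per path from a trusted release."""
    return {path: digest(body) for path, body in files.items()}


def signature_hits(files):
    """Static filtering: paths whose content matches the fixed signature."""
    return sorted(p for p, body in files.items() if SIGNATURE.search(body))


def baseline_diff(baseline, files):
    """Integrity check: report every path that is modified, added or missing."""
    findings = {}
    for path, body in files.items():
        if path not in baseline:
            findings[path] = "added"
        elif digest(body) != baseline[path]:
            findings[path] = "modified"
    for path in baseline:
        if path not in files:
            findings[path] = "missing"
    return findings


BASELINE = build_baseline(TRUSTED)

if __name__ == "__main__":
    for name, files in (("A", DEPLOYED_A), ("B", DEPLOYED_B)):
        print(name, "signature:", signature_hits(files),
              "baseline:", baseline_diff(BASELINE, files))
```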

Complacent Merchants

De Groot also noted some of the complacent responses from online shops when they were informed of the problem with their website.

“We don’t care, our payments are handled by a 3rd party payment provider,” said one online shop.

“Thanks for your suggestion, but our shop is totally safe. There is just an annoying javascript error,” said another.

“Our shop is safe because we use https,” added another shop.

De Groot advised online shops to upgrade their software regularly to prevent any new cases, but he admitted that “this is costly and most merchants don’t bother.”

And what of the nearly 6,000 online shops that have been compromised? De Groot complained that no-one seems to be proactively contacting the shops about the problem.

“Companies such as Visa or Mastercard could revoke the payment license of sloppy merchants,” he wrote. “But it would be way more efficient if Google would add the compromised sites to its Chrome Safe Browsing blacklist. Visitors would be greeted with a fat red warning screen and induce the store owner to quickly resolve the situation.”

De Groot said that he had submitted details of the problem to Google’s Safe Browsing team. He recommended that any worried online shop check MageReport to see if its store has been compromised.

One security expert said that online shops have to ensure that protecting customer data remains their top priority.

“Protecting customer data is a top priority for online retailers, but this attack demonstrates the damage which can be done once hackers have made their way inside,” said Matt Middleton-Leal, regional director UK & North of CyberArk.

“In this case, known vulnerabilities allowed hackers to obtain stores’ admin access and get away with valuable financial information,” said Middleton-Leal. “With cybercriminals increasingly getting into a network through simple means, online retailers must act fast to lock down these powerful admin accounts and keep sensitive customer data secure.”

Earlier this year, FraudAction (a security division of EMC) warned that committing online fraud is just too easy nowadays.

Indeed, card fraud affects many institutions, including hotel chains such as Hilton which last year fell victim to card fraud.