A Hacking Campaign Stealing Credit Cards From Over A Hundred Shopping Sites

Posted by & filed under Alerts.

Researchers from Chinese cybersecurity firm Qihoo 360’s NetLab have revealed details of an ongoing credit card hacking campaign that is currently stealing payment card information of customers visiting more than 105 e-commerce websites.

While monitoring a malicious domain, www.magento-analytics[.]com, for over the last seven months, researchers found that the attackers have been injecting malicious JavaScript hosted on this domain into more than a hundred online shopping websites.

The JavaScript in question is digital credit card skimming code that, when executed on a site, automatically steals the payment card information entered by its customers, such as the cardholder name, card number, expiration date and CVV.

In an email interview, a NetLab researcher said that they don't have enough data to determine how the hackers infected the affected websites in the first place or which vulnerabilities they exploited, but did confirm that all of the affected shopping sites are running the Magento e-commerce CMS.

Further analysis revealed that the malicious script then sends the stolen payment card data to another file hosted on the attacker-controlled magento-analytics[.]com server.

“Take one victim as an example, www.kings2.com, when a user loads its homepage, the JS runs as well. If a user selects a product and goes to the ‘Payment Information’ to submit the credit card information, after the CVV data is entered, the credit card information will be uploaded,” researchers explain in a blog post published today.

The technique used by the group behind this campaign is not new; it is exactly the same one the infamous MageCart credit card hacking groups have used in hundreds of their recent attacks, including those on Ticketmaster, British Airways and Newegg.

However, NetLab researchers have not explicitly linked this attack to any of the MageCart groups.

Having "Magento" in the domain name doesn't mean the malicious domain is in any way associated with the popular Magento e-commerce CMS platform; the attackers used the keyword to disguise their activity and confuse regular users.

According to the researchers, the malicious domain used in the campaign is registered in Panama. In recent months, however, its IP address has moved from the United States (Arizona) to Russia (Moscow) and then to Hong Kong.

While the researchers found that the malicious domain has been stealing credit card information for at least five months, with a total of 105 websites already infected with the malicious JavaScript, they believe the real number could be higher than what has appeared on their radar.

Just yesterday, a user posted on a forum that his Magento website had also been hacked recently and that attackers had secretly injected a credit card stealing script from the same domain, apparently a separate variant not yet listed on the 360 NetLab website.

Since attackers usually exploit known vulnerabilities in e-commerce software to inject their malicious scripts, website administrators are strongly advised to follow security best practices, such as applying the latest updates and patches, limiting privileges on critical systems and hardening web servers.

Website admins are also advised to deploy a Content Security Policy (CSP), which lets them take strict control over exactly which resources are allowed to load on their site, including which origins may serve scripts and where scripts may send data.
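The following is an added example (not code from NetLab, Magento or the original article) of the two checks a site operator would want here: enumerate every origin a page loads scripts from and flag the ones that are not on an allowlist, then derive a CSP header that only permits the allowlisted origins and blocks the skimmer's exfiltration channel. The sample HTML is constructed to resemble a checkout page with one injected skimmer tag; the site origin `https://shop.example`, the allowlist and the helper names are assumptions for the example.

```python
"""Audit script origins on a page and derive a matching CSP script-src.

Added example, not NetLab's or Magento's code. The HTML, site origin and
allowlist below are constructed assumptions for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: a Magento-style page with one legitimate first-party
# script, one injected third-party skimmer include and one inline script.
SAMPLE_HTML = """
<html><head>
<script src="/static/version1/frontend/Magento/luma/en_US/mage/bootstrap.js"></script>
<script type="text/javascript" src="https://www.magento-analytics.com/analytics.js"></script>
<script>var BASE_URL = 'https://shop.example/';</script>
</head><body>...</body></html>
"""

# Assumed: the site's own origin and the third-party origins it legitimately
# loads scripts from (a CDN here). Everything else is suspect.
SITE_ORIGIN = "https://shop.example"
ALLOWED_SCRIPT_ORIGINS = {"https://shop.example", "https://cdn.shop.example"}


class ScriptCollector(HTMLParser):
    """Records every <script src=...> value and counts inline <script> blocks."""

    def __init__(self):
        super().__init__()
        self.external = []  # src attribute values, in document order
        self.inline = 0     # inline script bodies (no src attribute)

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self.inline += 1


def script_origins(html, site_origin):
    """Return (set of origins that serve scripts on the page, inline script count).

    Relative src values resolve to the site's own origin; protocol-relative
    (//host/path) and absolute URLs resolve to their own scheme://host.
    """
    parser = ScriptCollector()
    parser.feed(html)
    origins = set()
    for src in parser.external:
        if src.startswith("//"):
            src = "https:" + src
        parts = urlsplit(src)
        if parts.scheme and parts.netloc:
            origins.add(f"{parts.scheme}://{parts.netloc}")
        else:
            origins.add(site_origin)
    return origins, parser.inline


def unexpected_script_origins(html, site_origin, allowed):
    """Sorted list of script origins on the page that are not allowlisted."""
    origins, _ = script_origins(html, site_origin)
    return sorted(origins - allowed)


def build_csp(site_origin, allowed):
    """Build a CSP header permitting scripts only from the allowlisted origins.

    'self' covers first-party scripts, so the site origin is folded into it.
    'unsafe-inline' is deliberately omitted: an attacker who can inject a
    <script> tag could otherwise inline the skimmer instead of loading it
    remotely. connect-src and form-action restrict where script-driven
    requests and form posts may go, which is how the stolen card data leaves.
    """
    sources = ["'self'"] + sorted(o for o in allowed if o != site_origin)
    return (
        "Content-Security-Policy: script-src " + " ".join(sources)
        + "; connect-src 'self'; form-action 'self'"
    )


if __name__ == "__main__":
    print("unexpected script origins:",
          unexpected_script_origins(SAMPLE_HTML, SITE_ORIGIN, ALLOWED_SCRIPT_ORIGINS))
    print(build_csp(SITE_ORIGIN, ALLOWED_SCRIPT_ORIGINS))
```

Two caveats a practitioner should keep in mind. First, a scan like this only sees what the page serves at that moment; the same skimmer could equally be appended to a legitimate first-party file, which `script-src 'self'` will not block, so pair the CSP with file-integrity monitoring of the web root and a review of any HTML the CMS stores in its database. Second, the `connect-src` and `form-action` restrictions cover XHR, fetch and form exfiltration, but a skimmer that beacons data out through an image request would also need `img-src` locked down, which is only practical once the site's legitimate image origins are known.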

Meanwhile, online shoppers are advised to regularly review their credit card and bank statements for any unfamiliar activity. No matter how small an unauthorized transaction is, you should report it to your bank immediately.


The information contained in this website is for general information purposes only. The information is gathered from The Hacker News. While we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.
Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.
Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.