Slashdot Mirror


Hackers Hit 6,000 Sites On Active 18-Month Carding Spree (theregister.co.uk)

mask.of.sanity writes from a report via The Register: Hackers have installed skimming scripts on more than 6,000 online stores and are adding 85 each day in a wide-scale active operation that may have compromised hundreds of thousands of credit cards. The malware is infecting stores (full list) running vulnerable versions of the Magento ecommerce platform, and also compromised the U.S. National Republican Senatorial Committee store. "Given that there are [about] 5,900 other skimmed stores, and the malpractice has been going on since at least May last year, I would expect the number of stolen cards in the hundreds of thousands," said Dutch developer Willem de Groot. You can read his blog post to learn more.

15 of 39 comments

  1. Dead Link by mallyn · · Score: 1
    Folks:

    Your link at: https://gist.github.com/gwille... is dead. Please ensure that this is correct.

    Thank you.

    --
    Most Respectfully Yours, Mark Allyn, Bellingham, Washington
    1. Re:Dead Link by Anonymous Coward · · Score: 1

      Yep. Although at least the second link seems to have been captured by the wayback machine:

      http://web.archive.org/web/20161014133252/https://gitlab.com/gwillem/public-snippets/snippets/28813

    2. Re:Dead Link by Nutria · · Score: 1

      14kgoldteeth.com

      WTF?

      --
      "I don't know, therefore Aliens" Wafflebox1
    3. Re:Dead Link by Anonymous Coward · · Score: 1

      GitHub censored his research and advisories, and deleted the posts. He has moved to GitLab, which most people should be doing anyway given GitHub's cultural issues.

    4. Re:Dead Link by Anonymous Coward · · Score: 1

      Is that the place where the SJWs threw a fit over a sign that said "meritocracy"?

      Yes, and where SJWs tried to force a "Code of Conduct" onto developers, and where SJWs have appeared in droves pulling stunts like trying to get contributors removed for their personal beliefs that have nothing to do with their project, and throwing victim tantrums because their pull requests weren't accepted. The site and its employees encourage this garbage.

    5. Re:Dead Link by jcr · · Score: 1

      Holy crap, that "djangoconcardiff" character sounds awfully desperate for attention.

      -jcr

      --
      The only title of honor that a tyrant can grant is "Enemy of the State."
  2. Re:So basically by Nutria · · Score: 1

    "few decades" is a bit of a stretch. "15 - 20 years" is much more reasonable.

    --
    "I don't know, therefore Aliens" Wafflebox1
  3. Everyone who deployed Magento instead of hiring me by Narcocide · · Score: 1

    Told you so. Idiots. Who's untrustworthy now?

  4. They missed thousands of stores! by Gravis+Zero · · Score: 1

    There are at least 3,500 other skimmed stores. That's right, there are over 9000! ;)

    --
    Anons need not reply. Questions end with a question mark.
  5. Card number disclosure by manu0601 · · Score: 2

    Why do the stores have to see the card numbers? Each time I purchase online, the store redirects me to a payment site tied to its bank.

    1. Re:Card number disclosure by Anonymous Coward · · Score: 1

      Why do the stores have to see the card numbers? Each time I purchase online, the store redirects me to a payment site tied to its bank.

      Well, they took entire control of the websites, so it wouldn't have changed anything.

      They could redirect you to a phishing website looking like an existing bank with a similar URL, and they could process the legitimate payment at the same time (and if they don't for some reason, they can still easily move your order forward as if the legitimate payment got through, and get away with it until the store notices they aren't actually receiving money on their account anymore... I suppose most small stores don't check every day...).

      The solution would be to restrict payment processing to a known list of independent intermediaries, and having your browser check it before entering your card info. Well, until they get compromised too. Or your browser. Or your computer. Or your router/modem.

      Still, many things are easily possible to at least reduce the risks. But most people, both professional and private individuals, simply don't do anything, or far too little. Most don't even really understand anything about all this, even though it's been talked about so much for a long time. And it's not really that much about money or time. Everything is just completely messed up in this world. It's just insanity.

    2. Re:Card number disclosure by illtud · · Score: 1

      Many, many sites don't, and this doesn't grab your card details server-side, it serves up some JS that makes your browser send the card details to $BADIP as you enter it.

  6. Updated host and link by klui · · Score: 1
    1. Re:Updated host and link by cruff · · Score: 1

      This link returns a 404 now also.

  7. Re:Where does the payment data go? by grumling · · Score: 1
    --
    "Well, good luck finding a judge that doesn't run a bestiality site."