The rash of e-commerce sites infected with card-skimming malware is showing no signs of abating. Researchers on Thursday revealed that seven sites—each with more than 500,000 collective visitors per month—have been compromised with a previously unseen strain of sniffing malware designed to surreptitiously swoop in and steal payment card data as soon as visitors make a purchase.
One of those sites, UK sporting goods outlet Fila.co.uk, had been infected since November and had only removed the malware in the past 24 hours, researchers with security firm Group-IB told Ars. The remaining six sites—jungleeny.com, forshaw.com, absolutenewyork.com, cajungrocer.com, getrxd.com, and sharbor.com—remained infected at the time this post was being reported. Ars sent messages seeking comment to all seven sites but has yet to receive a response from any of them.
The Magecart crime bonanza
In a testament to just how popular the crime has become, a researcher from security provider Malwarebytes in November found a single site that was infected by two different card skimmers. In an email Thursday, Jérôme Segura—the Malwarebytes researcher behind that finding—noted a Brazilian Fila website was previously found to be infected and that some of the domains used in the attack were the same as ones found in the compromise he discovered.
Segura went on to say Group-IB’s findings were consistent with this archived scan of the Fila UK site and the screenshot below, which he took Thursday morning while visiting absolutenewyork.com.
The rise of card-skimming malware infecting popular sites comes as the plummeting price of cryptocurrencies has left criminal hackers scrambling for new sources of revenue. Through a company spokesman, Nicholas Palmer, vice president of international business at Group-IB, told Ars that GMO is one of the 15 families of sniffers Group-IB has recently discovered and plans to detail in an upcoming research paper. Thursday’s report indicates that the Magento-style crime wave is showing no signs of slowing down.
“People should understand that, despite its simplicity, JS Sniffers shouldn’t be underestimated,” Palmer told Ars. “Ticketmaster, British Airways, and Fila proved that any e-commerce business around the world is vulnerable to this type of attack. And not only online stores get affected, but also payment systems and banks whose clients suffer from payment data leaks.”
People who make a fair number of online purchases may want to consider using temporary cards that have small, fixed lines of credit. All payment-card users should carefully check their statements every month for fraudulent charges.