Update Oct 17th: already 841 stores have been fixed! Thanks to everybody who tirelessly notified and fixed stores.
- Online card skimming is up 69% since Nov 2015
- Multiple groups involved
- Merchants are unaware
Last week I showed how the Senate Republicans were skimmed for 6 months (and then it was quietly fixed). But this is just one example of thousands of stores that have been compromised and are still being skimmed.
How it works
Online skimming is just like physical skimming: your card details are stolen so that other people can spend your money. However, online skimming is more effective because a) it is harder to detect and b) it is near impossible to trace the thieves.
Online skimming gains popularity
Online skimming is a new form of card fraud. In November 2015, the first case was reported. Upon investigating, I scanned a sample of 255K online stores globally and found 3501 stores to be skimmed. It is now ten months later. Are the culprits in jail yet? Not quite, here are the numbers of compromised stores:
Victims vary from car makers (Audi ZA) to government (NRSC, Malaysia) to fashion (Converse, Heels.com), to pop stars (Bjork) to NGOs (Science Museum, Washington Cathedral).
754 stores who are skimming today, were already skimming in 2015. Apparently you can skim cards undisturbed for months.
Update Oct 14: 631 stores have been fixed, good work everybody!
Culprits get professional
In 2015, reported malware cases were all minor variations of the same code base. In March 2016, another malware variety was discovered (report in Dutch). Today, at least 9 varieties and 3 distinct malware families can be identified (see my collection of samples). This suggests that multiple persons or groups are involved.
To trick the casual observer, the malware has sometimes been disguised as UPS code:
Another sign of malware sophistication is the maturity of the payment detection algorithm. The first malware just intercepted pages that had
checkout in the URL. Newer versions also check for popular payment plugins such as Firecheckout, Onestepcheckout and Paypal.
Replies from worried merchants
I have manually reported several compromised shops and got some curious responses:
We don’t care, our payments are handled by a 3rd party payment provider
Or, even better:
Our shop is safe because we use https
New cases could be stopped right away if store owners would upgrade their software regularly. But this is costly and most merchants don’t bother.
Besides, that would not repair the current hausse of abuse. While stores could be contacted on an individual basis, it is a lot of work and nobody does it. Companies such as Visa or Mastercard could revoke the payment license of sloppy merchants. But it would be way more efficient if Google would add the compromised sites to its Chrome Safe Browsing blacklist. Visitors would be greeted with a fat red warning screen and induce the store owner to quickly resolve the situation. I have submitted all my malware samples to Google’s Safe Browsing team but only a small part of the detected malware has been blocked so far.
Are you a merchant?
If your store is compromised (check MageReport), find a competent programmer or development agency and send them here: how to recover a hacked store. In some jurisdictions you might have to report these security breaches to the government (see law in The Netherlands or United States).
If you have cleaned your store, send me an email and I will gladly remove your site from my data.
- Technical dissection of one malware family
- Culture and economics of credit card laundering
- Republicans were skimmed for 6 months and quietly fixed their store
- First discovery of online skimming
(The post has been translated with explicit permission of nighly secure)