Hundreds of counterfeit online shoe stores injected with credit card skimmer

There’s a well-worn saying in security: “If it’s too good to be true, then it probably isn’t.” This can easily be applied to the myriad of online stores that sell counterfeit goods—and now attract secondary fraud in the form of a credit card skimmer.

Allured by great deals on brand names, many people end up buying products on dubious websites only to find out that what they paid for isn’t what they’re getting.

We recently identified a credit card skimmer injected into hundreds of fraudulent sites selling brand name shoes. Unfortunate shoppers may not only be disappointed with the faux merchandise, but they will also relinquish their personal and financial data to Magecart fraudsters.

Counterfeit shoes by the truckload

Think of the web as a never-ending whack-a-mole war between brands, security teams, and fraudsters—as legitimate companies work with security to take down one counterfeit site, another soon pops up.

One way fraudulent sites receive traffic is via forum spam. Crooks troll sporting and fitness forums and leave messages to entice users to visit the fake store:

Here’s that same counterfeit site selling Adidas, Nike, and other big brand name sneakers:

trainersnmd[.]com is hosted in Russia at 91.218.113[.]213. Looking at the 91.218.113.0/24 subnet, we can see many more domains used in the same counterfeit business.

Some of those domains were taken over and replaced with a serving notice. For example, in May 2019, Adidas filed a complaint for injunctive relief and damages against hundreds of fake Adidas stores.

Mass credit card skimmer injection

The skimming code was appended to a JavaScript file called translate.js. (A full copy of the deobfuscated skimmer can be found here.)

Stolen data, including billing addresses and credit card numbers, is exfiltrated to a server in China at 103.139.113[.]34.

What’s interesting is that this is actually a massive compromise across several IP subnets:

A cursory look at several domains using Sucuri’s SiteCheck revealed they are using the same outdated software:

Magento under 1.9.4.2
PHP under 5.6.40

It’s likely a malicious scanner simply crawled those IP ranges and used the same vulnerability to compromise each and every one of those counterfeit sites.

Online shopping and its risks

Shopping online these days is akin to walking into a minefield, yet many people aren’t aware of the dangers lurking behind every corner.

Based on our crawlers, we see new e-commerce sites fall victim to web skimmers every day. Looking at our telemetry, we can also correlate the number of web blocks to shopping patterns, such as Black Friday and Cyber Monday events.

We saw an increase in credit card skimming activity for Black Friday and Cyber Monday, but not as much as anticipated. Many online stores were running deals for some time prior, even since late Oct. #Magecart #skimming #BlackFriday #CyberMonday pic.twitter.com/0DEMFXwjPa
— MB Threat Intel (@MBThreatIntel) December 3, 2019

As we saw in this post, counterfeit sites pose a double threat: not only from obtaining illicit goods, but also from getting robbed of data by a different group of criminals.

While we cannot completely eliminate the threat of digital skimmers, here are some tips on how to reduce the risks associated with online shopping:

Make sure that your computer is malware-free and running the latest patches.

Leverage a security product that offers web protection. Malwarebytes’ flagship anti-malware product, as well as its newly introduced (and free) Browser Guard extension for Chrome and Firefox, can thwart Magecart-related skimmers by blocking malicious scripts and websites from loading, as well as from exfiltrating data.

If you are shopping on a site for the first time, check that it looks maintained. While this does not replace a thorough security scan, seeing notes such as “Copyright 2015” may indicate that the website is not really being looked after.

Minimize how often you enter your credit card data by relying on other payment methods instead. For example, large reliable online retailers, such as Amazon, already have your payment details archived in your account. Other safe methods include Apple Pay or prepaid Visa or Mastercard cards.

Check your bank/credit card statements regularly to identify potentially fraudulent charges.

Help prevent further attacks by reporting any fraudulent activity (especially if you were a victim) to law enforcement authorities.

Indicators of Compromise (IOCs)

Counterfeit sites injected with skimmer

Skimmer

103.139.113[.]34
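As an added example (not code from the original post), the following Python checks web proxy log lines against the indicators quoted above: the skimmer exfiltration IP, the hosting IP and /24 subnet, and one of the listed counterfeit domains. The log line format and the sample lines are constructed for the example; a fetch of translate.js from a listed host is flagged highest because that is the file the skimmer was appended to.

```python
import re
from ipaddress import ip_address, ip_network

# Indicators quoted in the post, kept in its defanged "[.]" notation.
DEFANGED_IOCS = [
    "trainersnmd[.]com",   # one of the listed counterfeit stores
    "91.218.113[.]213",    # its hosting IP
    "103.139.113[.]34",    # skimmer exfiltration server
]
# Hosting subnet named in the post; a hit here only means "same hosting cluster".
HOSTING_SUBNET = ip_network("91.218.113.0/24")

def refang(ioc: str) -> str:
    """Turn the post's defanged notation back into a matchable indicator."""
    return ioc.replace("[.]", ".")

# Constructed proxy log format (an assumption, not a real product's format):
#   <timestamp> <client_ip> <dest_ip> <host_header> <path>
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

def classify(line: str, iocs=DEFANGED_IOCS):
    """Return (severity, reason) for one log line, or None if it is clean."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    _ts, _client, dst_ip, host, path = m.groups()
    hits = {refang(i) for i in iocs}
    if dst_ip in hits or host in hits:
        # The skimmer was appended to translate.js: a fetch of it is the strongest signal.
        if path.endswith("translate.js"):
            return ("high", f"skimmer file {path} fetched from {host}")
        return ("high", f"destination {host} is a listed indicator")
    try:
        if ip_address(dst_ip) in HOSTING_SUBNET:
            return ("medium", f"{dst_ip} is in the counterfeit hosting subnet")
    except ValueError:  # dest field was not an IP address
        pass
    return None

def scan(lines):
    """Apply classify() to many lines; returns (timestamp, severity, reason) tuples."""
    return [(ln.split()[0],) + res for ln in lines if (res := classify(ln))]

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2019-12-01T10:00:01Z 10.0.0.5 91.218.113.213 trainersnmd.com /js/translate.js
2019-12-01T10:00:02Z 10.0.0.5 103.139.113.34 103.139.113.34 /collect
2019-12-01T10:00:03Z 10.0.0.7 91.218.113.50 other-store.example /index.html
2019-12-01T10:00:04Z 10.0.0.8 198.51.100.10 shop.example /
""".splitlines()
```

Running `scan(SAMPLE_LOG)` yields two high findings (the translate.js fetch and the exfiltration server) and one medium finding for the subnet neighbour; the clean line produces nothing.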
The post Hundreds of counterfeit online shoe stores injected with credit card skimmer appeared first on Malwarebytes Labs.




