#1250834: Malicious Javascript Active on FILA UK and Other Websites

Description: Payment card data of thousands of online shoppers has been stolen at checkout via malicious JavaScript code that cybercriminals embedded in seven websites, and which continues to collect the information and deliver it to the crooks.

Among the websites actively leaking customers' sensitive data to an unauthorized third party is FILA UK, likely since November 2018, when it was compromised.

Thieving script active on multiple websites
It is estimated that at least 5,600 shoppers of FILA sportswear have had their payment and personal details stolen so far. At the moment, every new customer of the website meets the same fate.

Six more websites, all in the US, put their customers' card data at risk just like FILA's UK website. All of the below are running the malicious JavaScript code at checkout:

- Jungle Lee home design shop

- Forshaw pest management products store

- Absolute New York cosmetics seller

- Safe Harbor Computers shop for video editing and animation computer gear

- GetRXd training equipment store

- Cajun Grocer online grocery store

The script was discovered early this month and dubbed GMO by Group-IB, a company that specializes in preventing cyber attacks. The name comes from 'gmo[.]li', a domain registered on May 7, 2018, that the threat actor uses to exfiltrate the data. The researchers found the malware by automatically checking the HTML code of a large number of websites.

Some possible methods of placing the script on a victim website include exploiting a vulnerability in the Magento e-commerce platform used by the stores, or "compromising the credentials of the website administrator using special spyware or cracking password with brute force methods," says Dmitry Volkov, CTO and Head of Threat Intelligence at Group-IB.

The security outfit tried to alert the affected parties of the compromise, but none of them replied, despite several notifications.

"Group-IB reported about the possible breach to local authorities in the UK and US as well. As of March 14th, GMO sniffer has not been removed on all of these websites," a company representative told BleepingComputer.

Web skimmers and the groups behind them
Also known as a 'sniffer' or 'web skimmer,' the code is designed to capture payment card data on a checkout page; the captured data is then delivered to a server and collected by the cybercriminals.

The groups engaged in this type of card-scraping campaign have been active since 2015 and are known collectively as MageCart, a name given by security company RiskIQ. Some of the big-name victims are British Airways, TicketMaster, OXO, and Newegg.

RiskIQ distinguishes between at least 12 MageCart groups, each with different technical skills and running malware of varying sophistication.

Group-IB keeps track of the families of JavaScript Sniffers, which can be developed and used by a single group, or sold or rented on underground forums to other threat actors.

"Since in some cases it is difficult to determine how many people use the sniffer, Group-IB experts call them families, not groups or threat actors," a company spokesperson told us, adding that there could be more than 30 different groups slinging this type of malware.

The GMO family of JS Sniffers was injected manually on the victim websites, which suggests a young actor, Group-IB told us: one that has not appeared in previous reports and has used only one domain so far.

That does not mean the actor lacks knowledge, since the script relies on several techniques to hide its activity.

It can detect running web developer consoles (Firebug and Google Chrome Developer Tools), and the URL of the malicious JavaScript and of the data storage location are encoded using the base64 encoding scheme. However, GMO does not obfuscate the script itself, which makes it obvious even on a cursory check.
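Group-IB found the script by automatically checking page HTML, and the traits described above (a developer-tools check and a base64-encoded exfiltration URL, with no other obfuscation) are exactly the kind of thing such a check can look for. The following is an added example, not Group-IB's tool or code from the article: a small Python checker that flags inline scripts carrying those traits, run against a constructed sample page. The sample HTML, the domains in it and the regexes are assumptions made for the example.

```python
import base64
import re
from urllib.parse import urlparse

# Constructed checkout page (not a real site): one legitimate script tag and
# one inline script showing the two GMO traits the article names, a developer
# tools check and a base64-encoded exfiltration URL. The domains are invented.
SAMPLE_HTML = """<html><body>
<script src="https://shop.example/static/checkout.js"></script>
<script>
if (window.Firebug && window.Firebug.chrome) { /* developer tools open */ }
var u = atob("aHR0cHM6Ly9leGZpbC5leGFtcGxlL2c=");  /* decodes to https://exfil.example/g */
</script>
</body></html>"""

FIRST_PARTY = {"shop.example"}  # hosts the shop is expected to talk to (assumed)
SCRIPT_BODY = re.compile(r"<script[^>]*>(.*?)</script>", re.S | re.I)
B64_LITERAL = re.compile(r"[\"']([A-Za-z0-9+/]{16,}={0,2})[\"']")
DEVTOOLS_CHECK = re.compile(r"window\.Firebug|console\.firebug|devtools", re.I)


def decode_urls(script: str) -> list[str]:
    """Return the base64 string literals in the script that decode to a URL."""
    urls = []
    for literal in B64_LITERAL.findall(script):
        try:
            text = base64.b64decode(literal, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # not base64, or base64 of binary data: ignore
        if text.startswith(("http://", "https://", "//")):
            urls.append(text)
    return urls


def scan(html: str, first_party: set[str]) -> list[dict]:
    """Flag inline scripts that hide a third-party URL or probe for dev tools."""
    findings = []
    for body in SCRIPT_BODY.findall(html):
        hidden = [u for u in decode_urls(body)
                  if urlparse(u if "://" in u else "https:" + u).hostname not in first_party]
        probes = DEVTOOLS_CHECK.search(body) is not None
        if hidden or probes:
            findings.append({"hidden_urls": hidden, "devtools_check": probes,
                             "snippet": body.strip()[:80]})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_HTML, FIRST_PARTY):
        print(finding)
```

A hit is a reason to look at the script, not proof of compromise: legitimate tag managers also embed encoded URLs, so the allowlist of first-party hosts needs to be maintained per site.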

In their research, Group-IB found 38 distinct families of JS Sniffers. The company says that researchers are working on a report that analyzes the activity of 15 groups, nine of them being new on the public scene.

More info: https://www.bleepingcomputer.com/news/security/malicious-javascript-active-on-fila-uk-and-other-websites/

Date added March 15, 2019, 9:36 a.m.
Source Bleeping Computer
Country UK