A new rash of highly covert card-skimming malware infects ecommerce sites

by Dan Goodin, from Ars Technica

The rash of e-commerce sites infected with card-skimming malware is showing no signs of abating. Researchers on Thursday revealed that seven sites, with more than 500,000 collective visitors per month, have been compromised with a previously unseen strain of sniffing malware designed to surreptitiously swoop in and steal payment card data as soon as visitors make a purchase.

One of those sites, UK sporting goods outlet Fila.co.uk, had been infected since November and had only removed the malware in the past 24 hours, researchers with security firm Group-IB told Ars. The remaining six sites (jungleeny.com, forshaw.com, absolutenewyork.com, cajungrocer.com, getrxd.com, and sharbor.com) remained infected at the time this post was being reported. Ars sent messages seeking comment to all seven sites but has yet to receive a response from any of them.

Group-IB has dubbed the JavaScript sniffer GMO after the gmo[.]il domain it uses to send pilfered data from infected sites, all of which run the Magento e-commerce Web platform. The researchers said the domain was registered last May and that the malware has been active since then. To conceal itself, GMO compresses the skimmer into a tiny space that's highly obfuscated and remains dormant when it detects Firebug or Google Developer Tools running on a visitor's computer. GMO was manually injected into all seven sites, an indication that it is still relatively fledgling.
