According to the latest research from Malwarebytes, many of the websites selling branded sneakers aren’t as reliable as we think they are.
Research suggests that there are hundreds of fake branded shoe websites that are infected with credit card skimmer, which is a type of malware that skims financial data from payment cards that users provide at the time of checking out. The websites that run the old and outdated versions of Magento and the PHP programming language are the key targets of this campaign.
An analysis of these fake websites revealed that all had something or the other in common. Such as, either these ran similar templates using outdated Magento version or PHP programming language. It is believed that attackers were most probably looking for fake websites to inject malware and were lucky to find so many.
“I think it’s an automated scanner that happened to crawl those IP ranges and because all sites are pretty much a copy of each other (and all outdated), it had a field day”, stated Jérôme Segura, Malwarebytes’ threat intelligence researcher in their blog post.
Malwarebytes claims that this is a large-scale hacking campaign launched to steal the credit cards of unsuspecting users. The injection of malicious scripts into the websites is known as the Magecart attack in which a hacker breaches the security of an online store to steal information of payment cards used by the shoppers while placing an order. The information is later transferred to a remote server owned and operated by attackers.
The fake stores are selling all kinds of branded shoes including Nike and Addidas but what’s worse is that these counterfeit websites are not only indexed in popular search engines but also promoted intensely via posts on different fitness, sneaker, branded shows, and streetwear related forums. The content of each post is modified according to the forum and includes backlinks to the infected website.
We saw an increase in credit card skimming activity for Black Friday and Cyber Monday, but not as much as anticipated.
— MB Threat Intel (@MBThreatIntel) December 3, 2019
Most of these websites are still actively operating, which is why Malwarebytes researchers managed to inspect them easily for malware. They identified that the malicious scripted are dubbed translate.js and the source code on the fake site’s checkout page was /js/mage/translate.js while the domain name used to host some of these sites is based in Russia (91.218.113[.]213 and 220.127.116.11/24).
If you are someone who is a fan of online shopping watch out for such scams and always search about the website you are about to shop on. You can do that by simply Google the URL of the web store or scan its link on VirusTotal. The best thing in this scenario is to shop from official stores rather than third-party ones.