back to article Hackers pop 6000 sites on active 18-month carding bonanza

Hackers have installed skimming scripts on more than 6000 online stores and are adding 85 each day in a wide-scale active operation that may have compromised hundreds of thousands of credit cards. Dutch developer Willem de Groot found the malware infecting stores running vulnerable versions of the Magento ecommerce platform. …

  1. Destroy All Monsters Silver badge


    I'm not saying it's state-sponsored, but it's probably state sponsored.

  2. frank ly


    I don't pay by credit card online often but I seem to remember that the CC entry and acceptance was dealt with by one of a small number of global service providers who's names were familiar and I was redirected to their site for payment, then back to the vendor site after acceptqance. Are these breaches at sites who have their own CC payment systems and don't use the big providers?

    1. tiggity Silver badge

      Re: Details

      .. You hope you were redirected to their site and not a harvesting clone site.

      I despise the flawed JavaScript & site redirect centric models used in credit card payments on so many sites.

      It's not a good thing that users get so happy with the idea of being sent "off site" for payments as makes it far easier for malicious attacks to do exactly the same and appear legit to the user (not helped by the cryptic names of some of the payment sites which do not exactly instil confidence).

    2. Anonymous Coward
      Anonymous Coward

      Re: Details

      I've worked on Magento sites that were configured to accept CC numbers directly, then charge the card (through a big provider) via server-to-server API. Then only real security requirement was that the sites use HTTPS.

      This is even worse than the redirect APIs you speak of. CC data passes through the site in plaintext, and some may store it in a databse for future payments. Skimming cards is a simple matter of inserting some rogue PHP code. It can only be detected by version control / file comparison tools on the server (which these sites rarely use), not by outside scanning tools or wary customers.

  3. Captain Badmouth


    The Symantec security seal would be more effective if it was an actual marine mammal doing the job.

  4. Anonymous Coward
    Anonymous Coward


    'we are safe because we use https'

    S means secure. Hahahahahahaha. Best thing for hackers since PHP.

  5. W Donelson

    Not good. A war with Russia, cyber or Syria, would be terrible for everyone.

  6. Siv

    The link to the list of affected sites has been removed from Github

    I wanted to see if any of the sites I use have been compromised and when you follow the link here or the one on Slashdot both end up with a github 404 error.

    Can someone re-instate the page with the affected sites as it's votal information!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021