back to article Magecart malware merrily sipped card details, evaded security scans on UK e-tailer Páramo for almost 8 months

A card-skimming Magecart malware infection lingered on a British outdoor clothing retailer's website without detection for nearly eight months despite regular security scans. London-based Páramo told customers last week that it had discovered a "small piece of computer code covertly installed within our website". The warning …

  1. JakeMS
    Stop

    Wait

    How did they not notice this?

    Websites which collect card data (my own incl) deploy many security methods to ensure precisely this does not happen.

    One of the many methods that we (and most others) use is an Intrusion Detection System (In my case, as a small business owner, Tripwire on Linux), this monitors for filesytem changes, including monitoring the websites files.

    This means, if a PHP file is edited, via an exploit or other hack then that file will immediately flag up on the IDS.

    This hack absolutely should have been spotted immediately on their IDS, how did they miss this for so long?

    1. <script>alert('the register');</script>

      Re: Wait

      A website that only has around 3,500 customers in the space of 8 months probably isn't being updated anywhere near as much as you'd hope.

    2. IGotOut Silver badge

      Re: Wait

      It's seems they may of doing the right thing and employing an outside company to check out their systems.

      So the question is why didn't they pick it up?

      1. Captain Scarlet Silver badge

        Re: Wait

        The issue here appears to be when Paypal is called, so unless the company is doing test orders and clicking Paypal the js is never loaded (Services like Qualys WAS).

        If the sourcecode files are scanned, as its offsite the scanner has to scans this external URL (I don't know if there is such an app or service to support this?).

    3. Steve 53

      Re: Wait

      To be fair, they're using Paypal, not processing their own cards. The expectation is that paypal will take care of the security / PCI-DSS as the retailer will never handle to card details. Frankly Paypal shouldn't be offering the option to load in an iFrame - ie an environment they don't control the Javascript for

    4. Anonymous Coward
      Anonymous Coward

      Re: Wait

      An IDS can do many things. However if the file in question was loaded via a path thats not scanned by the IDS, or was uploaded via a method thats legitimate, or was using an exploit that there were no signatures available for at the time of exploit it would never have been able to pick it up. No security system is infallable. You can't just drop in a firewall and/or an IDS and say there you go, we're all secure. Given that there is no detail as to how this malicious code was uploaded to the site in question all we can do is speculate, what we do know however is the compliance company missed this at least twice. I'm guessing that the company in question is conducting a forensic investigation to understand how this happened but I'd be surprised if they release that information to the public.

      1. JakeMS
        Mushroom

        Re: Wait

        It sounds like it was a php file that was put or edited on their server, you can easily configure an IDS to detect this.

        The website files should be monitored, so that - any - file edited, removed or added is noticed. There is no reason this cannot be done. I do this on my website. Tripwire knows the website paths (along with being tailored to the system files).

        Even adding product images trips it in the images category and gives me a list of images added.

        If our custom stripe integration is touched in anyway tripwire will see it.

        Put bluntly, If someone can upload a file to your site, without your knowledge then your environment is not secure enough to collect card data.

  2. Headley_Grange Silver badge

    Quarterly

    I'm no expert in this, but is a quarterly check normal/adequate for this level of security?

    1. mikepren

      Re: Quarterly

      Given that it was operating over 8 months and hence I assume two scans, I'd suggest the frequency wasn't the issue.

      To be fair to the scanning company, you need to understand the terms of reference they were engaged on.

    2. Version 1.0 Silver badge

      Re: Quarterly

      Regular checks are normal but the malware is probably designed to not be seen in a casual check unless someone downloads everything and walks through the code line by line and understands it. The people designing the malware are not stupid; yes they are criminals but this is the Internet, it's common.

      The real question is, so we've found this one - how many more are there out there?

  3. Anonymous Coward
    Anonymous Coward

    I had no idea they had an online shop...

    I'd have thought most people buying Paramo clothing would (under normal circumstances) be buying from physical stores. If you're paying their prices, it's nice to know the coat will fit. (Saying that, I doubt they've sold very much at all in the last couple of months, given that it's for use out on the hills....)

    Paramo is like marmite... you either love their stuff, or you hate it. For the record, I'm in the "love it" camp, but my wife hates it and prefers Goretex coats. (Paramo optimises breathability of the fabric whilst keeping it waterproof(ish), Goretex optimises the waterproofness whilst making it breathable(ish). Different people want different things in a coat for use when out on the hills - I owned a Goretex waterproof for a while and didn't find it to be much more breathable than a £15 pac-a-mac.

    1. Headley_Grange Silver badge

      Re: I had no idea they had an online shop...

      I love it. I use it for cycling and hiking. Its the most breathable kit I've got and I've never got wet wearing it - even after long, wet days out in the Lakes and Scotland. Only downside is that it's a bit heavy, although it can double up as a fleece. They also make law-of-physics defying tee-shirts that either keep you warm or cool simply by turning them inside out. I was sceptical, but the bloke in the shop told me I could bring it back any time in the next 6 months if it didn't work; I've still got it and it works - the only downside being that it gets stinky very quickly.

      Luckily I bought my stuff from the shop cos, as you say, it's expensive and it's nice to get a good fit.

  4. Paul

    I guessed it would be php

    Before I even started reading this I thought "bet it's php" and I was right

  5. Anonymous Coward
    Anonymous Coward

    Javascript again

    Why does the card application permit 3rd party Javascript?

    1. Mike 137 Silver badge

      Re: Javascript again

      Why indeed is any client side processing performed on a card data capture page? A pure HTML form using POST over TLS should be sufficient to collect the data, with all processing server side. Client side processing is open to tampering and always has been.

  6. JCitizen Bronze badge
    WTF?

    PayPal??

    Why would PayPal use a CVV code? Maybe they were directing PayPal to use a credit card on record at PayPal? Seems like using PayPal credit should have solved most of the problem - at least of getting any funds.

    If they can attack a PayPal credit transaction like this without using a credit card, you would be better off using something like the browser app downloaded from Capitol One, that assigns payment to only the retail store you are doing business with. If the crook tries to use the same card data, even with the CVV code,l it will not work and the crook loses. I believe it is called Eno ®

    There are several credit cards with similar features, and even a free well known web site that lets you create a single transaction credit file for doing the same thing. The URL escapes me at the moment, but any web search would easily turn it up.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021