Popular ecommerce sites have been infected with web-based keyloggers that are being used to steal credit card data as it’s entered into online checkout forms. More than 100 compromised sites have been identified, but the number could be in the thousands, researchers said.
RiskIQ, in collaboration with ClearSky, published its findings (PDF) Thursday, and said some of the ecommerce sites impacted include Everlast Worldwide, the Australian ecommerce site for apparel giant Guess, and Fidelity Investments’ FidelityStore, a site maintained by third-party firm SwervePoint.
In a statement to Threatpost, Fidelity Investments said the site is not one that “serves our customers or the general public” and is “hosted, managed and operated by a third-party vendor and is separate from Fidelity’s technology infrastructure, including the infrastructure that serves our customers.” It added it wasn’t aware of anyone affected “by this issue.” Everlast Worldwide declined to comment and representatives from SwervePoint and Guess did not reply to requests for comment.
The campaign is tied to a single unidentified hacking group, RiskIQ said, that began its most recent wave of attacks in March. Many of the sites are still actively stealing credit card data, according to Darren Spruell, threat researcher at RiskIQ.
RiskIQ notified an undisclosed number of the affected sites. However, Spruell said, only a tiny fraction acknowledged being notified.
“When someone makes a purchase and enters their credit card data at these sites, that data is stolen and sent back to attackers in real time,” he said.
Researchers say many of the hacked ecommerce websites run the open source Magento ecommerce platform. Earlier this summer, researchers at Sucuri identified an uptick in the use of a new variant of a web-based keylogger, also called a credit card stealer, which stole credit card data in real time from the Magento ecommerce platform. However, RiskIQ said the hackers behind this most recent wave of attacks use similar techniques but are targeting additional ecommerce platforms such as Powerfront CMS and OpenCart.
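Because these keyloggers run as script injected into the checkout page, one defensive check a site operator can run is to inventory every script on that page and flag anything not expected there. The following is an added example, not code from RiskIQ, ClearSky or the article; the allowlisted hosts, the sample checkout page and the field-name heuristics are all constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Hosts the merchant expects to serve script on its checkout page (assumed values).
ALLOWED_SCRIPT_HOSTS = {"shop.example-merchant.test", "cdn.example-merchant.test"}

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)
# Inline-script heuristic: names a payment field AND a host off the allowlist.
PAYMENT_FIELD = re.compile(r"(cc[_-]?number|card[_-]?number|cvv|cvc|expir)", re.I)
OUTBOUND_URL = re.compile(r"https?://([a-z0-9.-]+)", re.I)


def find_suspicious_scripts(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return (kind, detail) findings for scripts a checkout page should not carry:
    external scripts loaded from hosts off the allowlist, and inline scripts that
    reference payment fields while naming an outside host."""
    findings = []
    for attrs, body in SCRIPT_TAG.findall(html):
        src = SRC_ATTR.search(attrs)
        if src:
            host = urlparse(src.group(1)).hostname  # None for relative (same-origin) paths
            if host is not None and host.lower() not in allowed_hosts:
                findings.append(("external", src.group(1)))
        elif PAYMENT_FIELD.search(body):
            hosts = {h.lower() for h in OUTBOUND_URL.findall(body)}
            if hosts - allowed_hosts:
                findings.append(("inline", body.strip()[:60]))
    return findings


# Constructed checkout page: one legitimate CDN script, one same-origin script,
# one legitimate inline validator, one unknown third-party script, and one
# indicator-bearing inline snippet (not a working skimmer) a checker should surface.
SAMPLE_CHECKOUT_HTML = """
<html><body>
<script src="https://cdn.example-merchant.test/checkout.js"></script>
<script src="/js/luhn.js"></script>
<script>document.getElementById('cc_number').addEventListener('input', checkLuhn);</script>
<script src="https://stats.unknown-host.test/a.js"></script>
<script>/* injected */ var f = document.querySelector('#card_number'); fetch('https://collect.unknown-host.test/');</script>
</body></html>
"""

if __name__ == "__main__":
    for kind, detail in find_suspicious_scripts(SAMPLE_CHECKOUT_HTML):
        print(f"{kind}: {detail}")
```

Run against a live copy of the checkout page on a schedule and alert on any new finding; a Content-Security-Policy restricting script-src and connect-src to the same allowlist blocks the same class of injection in the browser.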
Spruell said it isn’t clear what vulnerability attackers are exploiting, but added it could be any number of vulnerabilities within the server stack that would allow malware to be installed.
While web-based keyloggers and credit card stealers aren’t uncommon, RiskIQ believes these types of attacks are on the rise. Since March the threat actors behind this most recent campaign have grown more sophisticated, opting to use bulletproof hosting services and attacking a wider range of ecommerce platforms.