The problem underscores the importance of keeping e-commerce software up to date, a security expert says.
Malware that captures credit card numbers as customers enter them online—the internet equivalent of skimming devices used to steal credit card numbers at self-serve gasoline pumps and retail stores—is a widespread problem, according to Dutch researcher Willem de Groot, co-founder and head of security at Amsterdam-based hosting and e-commerce platform provider byte.
Hackers had, as of earlier this month, gained access to the source code of 5,925 websites and inserted malware that captures newly entered credit card information and sends it to another server, according to an analysis by de Groot. The websites include many e-retailers worldwide, along with government sites and others that accept credit card payments.
In a blog post updated Oct. 17, de Groot writes that 841 of those store sites had been fixed as of that date, though it is possible that other sites continue to be infected. He posted an up-to-date list of compromised online stores here. His analysis of the malware is available here.
“It’s a pretty clever attack,” says Ryan O’Leary, vice president, threat research center and technical support for WhiteHat Security Inc. in Santa Clara, Calif. Unlike a large data breach, he says, the “card-skimming” malware does not create a surge in online traffic that might tip off a website owner; it could exist on a website for a long time without being noticed.
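Because the skimmer generates no traffic spike, one routine check a store operator can run is to fingerprint the scripts a checkout page serves and alert on anything not in the deployed baseline (a new third-party script host, or an inline script whose content changed). This is an added example, not code from the article, de Groot, byte or WhiteHat; the two HTML pages and their hostnames are constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collect external script hosts and the bodies of inline scripts."""

    def __init__(self):
        super().__init__()
        self.external = []      # hostnames of <script src="..."> tags
        self.inline = []        # text of <script> blocks without src
        self._in_inline = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(urlparse(src).hostname or "")
        else:
            self._in_inline = True

    def handle_data(self, data):
        if self._in_inline and data.strip():
            self.inline.append(data.strip())

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False


def script_fingerprint(html):
    """Return (set of external script hosts, set of SHA-256 hashes of inline scripts)."""
    p = _ScriptCollector()
    p.feed(html)
    return set(p.external), {hashlib.sha256(s.encode()).hexdigest() for s in p.inline}


def diff_checkout_page(baseline_html, current_html):
    """Hosts and inline-script hashes present in the live page but absent from the baseline."""
    base_hosts, base_inline = script_fingerprint(baseline_html)
    cur_hosts, cur_inline = script_fingerprint(current_html)
    return {"new_hosts": sorted(cur_hosts - base_hosts),
            "new_inline": sorted(cur_inline - base_inline)}


# Constructed sample pages: the baseline is the checkout page as deployed; the live copy
# has an extra script from an unknown host and a modified inline script.
BASELINE = ('<html><head><script src="https://shop.example/js/checkout.js"></script>\n'
            '<script>initCheckout({currency: "USD"});</script></head></html>')
LIVE = ('<html><head><script src="https://shop.example/js/checkout.js"></script>\n'
        '<script>initCheckout({currency: "USD"}); trackFields();</script>\n'
        '<script src="https://static.unknown-cdn.invalid/a.js"></script></head></html>')

if __name__ == "__main__":
    print(diff_checkout_page(BASELINE, LIVE))
```

Run it against a saved copy of the production checkout page on a schedule; any non-empty result is worth a look even when the storefront otherwise behaves normally.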
But how does it get there in the first place? O’Leary says there are two probable avenues of attack, each of which could be closed off if website owners were more vigilant.
The easiest way into a website’s source code, he says, is via bad administrative passwords—those that are easily guessable (“password,” for example, is a bad password, as is the street number of a company’s headquarters), or are obtained in some other way. In some cases the passwords that administrators use on unrelated websites—such as those for banks or retailers they do business with as customers—are the same passwords they use at work, O’Leary says. So, if an administrator’s personal passwords are compromised in a breach of another website, the business could have a problem.
Another way hackers get into a retailer’s code, O’Leary says, is by exploiting known vulnerabilities in open-source or other website software platforms—such as Magento—that are widely used by businesses that sell online. With open-source programs, the source code is freely available to anyone to access, modify and improve. After a software provider learns about vulnerabilities, it usually offers patches and updates fairly quickly, he says. Whether businesses apply those patches and updates is another matter. Hackers look for websites using out-of-date software and then enter via doors left open by the site administrators.
“Patch software, that’s my No. 1 piece of advice,” O’Leary says.
But patches and updates alone won’t keep an e-commerce site safe, even with good administrator passwords, O’Leary says. E-commerce sites also need to use tools designed to look for vulnerabilities, including those that web developers inadvertently program into the sites they build. WhiteHat sells a yearly service to identify such vulnerabilities, but O’Leary says free tools like Burp Suite also can be helpful for e-retailers.
According to a recent study from WhiteHat, 50% of all retail sites have at least one serious vulnerability at all times, and the average retail site has 13 serious vulnerabilities and 23 total vulnerabilities at any given time. The average retailer takes 205 days to fix a website vulnerability, according to the report.
This is troubling because the goal of e-retailers should be to keep hackers from getting into a site’s code in the first place, not finding and purging malware once it’s present, O’Leary says. That is a challenge, he says, because web developers tend to focus on making a website work properly and might overlook all the ways a site’s functionality could be misused. For example, O’Leary has encountered online banking software that allowed users to send negative amounts of money to someone else’s account—thus, sending cash the other way, to the malicious user’s account.
O’Leary says he cannot corroborate the number of websites hit by the malware discovered by de Groot, but he has no reason to doubt de Groot’s research or the size of the problem.
“Malware like this can spread very quickly,” O’Leary says.
Among the websites hit by the credit card capturing software was that of the National Republican Senatorial Committee (NRSC), a Republican Party organization dedicated to helping Republicans get elected to the U.S. Senate. The NRSC collects credit card numbers when it receives online donations or sells merchandise, such as T-shirts, stickers and signs. According to de Groot’s blog and a story on the website Krebs on Security, the malware—apparently the work of Russian hackers—infected the NRSC’s website from March 16 until Oct. 5. To show how the malware works, de Groot posted a video on Vimeo, using the NRSC website as an example.
An NRSC spokeswoman would not disclose how long the malware was present on the website or how many credit cards were compromised but said the impact was small.
“The vendor who operates our online store discovered an issue weeks ago that affected an extremely small number of supporters,” the NRSC spokeswoman said. “The problem was fixed immediately and we contacted those who were affected.”
In an Oct. 11 blog post, de Groot writes that the first case of online “skimming” was reported in November 2015 and that, at that time, a scan of 255,000 online stores globally found 3,501 websites compromised with malware to capture credit card numbers. The problem became worse, growing to 5,925 sites by October, in part because the malicious code is so hard to detect. The online credit card-number capturing can go undetected for months and, in hundreds of cases, it has, according to de Groot. On his blog, he says 754 stores infected by the malware in 2015 were still compromised as of Oct. 11.