Credit card skimmer infects hundreds of fake online shoe stores to steal payment information

  • Cybercrooks troll sporting and fitness forums and leave behind messages to lure users to visit fake stores.
  • Some of the known brands included in the counterfeit site are Adidas, Converse, and Nike.

Cybercriminals have found a new tactic to trick users with faux merchandise and steal payment card details.

What’s the matter?

In new research from Malwarebytes Labs, it has been found that hundreds of fraudulent sites selling branded shoes are injected with a credit card skimmer. The purpose of the attackers is to steal both personal and financial data from shoppers by tricking them into visiting these fake merchandise retail shops.

How are shoppers redirected?

  • Researchers note that “One way fraudulent sites receive traffic is via forum spam.” Cybercrooks troll sporting and fitness forums and leave behind messages to lure users to visit fake stores.
  • Some of the brands included in the counterfeit site are Adidas, Converse, and Nike.
  • One of the fake online stores identified is trainersnmd[.]com. The domain is hosted in Russia at 91.218.113[.]213.

About card skimmer

  • The skimming code injected to the sites is appended to a JavaScript file called translate.js.
  • These infected sites use outdated Magneto (prior to version 1.9.4.2) and PHP (version 5.6.40) software. This enabled the attackers to exploit the existing vulnerabilities and inject the card skimming malware.
  • The malware steals several credit card details such as billing addresses and credit card numbers.
  • Once compromised, the details are exfiltrated to a server in China at 103.139.113[.]34.

The bottom line

Counterfeit sites pose a double threat to online shoppers. Therefore, shoppers should ensure the legitimacy of the site before visiting it.

The research highlight,” If you are shopping on a site for the first time, check that it looks maintained. While this does not replace a thorough security scan, seeing notes such as “Copyright 2015” may indicate that the website is not really being looked after.”

It is also important to make the computer malware-free by running the latest patches and using security products that offer web protection.