Security researchers are warning that the number of e-commerce stores infected with credit card stealing malware has risen 69% over the past year, with many site owners failing to take action.
Dutch researcher Willem de Groot found 3501 online retail sites last year were infected with malicious JavaScript, allowing cybercriminals to siphon off card details to sell on the dark web.
However, the figure has now jumped to 5929, with hundreds of the stores having failed to spot or take action since November 2015.
Victim organizations vary from car makers (Audi ZA) to government (NRSC, Malaysia) to fashion (Converse) and even NGOs (Science Museum).
The malware in question apparently uses multi-layer obfuscation to stay hidden, and scans for popular payment plugins like PayPal and URLs featuring the word “checkout.”
De Groot has actually found three distinct malware families and nine separate variants, indicating that multiple groups are involved. He traced some of the campaigns back to Russia.
The black hats are taking advantage of the fact many e-commerce site owners fail to keep software up-to-date, leaving vulnerabilities that hackers are only too ready to exploit.
The researcher has submitted his findings to Google’s Safe Browsing team but thus far only a small percentage of the detected malware is being blocked.
John Bambenek, threat intelligence manager at Fidelis Cybersecurity, claimed that every day millions of scans are performed on sites looking for routine vulnerabilities that can be exploited to insert malicious code.
“To combat this new type of card fraud known as ‘online skimming,’ commerce sites need to remain vigilant,” he added.
“They can do this by scanning their own websites for Open Web Application Security Project (OWASP) Top 10 vulnerabilities, maintaining a Web Application Firewall – such as mod_security, which is free – and applying patches immediately. These steps may cost retailers in time, but over 90% of exploitations would go away overnight if implemented.”
Ryan O’Leary, VP of WhiteHat Security’s Threat Research Centre, argued that around half of all retail sites have at least one serious security flaw present, which takes on average 205 days to fix.
“The existence of multiple serious vulnerabilities not only increases the total business risk that retail organizations assume, but also the risk that they pass along to users of their vulnerable websites,” he said.
“By prioritising the critical and high–risk security flaws for remediation, retailers stand a good chance of reducing the number of days that serious vulnerabilities remain open to attack."