GOP Website Among Thousands Hit by MalwareSites Have One Feature in Common: Software Vulnerabilities
If you bought a reproduction vintage Reagan-Bush '84 T-shirt earlier this year from a group that raises funds to support Republican Senate candidates, you may want to double-check your credit card statements.
Willem de Groot, a product developer with the Dutch hosting company Byte, found that credit card data from the National Republican Senatorial Committee's online store was siphoned and shipped to a server in Russia. The NRSC's website was just one of 5,900 sites hit by the attacks. Many have now been patched.
E-commerce websites are secure only if they're diligently patched. Attackers often hunt for online stores running popular e-commerce platforms such as Magento, hoping to catch outdated software versions that are vulnerable.
The NRSC fixed its website about two days after de Groot published a blog post. But attackers had been harvesting credit card data between March 16 through Oct. 5 - a long exposure window that means many shoppers could have been hit, de Groot says.
De Groot writes that it's difficult to estimate the number of victims, but the NRSC's store had been receiving 350,000 visits per month. If only 1 percent of those visitors actually purchased something, he estimates that 21,000 card details could have been stolen since March.
"Black market value per card is between $4 and $120, so I assume a modest $30 per card," de Groot writes. "The villains could have made roughly $600K on this store alone."
It's important to note that what de Groot detected doesn't appear to have been specifically intended to cause problems for Republicans along the lines of the hacking woes that the Democratic Party has experienced over the last several months. Rather, the motivation here would appear to be purely financial (see Leaked DNC Emails Show Lax Cybersecurity).
Straight to Russia
The malware installed on the NRSC's site essentially "skims" payment card details. The term is usually applied to physical devices attached to ATMs or payment terminals that copy payment card information encoded on a card's magnetic stripe.
In the case of the NRSC, the card data was sent to two domains that are hosted by a company called Dataflow, which has a Russian-language website, but is registered in Belize, de Groot writes. Dataflow is a tiny operation, with just two IP blocks consisting of 512 IP addresses. Other services hosted on Dataflow don't appear to be very reputable.
"Its owners deserve praise for collecting about every kind of online fraud known to man: money laundering, synthetic drug trade, darknet messaging, phishing and spam," de Groot writes.
Not only are e-commerce stores often vulnerable, those running the stores can be blasé about security.
De Groot's employer, Byte, runs a service called MageReport.com, which scans e-commerce sites using the Magento platform and reports on security problems. Last November, de Groot blogged on Byte's site that he found 3,500 websites that had been hacked, some for as long as six months. He noticed a key difference in those attacks compared to others: The malicious script captured credit card numbers as soon as a shopper types one into a web-based form in a browser.
"Until now, credit card thieves mainly targeted transaction servers, where payment data is generally encrypted and thus hard to extract," he writes. "With this new attack, credit cards are captured before they can be encrypted."