Sansec Profile picture
Jan 25 4 tweets 1 min read
More than 350 ecommerce stores infected with malware in a single day.

Today our global crawler discovered 374 ecommerce stores infected with the same strain of malware. 370 of these stores load the malware via https://naturalfreshmall[.]com/image/pixel[.]js.
Another batch got hacked last night, bringing the total to 461 compromised stores. Image
The Natural Fresh skimmer shows a fake payment popup, defeating the security of a (PCI compliant) hosted payment form. Payments are sent to https://naturalfreshmall[.]com/payment/Payment.php #masshack
And counting 499 stores today, so new victims are still being added.

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Sansec

Sansec Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @sansecio

Sep 14, 2020
UPDATE Nearly 2000 Magento stores got hacked over the weekend, which is - by far - the largest automated campaign to date. Malware loader: mcdnn[.]net. Exfil: imags[.]pw

sansec.io/research/large… Image
Possibly linked to a Magento 1 0day exploit that was put up for sale for $5000 a few weeks ago Image
Malware was injected using US IP 92.242.62[.]210. They used the Magento Connect feature to install code, including a file called "mysql.php", which was called and immediately removed.
Read 8 tweets
Jan 25, 2020
Indonesian police arrests 3 Magecart hackers who ran skimming operation since 2017. They recently registered "magecart[.]net" for payment interception. sansec.io/labs/2020/01/2… Image
One suspect admitted on live television that he had injected payment skimmers on foreign stores since 2017. He claimed to have earned enough money "to buy a jacket". Image
Police reports 12 cases, but Sanguine identified 571 hacks with this groups modus operandi since 2017. They could be identified because of an odd debug message "Success gan!" (success bro) upon successful payment interception. Image
Read 8 tweets
Jan 23, 2020
Skimmers write actual spaghetti code... In an unexpected plot twist, card-stealing malware was disguised as Italian cuisine. #magecart #webskimmer 1/3 Image
Normally criminals go out of their way to hide their work, but this pasta fan didn't seem to care. Also, the card collection server is pizdasniff[.]site, which is proper Russian for "pussyskimmer". 2/3
Despite its glaring presence, the skimmer has been injected in numerous sites since Dec 12th and most are still active. We have reached out to all affected merchants.
Read 4 tweets

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

:(