Hundreds of counterfeit online shoe stores injected with credit card skimmer

There’s a well-worn saying in security: “If it’s too good to be true, then it probably isn’t.” This can easily be applied to the myriad of online stores that sell counterfeit goods—and now attract secondary fraud in the form of a credit card skimmer.

Allured by great deals on brand names, many people end up buying products on dubious websites only to find out that what they paid for isn’t what they’re getting.

We recently identified a credit card skimmer injected into hundreds of fraudulent sites selling brand name shoes. Unfortunate shoppers may not only be disappointed with the faux merchandise, but they will also relinquish their personal and financial data to Magecart fraudsters.

Counterfeit shoes by the truckload

Think of the web as a never-ending whack-a-mole war between brands, security teams, and fraudsters—as legitimate companies work with security to take down one counterfeit site, another soon pops up.

One way fraudulent sites receive traffic is via forum spam. Crooks troll sporting and fitness forums and leave messages to entice users to visit the fake store:

forum spam

Here’s that same counterfeit site selling Adidas, Nike, and other big brand name sneakers:

fake site

trainersnmd[.]com is hosted in Russia at 91.218.113[.]213. Looking at the 91.218.113.0/24 subnet, we can see many more domains used in the same counterfeit business.

Some of those domains were taken over and replaced with a serving notice. For example in May 2019, Adidas filed a complaint for injunctive relief and damages against hundreds of fake Adidas stores.

complaint

Mass credit card skimmer injection

The skimming code was appended to a JavaScript file called translate.js. (A full copy of the deobfuscated skimmer can be found here.)

skimmer adidas

Stolen data, including billing addresses and credit card numbers, is exfiltrated to a server in China at 103.139.113[.]34.

skim

What’s interesting is that this is actually a massive compromise across several IP subnets:

partial list

A cursory look at several domains using Sucuri’s SiteCheck revealed they are using the same outdated software:

  • Magento under 1.9.4.2
  • PHP under 5.6.40

It’s likely a malicious scanner simply crawled those IP ranges and used the same vulnerability to compromise each and every one of those counterfeit sites.

Online shopping and its risks

Shopping online these days is akin to walking into a minefield, yet many people aren’t aware of the dangers lurking behind every corner.

Based on our crawlers, we see new e-commerce sites fall victim to web skimmers every day. Looking at our telemetry, we can also correlate the number of web blocks to shopping patterns, such as Black Friday and Cyber Monday events.

As we saw in this post, counterfeit sites pose a double threat, not only from obtaining illicit goods but also getting robbed of data by a different group of criminals.

While we cannot completely eliminate the threat of digital skimmers, here are some tips on how to reduce the risks associated with online shopping:

  • Make sure that your computer is malware-free and running the latest patches. Leverage a security product that offers web protection. Malwarebytes’ flagship anti-malware product, as well as its newly introduced (and free) Browser Guard extension for Chrome and Firefox can thwart Magecart-related skimmers by blocking malicious scripts and websites from loading, as well as exfiltrating, data.
  • If you are shopping on a site for the first time, check that it looks maintained. While this does not replace a thorough security scan, seeing notes such as “Copyright 2015” may indicate that the website is not really being looked after.
  • Minimize how often you enter your credit card data by relying on other payment methods instead. For example, large reliable online retailers, such as Amazon already have your payment details archived into your account. Other safe methods include Apply Pay or prepaid Visa or Mastercards.
  • Check your bank/credit card statements regularly to identify potentially fraudulent charges.
  • Help prevent further attacks by reporting any fraudulent activity (especially if you were victim) to law enforcement authorities.

Indicators of Compromise (IOCs)

Counterfeit sites injected with skimmer

180workshoe[.]com
1freshfoot[.]com
2018nmd4u[.]com
234learnshoe[.]com
270takeshoe[.]com
365daysshoe[.]com
5923shoe[.]com
97saleweekly[.]com
987lateshoe[.]com
adsmithfwt[.]com
acheterftwr[.]com
addrubber[.]com
airmaxweekly[.]com
allsizeshoe[.]com
adnkclub[.]com
ashshoeslink[.]com
apparentshoe[.]com
auflaufschuh[.]com
utgumnshoes[.]com
awsnkrs[.]com
bajasprecio[.]com
basketouve[.]com
bestkixify[.]com
beastsole[.]com
best7now[.]com
bestshoesbf[.]com
blanchenmd[.]com
blazersoldes[.]com
boostrunner[.]com
boutiquesnks[.]com
brandingsit[.]com
breakerun[.]com
cageforlock[.]com
cestboncony[.]com
caretosole[.]com
champrun95[.]com
chaussureplace[.]com
cisalfaports[.]com
chamdot[.]com
chaussureprofile[.]com
colourmvp[.]com
compraestilos[.]com
closerpremium[.]com
closerselect[.]com
continuefeet[.]com
comfyftwr[.]com
cusmakeit[.]com
couleurmvp[.]com
courtadv[.]com
damesbedoor[.]com
ddtows[.]com
deeruptshoe[.]com
descubra19[.]com
docvab[.]com
donnescontate[.]com
dividesneakers[.]com
donectory[.]com
dryyourfoot[.]com
easeweekly[.]com
easyfootrun[.]com
energeticshoe[.]com
elementsthat[.]com
entryonlike[.]com
eternalapt[.]com
evidentshoe[.]com
febdate[.]com
farbasefull[.]com
farbenrun[.]com
farvefit[.]com
fleunderride[.]com
fewusedit[.]com
footbester[.]com
footrunclub[.]com
footsweek[.]com
footstijl[.]com
footstil[.]com
footstylish[.]com
foreasyon[.]com
for1sell[.]com
freernshoe[.]com
futureitblue[.]com
futureoiwill[.]com
futurenishoes[.]com
futureyouto[.]com
gelbneu[.]com
geschenkein[.]com
getgshoes[.]com
getbetternl[.]com
goldsoldes[.]com
grauwearim[.]com
grijsentop[.]com
goingtopurchase[.]com
grigiotopsu[.]com
greyheel[.]com
gsnkrs[.]com
guldafdk[.]com
headrebajas[.]com
hererunner[.]com

hjrshoe[.]com
inikirun[.]us
iweardam[.]com
jtsportsde[.]com
justshopclub[.]com
kaiisko[.]com
kaufenftwr[.]com
kaischuhe[.]com
kickfrstore[.]com
kickscrewstore[.]com
kickstienda[.]com
kickvapor[.]com
kickswinkel[.]com
kixifyshop[.]com
kixifyrun[.]com
kixifystore[.]com
kleurmvp[.]com
kleurschuhe[.]com
laufschuhebeste[.]com
linrubsole[.]com
lobeskoruns[.]com
lony19[.]com
lowesthalf[.]com
luckyisport[.]com
maxformob[.]com
manifestshoe[.]com
maximummost[.]com
metyshoes[.]com
mjftoods[.]com
mindedshoe[.]com
monitornon[.]com
msnkrs[.]com
nairschoenen[.]com
nairchaussure[.]com
nairscarpe[.]com
nairschuhe[.]com
nettstil[.]com
netwhilesale[.]com
newseftwr[.]com
newfeetreal[.]com
newmaxreal[.]com
newshoesreal[.]com
newstylereal[.]com
newwholereal[.]com
nicestijl[.]com
nicestil[.]com
nieuwekaufe[.]com
nicestilebay[.]com
nicestylebay[.]com
niceventefr[.]com
nmdforfemme[.]com
nmdrosare[.]com
nieuwekaufen[.]com
nmd5club[.]com
nmdnoir[.]com
nmdpksneaker4u[.]com
nmdoriginals[.]com
nmdreplace4u[.]com
nmdtrainers[.]com
noticeableshoes[.]com
noteystore[.]com
nuevorunning[.]com
nrdunkzpa[.]com
nrunnersale[.]com
nouveauhaven[.]com
nuevoshoe[.]com
nuovehaven[.]com
obviousshoe[.]com
offwschuhe[.]com
oplev19[.]com
oroshoesit[.]com
ordinarytrend[.]com
oroboostpas[.]com
outlet3prix[.]com
outletsfire[.]com
particleprovide[.]com
paschernoir[.]com
perpetuallook[.]com
pearlshoeslink[.]com
perpetualfree[.]com
phlshoe[.]com
pickonsneakers[.]com
pinkshoeslink[.]com
ponashoes[.]com
porsneakers[.]com
premiumnuevo[.]com
poshseeking[.]com
profilesshoe[.]com
prophereshoe[.]com
psbeautytre[.]com
racersho[.]com
runnerfr[.]com
ozemetoen[.]com
rosakopen[.]com
run4kick[.]com
rubberplat[.]com
runnerdry[.]com
runstormon[.]com

saledksko[.]com
saldifire[.]com
sarezalando[.]com
scarpekingdom[.]com
scarpe-new[.]com
scarpastate[.]com
schoenenbeste[.]com
schoenenprofile[.]com
schuherunlau[.]com
schuhesize[.]com
schuhneu[.]com
schuheplace[.]com
schuheprofile[.]com
scopri19[.]com
showam97[.]com
shoehallrun[.]com
sizehaven[.]com
showschuh[.]com
skorunvit[.]com
sjjshoe[.]com
skoprofile[.]com
skonmd[.]com
snadnket[.]com
sneakerbyside[.]com
sneakerebe[.]com
sneakerees[.]com
sneakermodelli[.]com
sneakerunow[.]com
snkrsstrike[.]com
snugfree[.]com
snstuff[.]us
sortheads[.]com
sort5sko[.]com
sportkopen[.]com
sportinghave[.]com
sportopwears[.]com
sports-be[.]com
sportsalebay[.]com
sportsneu[.]com
sportsonfr[.]com
sports-ha[.]com
stayonlinese[.]com
sprishoes[.]com
startingnice[.]com
streetcolouring[.]com
stripeschuhe[.]com
stuffnuevo[.]com
stuffkicks[.]com
stuffkopen[.]com
stuffoutfr[.]com
stuffpknit[.]com
styleftwr[.]com
stvprxsko[.]com
styleschoen[.]com
styleschuh[.]com
stylezapato[.]com
suitableshoe[.]com
swzoomsch[.]com
texmedever[.]com
tehshoes[.]com
takerightback[.]com
tedschuhe[.]com
thegodwillout[.]com
thxshoe[.]com
tiendaout[.]com
tosomtosideaway[.]com
trainernmdcbk[.]com
trainersnmd[.]com
tstripeseqt[.]com
uomoweekly[.]com
usesmoother[.]com
usualshares[.]com
valuablemax[.]com
vertchausfr[.]com
verstaleshoes[.]com
vtfreencs[.]com
vvvfabrices[.]com
walkingnice[.]com
wearingselect[.]com
willgoout[.]com
willrunalong[.]com
willrunout[.]com
willhiking[.]com
winatershoes[.]com
wmboost[.]com
withnormal[.]com
willtrval[.]com
witroze[.]com
wmsnkrs[.]com
wsnkrs[.]com
zapatosnmd[.]com
zwtnlzsen[.]com

Skimmer

103.139.113[.]34

The post Hundreds of counterfeit online shoe stores injected with credit card skimmer appeared first on Malwarebytes Labs.

Original Source