GOP Website Among Thousands Hit by Malware


Sites Have One Feature in Common: Software Vulnerabilities

[Image: Items for sale from the National Republican Senatorial Committee's online store.]

If you bought a reproduction vintage Reagan-Bush '84 T-shirt earlier this year from a group that raises funds to support Republican Senate candidates, you may want to double-check your credit card statements.


Willem de Groot, a product developer with the Dutch hosting company Byte, found that credit card data from the National Republican Senatorial Committee's online store was siphoned and shipped to a server in Russia. The NRSC's website was just one of 5,900 sites hit by the attacks. Many have now been patched.

E-commerce websites are secure only if they're diligently patched. Attackers often hunt for online stores running popular e-commerce platforms such as Magento, hoping to catch outdated software versions that are vulnerable.

The NRSC fixed its website about two days after de Groot published a blog post. But attackers had been harvesting credit card data from March 16 through Oct. 5 - a long exposure window that means many shoppers could have been hit, de Groot says.

De Groot writes that it's difficult to estimate the number of victims, but the NRSC's store had been receiving 350,000 visits per month. If only 1 percent of those visitors actually purchased something, he estimates that 21,000 card details could have been stolen since March.

"Black market value per card is between $4 and $120, so I assume a modest $30 per card," de Groot writes. "The villains could have made roughly $600K on this store alone."

It's important to note that what de Groot detected doesn't appear to have been specifically intended to cause problems for Republicans along the lines of the hacking woes that the Democratic Party has experienced over the last several months. Rather, the motivation here would appear to be purely financial (see Leaked DNC Emails Show Lax Cybersecurity).

Straight to Russia

The malware installed on the NRSC's site essentially "skims" payment card details. The term is usually applied to physical devices attached to ATMs or payment terminals that copy payment card information encoded on a card's magnetic stripe.

"Once a store is under control of a perpetrator, a (JavaScript) wiretap is installed that funnels live payment data to an off-shore collection server (mostly in Russia)," de Groot writes in a subsequent blog post.

De Groot posted on GitHub 17 samples of card-skimming JavaScript that he has collected. His analysis shows that the malware developers have taken steps to obfuscate the code, meaning it takes programmers "a fair bit of time" to reverse engineer. When such code is planted on a website, it is hard to detect and nearly impossible to trace the thieves, he writes.

He found that in one case, the developers had appended "UPS delivery code START" and "UPS delivery code END" to a chunk of malicious JavaScript in an attempt to deflect cursory investigations of the code.

In the case of the NRSC, the card data was sent to two domains that are hosted by a company called Dataflow, which has a Russian-language website, but is registered in Belize, de Groot writes. Dataflow is a tiny operation, with just two IP blocks consisting of 512 IP addresses. Other services hosted on Dataflow don't appear to be very reputable.

"Its owners deserve praise for collecting about every kind of online fraud known to man: money laundering, synthetic drug trade, darknet messaging, phishing and spam," de Groot writes.

Soft Targets

Not only are e-commerce stores often vulnerable, but those running them can also be blasé about security.

De Groot writes that he manually reported some compromises to merchants. Their responses unfortunately indicate a fundamental misunderstanding of the problems. One merchant wrote: "Thanks for your suggestion, but our shop is totally safe. There is just an annoying JavaScript error." Another wrote: "Our shop is safe because we use https."

De Groot's employer, Byte, runs a service called MageReport.com, which scans e-commerce sites using the Magento platform and reports on security problems. Last November, de Groot blogged on Byte's site that he had found 3,500 websites that had been hacked, some for as long as six months. He noticed a key difference between those attacks and others: The malicious script captured credit card numbers as soon as a shopper typed one into a web-based form in a browser.

"Until now, credit card thieves mainly targeted transaction servers, where payment data is generally encrypted and thus hard to extract," he writes. "With this new attack, credit cards are captured before they can be encrypted."

All of the vulnerable sites Byte found either had outdated versions of Magento or had not applied other security mitigations. But the attack isn't Magento-specific. The vulnerable shops that Byte detected happened to be running Magento, but the JavaScript code could run on any site and accomplish the same end, de Groot writes.
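As an added example (not part of the article, and not code from de Groot or Byte), the following Node.js helper shows what a shop operator can check for on a saved checkout page to surface the indicators described above: scripts loaded from hosts outside an allowlist (the off-shore collection server), inline scripts carrying obfuscation markers such as the "UPS delivery code" comment, and the absence of a Content-Security-Policy that limits where a page may send form data, which is the browser-side control relevant to card data being captured before it is encrypted. The allowlist, hostnames and sample page are constructed assumptions.

```javascript
// Assumed allowlist of hosts a checkout page may legitimately load scripts from.
const ALLOWED_SCRIPT_HOSTS = new Set(["shop.example", "cdn.shop.example"]);

// Indicators of obfuscated inline code, plus the disguise comment the article describes.
const OBFUSCATION_PATTERNS = [
  /UPS delivery code/i,          // the "UPS delivery code START/END" disguise
  /String\.fromCharCode/,        // character-code decoding
  /\beval\s*\(/,                 // runtime evaluation of decoded strings
  /\batob\s*\(/,                 // base64 decoding
  /(?:\\x[0-9a-f]{2}){8,}/i,     // long runs of hex-escaped characters
];

// Resolve a script src (possibly relative) to its hostname; null if unparsable.
function scriptHost(src, pageHost) {
  try { return new URL(src, `https://${pageHost}/`).hostname; } catch { return null; }
}

// Walk every <script> tag in the page and collect findings; also check the CSP header.
function auditCheckoutPage(html, pageHost, headers = {}) {
  const findings = [];
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const [, attrs, body] = m;
    const srcMatch = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (srcMatch) {
      const host = scriptHost(srcMatch[1], pageHost);
      if (!host || !ALLOWED_SCRIPT_HOSTS.has(host)) findings.push({ kind: "external-script", detail: srcMatch[1] });
    } else {
      for (const p of OBFUSCATION_PATTERNS) if (p.test(body)) { findings.push({ kind: "suspicious-inline", detail: p.source }); break; }
    }
  }
  // connect-src and form-action are the CSP directives that restrict where page data can be sent.
  const csp = headers["content-security-policy"] || "";
  if (!/connect-src/.test(csp) || !/form-action/.test(csp)) findings.push({ kind: "weak-csp", detail: csp || "(none)" });
  return findings;
}

// Constructed sample checkout page (not a real capture): one allowed script, one from an
// unknown host, one inline script with the disguise comment, and one benign inline script.
const SAMPLE_HTML = `
<html><head>
<script src="https://cdn.shop.example/checkout.js"></script>
<script src="https://static.collector-example.invalid/js.js"></script>
<script>/* UPS delivery code START */ var _0x1a=String.fromCharCode(104,105); /* UPS delivery code END */</script>
<script>document.getElementById('cc-form').addEventListener('submit', validate);</script>
</head><body><form id="cc-form"></form></body></html>`;

console.log(auditCheckoutPage(SAMPLE_HTML, "shop.example", {}));
```

Run the same audit with a response header such as `Content-Security-Policy: default-src 'self'; script-src 'self' cdn.shop.example; connect-src 'self'; form-action 'self'` and the weak-csp finding disappears while the two script findings remain.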