Thousands of customers believed to have had their details stolen
The website for popular sportswear brand Fila has reportedly been compromised by card-skimming code that could have affected up to 5,600 customers.
A JavaScript Sniffer dubbed ‘GMO’ has been active on the Fila UK website since November 2018, a new report from cybersecurity firm Group-IB claims.
The malicious code was designed to steal customers’ personal data including payment card details, names, and passwords.
The JS Sniffer code is similar, but different, to that used in Magecart attacks – a notorious payment data-stealing technique that has so far been used to compromise websites including Ticketmaster, British Airways, and Vision Express, to name just a few.
“BA and Ticketmaster were infected with the same type of malware – JS Sniffers,” Nicholas Palmer, vice president of international business at Group-IB told The Daily Swig.
“However, BA and Ticketmaster were attacked by another group using different JS Sniffer. But the purpose of the attack is the same in all cases – all types of JS Sniffers are designed to steal customers’ payment data.”
He added: “There are many more cybercriminal groups using distinct families of JS Sniffers capable of targeting online stores.
“In some cases, it is difficult to determine how many people use a particular sniffer. Every family of JS Sniffers has unique characteristics: multipurpose and specific, designed to target particular content management systems.”
GMO can detect Firebug and Google developer tools, Palmer said, which allows it to remain largely undetected. Criminal groups making use of this technique have been active since May 2018, he added.
The exploit, which targets online stores that are built on the Magento e-commerce platform, has also infected other websites with a combined 350,000 unique monthly visitors.
These sites include cosmetics store absolutenewyork.com and home design website jungleeny.com.
Group-IB said it detected GMO on Fila’s website in March 2019 and has made multiple attempts to contact the company.
After Group-IB went public with its findings, Fila reportedly removed the code from its website within hours.
Palmer added: “We recommend e-commerce websites to take seriously their security and security of their customers. [Site administrators should] use strong, unique passwords and change them regularly.
“Install all necessary updates for the software, including CMS. This will complicate the process of loading the web shell for the attacker. Carry out regular inspections and safety audits of the website and do not hesitate to seek assistance from specialists.”
Offering further mitigation advice for sites, Palmer said: “Use the appropriate systems to log all changes that occur on the site, as well as log access to the site control panel, and track file change dates.
“This will help to detect infection of site files with malicious code, as well as the fact of unauthorized access to the site or web server.”
The Daily Swig has reached out to Fila UK for comment and will update this article accordingly.
