Credit card skimmers inserted into hundreds of fake sneaker sites

Counterfeit versions Adidas, Nike, Converse and other popular shoe brands advertised on sporting forums

Hundreds of websites selling fake branded shoes were infected with a card-skimming malware that steals credit card information on the checkout

Security researchers uncovered a new phishing campaign that leads users to sites that sell counterfeit versions of branded shoes. The goal of the attackers is to offer users cheap (but fake) shoes from brands like Nike or Adidas and then steal their credit card details, along with other personal information, during the goods purchasing process.

One of the most popular ways of attracting users to counterfeit products sites is by advertising fake shoes as branded ones by offering users cheap prizes on online forums. As expected, many are willing to get a brand new design for a few times smaller price tag than the original. However, disappointment comes very soon.

Malwarebytes Labs researcher Jérôme Segura said in the report:^[1]

We recently identified a credit card skimmer injected into hundreds of fraudulent sites selling brand name shoes. Unfortunate shoppers may not only be disappointed with the faux merchandise, but they will also relinquish their personal and financial data to Magecart fraudsters.

It is not the first time Adidas and other popular shoe brands are being targeted by cybercriminals who offer too-good-to-be-true deals. Hundreds of fake adverts were posted on platforms like Facebook, while in other cases, users were contacted via WhatsApp^[2] or Messenger apps with free shoe offers.

The compromised sites were running an outdated version of PHP and e-commerce platform Magneto

Websites that sell counterfeit shoes from popular brand names are generally unsafe, and it is not only because users might not receive a pair of sneakers hey paid for, but also because of cybersecurity risks. On top of that, the prolific hacker gang Magecart has been compromising hundreds of websites that are legitimate, so abusing fake sites is an even easier task. Previously, Magecart inserted malicious card skimmers into eCommerce sites used by such high-profile companies like airline British Airways, online ticket seller Ticketmaster,^[3], and online retailer NewEgg.

Inserting the obfuscated JavaScript code is relatively easy, and there are very little countermeasures, especially when it comes to cheap sites with almost non-existent protection. Malwarebytes researchers uncovered that hundreds of websites involved in the campaign were running an outdated version of e-commerce platform Magneto (1.9.4.2 and below), along with the PHP language (version 5.6.40 and below) it uses. Malicious actors most likely used a single vulnerability to penetrate hundreds of counterfeit sites and insert the data-gathering skimmer.

Security expert Ameet Naik from Perimeter X explained:^[4]

By compromising just one platform like Magento, they can infect hundreds of sites without much extra effort. In fact, our research shows multiple Magecart attackers operating on some e-commerce sites at the same time.

Fake online stores located in Russia, while stolen customer data was sent to China

One of the analyzed fake stores by Malwarebytes was trainersnmd[.]com under the IP address 91.218.113[.]213, which was hosted in Russia. Researchers managed to pinpoint several other domains linked to it, which were also related to the same illegal business. Nevertheless, many of these were already shut down, and the contents were replaced by seizure notice.

The credit card skimmer that was used in this phishing campaign was called translate.js, and all the information gathered by it (credit card details and billing address) was transferred to a server in China.

Unfortunately, new websites selling fake goods are opening as soon as others are closing, despite the correlating companies filing for complaints and threatening legal actions against such domains, as was done by Adidas in May 2019.^[5]

Users who recently purchased counterfeit shoes from non-official or partner's websites should start monitoring their online banking and also change all their passwords immediately. In the future, experts urge users to be more careful when it comes to online shopping – carefully picking purchase sources and not being tricked by “Black Friday” deals.^[6]