posted by Fnord666 on Thursday March 12 2020, @07:42AM   Printer-friendly
from the aich-tee-tee-pee-ess-colon-slash-slash-aich-tee-tee-pee-dot-pee-ess dept.

Crafty Web Skimming Domain Spoofs "https":

Earlier today, KrebsOnSecurity alerted the 10th largest food distributor in the United States that one of its Web sites had been hacked and retrofitted with code that steals credit card and login data. While such Web site card skimming attacks are not new, this intrusion leveraged a sneaky new domain that hides quite easily in a hacked site's source code: "http[.]ps" (the actual malicious domain does not include the brackets, which are there to keep readers from being able to click on it).

This crafty domain was hidden inside the checkout and login pages for grandwesternsteaks.com, a meat delivery service owned by Cheney Bros. Inc., a major food distributor based in Florida.

[...] A simple search on the malicious domain "http[.]ps" at HTML search service publicwww.com shows this code is present on nearly a dozen other sites, including a music instrument retailer, an herbal pharmacy shop in Europe, and a business in Spain that sells programmable logic controllers — expensive computers and circuit boards designed to control large industrial operations.

The http[.]ps domain is hosted in Russia, and sits on a server with one other malicious domain — autocapital[.]pw. According to a Mar. 3 Twitter post by security researcher and blogger Denis Sinegubko, the autocapital domain acts as a collector of data hoovered up by the http[.]ps skimming script.

Jerome Segura over at Malwarebytes recently wrote about a similar attack in which the intruders used http[.]ps to spoof the location of a script that helps improve page load times for sites that rely on Web infrastructure firm Cloudflare.

Don't believe everything you [think you] see!


  • (Score: 3, Insightful) by Anonymous Coward on Thursday March 12 2020, @08:06AM

    by Anonymous Coward on Thursday March 12 2020, @08:06AM (#970147)

    Perhaps Chrome devs will keep hacking the urlbar against these attacks.
    OR
    Show the full URL, like it is in the technical specification.

  • (Score: 0) by Anonymous Coward on Thursday March 12 2020, @02:25PM (4 children)

    by Anonymous Coward on Thursday March 12 2020, @02:25PM (#970225)

    Is it actually this: "http[.]ps" (brackets removed)?
    Because it seems like this: "http[.]s" would be a better visual spoof.

    • (Score: 2, Informative) by throckmorten on Thursday March 12 2020, @03:04PM (1 child)

      by throckmorten (3380) on Thursday March 12 2020, @03:04PM (#970243) Homepage

      .S isn't a valid ccTLD; .PS is.

      • (Score: 3, Interesting) by maxwell demon on Thursday March 12 2020, @04:16PM

        by maxwell demon (1608) on Thursday March 12 2020, @04:16PM (#970273) Journal

        But htt[.]ps would also be closer than http[.]ps, while still being a valid domain name.

        --
        The Tao of math: The numbers you can count are not the real numbers.
    • (Score: 0) by Anonymous Coward on Thursday March 12 2020, @06:06PM (1 child)

      by Anonymous Coward on Thursday March 12 2020, @06:06PM (#970322)

      I guess they make it look similar to https but change it slightly so most people think it says https?

      Browsers are supposed to have that little locked symbol showing if the certificates are all authenticated correctly. I imagine that the little lock wouldn't show up if it wasn't so, unless the browsers have poor security and need to be fixed and updated accordingly, so if someone did think it was an https domain when in fact it wasn't they should be able to see that the lock isn't present.

      • (Score: 0) by Anonymous Coward on Friday March 13 2020, @06:59AM

        by Anonymous Coward on Friday March 13 2020, @06:59AM (#970582)

        Wow. You're right. There's a green lock symbol on the url bar to the left of https
        The nice thing about standards is that we have so many of them.

  • (Score: 0) by Anonymous Coward on Thursday March 12 2020, @02:50PM (1 child)

    by Anonymous Coward on Thursday March 12 2020, @02:50PM (#970235)

    So this web site has been hacked and malicious code has been inserted via persistent XSS injection of some sort.

    The URI //http.ps//grandwesternsteaks.com doesn't look anything like a typical URI used in script tags, and it seems unlikely the http.ps domain could be confused for the scheme, so I'm not sure how it would pass even casual inspection.

    Of course the attacker probably expects nobody to actually look at the code, which is highly likely to be the case for almost any website (although in this instance, someone did look at it and did find it).
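The URI pattern discussed above (`//http.ps//grandwesternsteaks.com`) is a protocol-relative reference whose host is the skimmer domain and whose path merely contains the victim's name. An added example, not code from the story or from any commenter, showing how a site owner could audit a checkout page for exactly this: it parses the page, resolves where each script and form actually points, and flags hosts that mimic a URL scheme or are not on an assumed allowlist (the allowlist and the sample markup are constructed for the example).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: hosts this site legitimately loads scripts from.
ALLOWED_HOSTS = {"grandwesternsteaks.com", "www.grandwesternsteaks.com"}

# A host whose first label reads like a URL scheme ("http.ps", "htt.ps")
# lets "//http.ps//site" skim past a glance at the page source.
SCHEME_LIKE_LABELS = {"http", "https", "htt"}


class RefCollector(HTMLParser):
    """Collects the src of every <script> and the action of every <form>."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and attrs.get("src"):
            self.refs.append(("script", attrs["src"]))
        elif tag == "form" and attrs.get("action"):
            self.refs.append(("form", attrs["action"]))


def audit_html(page_html, allowed_hosts=ALLOWED_HOSTS):
    """Return (kind, url, reason) for every reference a defender should review."""
    collector = RefCollector()
    collector.feed(page_html)
    findings = []
    for kind, ref in collector.refs:
        parsed = urlparse(ref)  # handles "//host/path" protocol-relative URLs too
        host = (parsed.hostname or "").lower()
        if not host:
            continue  # same-origin relative reference, nothing external to check
        if host.split(".")[0] in SCHEME_LIKE_LABELS:
            findings.append((kind, ref, "host label mimics a URL scheme"))
        elif host not in allowed_hosts:
            findings.append((kind, ref, "third-party host not on allowlist"))
    return findings


# Constructed sample checkout markup (not the real site's page).
SAMPLE = """
<script src="/js/checkout.js"></script>
<script src="https://www.grandwesternsteaks.com/js/cart.js"></script>
<script src="//http.ps//grandwesternsteaks.com/js/checkout.js"></script>
<form action="//htt.ps/collect" method="post"></form>
"""

if __name__ == "__main__":
    for finding in audit_html(SAMPLE):
        print(finding)
```

Run against a saved copy of each checkout and login page; the same check works for injected `<form>` actions, which skimmers also use to exfiltrate card data.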

    • (Score: 0) by Anonymous Coward on Friday March 13 2020, @08:06AM

      by Anonymous Coward on Friday March 13 2020, @08:06AM (#970592)

      It's probably no longer a problem, as all of the block lists and every man and his dog are blocking that domain at the router.
      I wonder if we will get to the point where domains are blocked by everyone for being malicious
      Why are the domain owners not in jail?
