Stories
Slash Boxes
Comments

SoylentNews is people

Crafty Web Skimming Domain Spoofs "https"

posted by Fnord666 on Thursday March 12 2020, @07:42AM   Printer-friendly
from the aich-tee-tee-pee-ess-colon-slash-slash-aich-tee-tee-pee-dot-pee-ess dept.

martyb writes:

Crafty Web Skimming Domain Spoofs "https":

Earlier today, KrebsOnSecurity alerted the 10th largest food distributor in the United States that one of its Web sites had been hacked and retrofitted with code that steals credit card and login data. While such Web site card skimming attacks are not new, this intrusion leveraged a sneaky new domain that hides quite easily in a hacked site's source code: "http[.]ps" (the actual malicious domain does not include the brackets, which are there to keep readers from being able to click on it).

This crafty domain was hidden inside the checkout and login pages for grandwesternsteaks.com, a meat delivery service owned by Cheney Bros. Inc., a major food distributor based in Florida.

[...] A simple search on the malicious domain "http[.]ps" at HTML search service publicwww.com shows this code is present on nearly a dozen other sites, including a music instrument retailer, an herbal pharmacy shop in Europe, and a business in Spain that sells programmable logic controllers — expensive computers and circuit boards designed to control large industrial operations.

The http[.]ps domain is hosted in Russia, and sits on a server with one other malicious domain — autocapital[.]pw. According a Mar. 3 Twitter post by security researcher and blogger Denis Sinegubko, the autocapital domain acts as a collector of data hoovered up by the http[.]ps skimming script.

Jerome Segura over at Malwarebytes recently wrote about a similar attack in which the intruders used http[.]ps to spoof the location of a script that helps improve page load times for sites that rely on Web infrastructure firm Cloudflare.

Don't believe everything you [think you] see!

Original Submission

 
This discussion has been archived. No new comments can be posted.
Crafty Web Skimming Domain Spoofs "https" | Log In/Create an Account | Top | 8 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 0) by Anonymous Coward on Thursday March 12 2020, @02:50PM (1 child)

    by Anonymous Coward on Thursday March 12 2020, @02:50PM (#970235)

    So this web site has been hacked and malicious code has been inserted via persistent XSS injection of some sort.

    The URI //http.ps//grandwesternsteaks.com doesn't look anything like a typical URI used in script tags, and it seems unlikely the http.ps domain could be confused for the scheme, so I'm not sure how it would pass even casual inspection.

    Of course the attacker probably expects nobody to actually look at the code, which is highly likely to be the case for almost any website (although in this instance, someone did look at it and did find it).

  • (Score: 0) by Anonymous Coward on Friday March 13 2020, @08:06AM

    by Anonymous Coward on Friday March 13 2020, @08:06AM (#970592)

    It's now longer probably not a problem as all of the block lists and every man and his dog blocking that domain at the router
    I wonder if we will get to the point where domains are blocked by everyone for being malicious
    Why are the domain owners not in jail?