MrPhil

credit card skimmers (in JS)


An interesting (and concerning) article: https://arstechnica.com/information-technology/2019/03/a-new-rash-of-highly-covert-card-skimming-malware-infects-ecommerce-sites/?comments=1 . It seems there are ways to inject encoded JavaScript credit card skimmers into shops (Magento, so far, has been hit hard). One of the comments brought up Content Security Policies to control where JavaScript comes from on your site.


If you are running the "official" osC 2.3.4 or 2.3.4.1 download, your installation is obsolete! Get (stable) Frozenpatches or (unstable) Edge. See also the naming convention and the latest community-supported responsive "Edge" release


Since the fall of Bitcoin those criminals are running out of money... 🙂 I am glad my shop does not use CC; however, I searched for the string mentioned in the article: not found.

Thanks for mentioning @MrPhil


Not too experienced, but very willing to learn.


Hey Phil, thanks for this article! I actually shop at one of the six they say is still infected, although I haven't in a while. cajungrocer.com sells, as you would guess, Cajun food and ships nationwide. Actually, they had an osC based site at first, then switched to a slow ass Magento several years ago.


Edited by John W

I'm not really a dog.


I've seen some Magento sites that are set up better and not so slow, but more often than not, they are slow. I try to make my site as fast as I can. I also try to make my site secure. Actually, your post got me going on running different security scans on my site, and I implemented a few changes to improve security. At the same time, I spent some time scanning cajungrocer.com and they are not very good for security. Problem is I like many of the items they sell, but they have a lot of room to improve.

Here are a couple of the additions I made to my .htaccess today.

# "set" rather than "append": if another layer already emits this header, "append"
# produces "SAMEORIGIN, SAMEORIGIN", and browsers ignore a multi-valued X-Frame-Options
Header always set X-Frame-Options SAMEORIGIN

Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options nosniff

A while back I added this:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

I also set secure cookies and some other settings.


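As an added example (mine, not code from anyone in this thread), a small Python check that runs over a site's response headers and flags the weaknesses discussed above: a missing or permissive CSP script-src, an X-Frame-Options header that ended up with two values, a missing nosniff, and a short HSTS max-age. The sample headers are constructed, not captured from any real shop.

```python
import re

# Constructed sample response headers (not captured from any real shop).
SAMPLE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' https:",
    "X-Frame-Options": "SAMEORIGIN, SAMEORIGIN",   # what "Header append" can produce
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=300",
}

def parse_csp(value):
    """'script-src a b; default-src c' -> {'script-src': ['a', 'b'], 'default-src': ['c']}."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return policy

def audit_headers(headers):
    """Return findings as a list of strings; an empty list means every check passed."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing: nothing limits where <script> may load from")
    else:
        policy = parse_csp(csp)
        # script-src falls back to default-src when absent
        src = policy.get("script-src", policy.get("default-src", []))
        if not src:
            findings.append("CSP has neither script-src nor default-src")
        # a nonce or hash source makes browsers ignore 'unsafe-inline'
        if "'unsafe-inline'" in src and not any(s.startswith(("'nonce-", "'sha")) for s in src):
            findings.append("CSP allows 'unsafe-inline' scripts without nonce/hash")
        if any(s in ("*", "https:", "http:") or s.startswith("*.") for s in src):
            findings.append("CSP script-src has a scheme-only or wildcard source")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not a single DENY/SAMEORIGIN value")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not m or int(m.group(1)) < 31536000:
        findings.append("HSTS missing or max-age below one year")
    return findings

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS):
        print("FAIL:", finding)
```

A CSP only limits inline and off-site script; a skimmer appended to one of the shop's own JS files still loads from 'self', so pair the header with integrity monitoring of the files on disk.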


Indeed, the bastards never do :(.

Let me take the opportunity to clarify that this is not the same thing as the "credit card skimmers" found attached to physical ATMs, gasoline pumps, etc. (things that take credit and debit cards). Those read and record magnetic stripe data, and usually there is a small camera nearby to record you entering the PIN. New cards can be created with this data and used to suck your account dry. Always keep an eye open for loose or mismatched parts where you stick your card in, and try to conceal your use of the keypad (get up close to it, possibly shield it with your hand -- you never know where the camera is). Signs directing you to use a specific gas pump, etc. are another tip-off. Report suspicious setups to the store manager or the police. Enjoy Spring and stay safe!

