MrPhil

credit card skimmers (in JS)


An interesting (and concerning) article: https://arstechnica.com/information-technology/2019/03/a-new-rash-of-highly-covert-card-skimming-malware-infects-ecommerce-sites/?comments=1 . It seems there are ways to inject encoded Javascript credit card skimmers into shops (Magento, so far, has been hit hard). One of the comments brought up Content Security Policies to control where Javascript comes from on your site.


If you are running the "official" osC 2.3.4 or 2.3.4.1 download, your installation is obsolete! Get (stable) Frozen or (unstable) Edge. See also the naming convention and the latest community-supported responsive "Edge" release


Since the fall of the Bitcoin those criminals are running out of money... 🙂 I am glad my shop does not use CC, however I searched for the string mentioned in the article: not found.

Thanks for mentioning @MrPhil


Not too experienced, but very willing to learn.


Hey Phil, thanks for this article! I actually shop at one of the six they say is still infected, although I haven't in a while. cajungrocer.com sells, as you would guess, Cajun food and ships nationwide. Actually, they had an OSC based site at first, then switched to a slow ass Magento several years ago.


Edited by John W

I'm not really a dog.


I've seen some Magento sites that are set up better and not so slow, but more often than not, they are slow. I try to make my site as fast as I can. I also try to make my site secure. Actually, your post got me going on running different security scans on my site and I implemented a few changes to improve security. At the same time, I spent some time scanning cajungrocer.com and they are not very good for security. Problem is I like many of the items they sell, but they have a lot of room to improve.

Here are a couple of the additions I made to my .htaccess today.

Header always append X-Frame-Options SAMEORIGIN

Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options nosniff

A while back I added this

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

I also set secure cookie and some other settings. 


I'm not really a dog.
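As an added example (not code from the thread or from osCommerce), the following Python script audits a set of HTTP response headers for the protections discussed in this thread: the X-Frame-Options, X-Content-Type-Options and HSTS headers John W added to his .htaccess, plus the Content-Security-Policy raised in the first post as a way to control where JavaScript on a shop page may come from. The header sets and the PSP hostname are constructed sample values.

```python
import re
from typing import Dict, List

MIN_HSTS_AGE = 31536000  # one year, the max-age used in the .htaccess line above

# Constructed sample responses: a shop with no hardening, and one carrying the
# headers from this thread plus a CSP that pins script sources to known hosts.
WEAK_HEADERS = {"Content-Type": "text/html", "X-XSS-Protection": "1; mode=block"}
HARDENED_HEADERS = {
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' "
                               "https://js.example-psp.test; object-src 'none'",
}


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [sources]}; directives are case-insensitive."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return one finding per missing or weak header; an empty list means all checks passed."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN (clickjacking)")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff (MIME sniffing)")
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""), re.I)
    if (int(m.group(1)) if m else 0) < MIN_HSTS_AGE:
        findings.append("Strict-Transport-Security missing or max-age below one year")
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing: an injected <script> runs unrestricted")
    else:
        policy = parse_csp(csp)
        # script-src falls back to default-src when absent, as browsers do
        script_src = policy.get("script-src", policy.get("default-src", []))
        if not script_src or "*" in script_src or "'unsafe-inline'" in script_src:
            findings.append("CSP script-src missing, wildcard, or allows inline scripts")
    return findings


if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(name, audit_headers(hdrs) or "OK")
```

In practice you would feed it the headers returned by your own shop (for example from `curl -sI`), and treat every finding as a change to make in .htaccess.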

