Hundreds of Counterfeit Sneaker Sites Hacked to Steal Credit Cards


As the craze for the latest Off-White, Nike, and Adidas sneakers heats up, sites selling counterfeit kicks have popped up to capitalize on sneakerheads searching for the best deal. To make a bad deal even worse, hackers are now targeting these sites to install malicious Magecart scripts that also steal your credit card information.

When shoppers purchase sneakers from counterfeit sites, they will find that they didn’t get the sneakers they were expecting, and in some cases, may not get anything at all.

In a new report, Malwarebytes has discovered a large-scale hacking operation that is targeting these counterfeit sneaker sites and infecting them with malicious scripts to steal shoppers’ credit cards.

“We recently identified a credit card skimmer injected into hundreds of fraudulent sites selling brand name shoes. Unfortunate shoppers may not only be disappointed with the faux merchandise, but they will also relinquish their personal and financial data to Magecart fraudsters.”

Attacks that use these types of malicious scripts are called Magecart attacks: a hacker compromises an online store so that submitted credit card information is stolen and sent to a remote server operated by the attackers.

These sneaker sites are a bad deal

While indexed in search engines, many of the counterfeit sneaker sites are also promoted through posts to sneaker, streetwear, and fitness forums. These posts are tailored to the subject of the forum and include links back to the store selling the sneakers.

Forum post promoting sneaker site

Many of the counterfeit sneaker sites identified by Malwarebytes are still online, so we were able to easily check one of them for Magecart scripts that steal credit card information.

As an example of one of the “deals” that you can receive on these counterfeit sneaker sites, one is selling Off-White Nike Air Force 1 Low sneakers, which normally cost around $2,000, for only $134. 

Counterfeit Sneaker Store

According to Malwarebytes, the hackers are injecting a malicious script named translate.js into these sneaker sites. After checking the source code for the site’s checkout page, a JavaScript file named /js/mage/translate.js was seen as shown below.

Injected translate.js script

At first glance, this script appears to belong to the Magento eCommerce platform that is used to create the counterfeit sneaker sites. If you look closely, though, you can see that obfuscated JavaScript was added to the bottom of the Magento script.

Obfuscated Magecart script

After running the JavaScript through a JS beautifier, we can see that the script is collecting submitted credit card information entered by the shopper and then sending it to a site located at This stolen credit card information can then be collected later by the attackers.

Partially deobfuscated Magecart script
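
Because the skimmer was appended to the bottom of an otherwise legitimate library file, a store operator can catch this kind of tampering by comparing each deployed script against the copy shipped with the platform release. The check below is an added example, not code from Malwarebytes or BleepingComputer; the file contents are constructed, harmless samples and the function names are hypothetical.

```javascript
// Added example: detect code appended to a known-good JavaScript library file.
// PRISTINE and DEPLOYED are constructed samples, not real Magento or skimmer code.
const PRISTINE = [
  "var Translate = function () {",
  "  this.data = {};",
  "};",
  "Translate.prototype.translate = function (t) { return this.data[t] || t; };",
  ""
].join("\n");

// Constructed, harmless tail written in the style obfuscators produce.
const DEPLOYED = PRISTINE +
  "var _0x3f=['\\x6c\\x6f\\x67','\\x68\\x69'];(function(a){return a[0x0]+a[0x1];})(_0x3f);\n";

// Ignore line-ending and trailing-whitespace differences between copies.
const normalize = (s) => s.replace(/\r\n/g, "\n").replace(/\s+$/, "");

// Returns "" if identical, the appended tail if the pristine file is a prefix,
// or null if the file was changed in place (needs a full diff instead).
function findAppendedTail(pristine, deployed) {
  const p = normalize(pristine), d = normalize(deployed);
  if (d === p) return "";
  return d.startsWith(p) ? d.slice(p.length).trim() : null;
}

// Heuristic indicators of obfuscation in a code fragment.
function obfuscationSignals(code) {
  const escapes = (code.match(/\\x[0-9a-f]{2}|\\u[0-9a-f]{4}/gi) || []).length;
  const hexNames = (code.match(/\b_0x[0-9a-f]+\b/gi) || []).length;
  const dynamic = /\b(eval|atob|unescape)\s*\(|\bnew\s+Function\b|fromCharCode/.test(code);
  const longestLine = Math.max(...code.split("\n").map((l) => l.length));
  return { escapes, hexNames, dynamic, longestLine };
}

// Classify a deployed file against its pristine reference copy.
function auditFile(pristine, deployed) {
  const tail = findAppendedTail(pristine, deployed);
  if (tail === "") return { status: "clean" };
  if (tail === null) return { status: "modified-in-place" };
  const signals = obfuscationSignals(tail);
  const suspicious = signals.escapes > 3 || signals.hexNames > 0 || signals.dynamic;
  return { status: suspicious ? "appended-obfuscated" : "appended", tail, signals };
}

console.log(auditFile(PRISTINE, DEPLOYED).status);
```

Any result other than `clean` means the deployed file no longer matches the release copy and should be restored from a trusted source; the obfuscation signals only help prioritise which files to examine first.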

After analyzing all of the sites that were compromised, it became clear to Malwarebytes threat intelligence researcher Jérôme Segura that all of the sites shared something in common.

All of them were running similar templates, Magento, and an outdated version of the PHP programming language, and all were located on a small number of IP address subnets.

Partial list of infected sites

Due to this, Malwarebytes thinks an attacker performed a mass scan looking for vulnerable sites, probably ones running Magento or outdated PHP versions, and hit the jackpot with this group of counterfeit sneaker sites.

“I think it’s an automated scanner that happened to crawl those IP ranges and because all sites are pretty much a copy of each other (and all outdated), it had a field day”, Malwarebytes threat intelligence researcher Jérôme Segura told BleepingComputer in a conversation.

If you have recently purchased sneakers at a relatively unknown web site, you may want to check Malwarebytes’ blog to see the full list of compromised stores.

If you have shopped at one of the listed stores, you should contact your credit card company to explain what has happened and continue to monitor your statements for suspicious or fraudulent charges.

Update 12/12/19: Added information on how the sites are promoted.
