As the craze for the latest Off-White, Nike, and Adidas sneakers heats up, sites selling counterfeit kicks have popped up to capitalize on sneakerheads searching for the best deal. To make a bad deal even worse, hackers are now targeting these sites to install malicious Magecart scripts that also steal your credit card information.
When shoppers purchase sneakers off of counterfeit sites, they will find that they didn’t get the sneakers they were expecting, and in some cases, may not get anything at all.
In a new report, Malwarebytes has disclosed a large-scale hacking operation that is targeting these counterfeit sneaker sites and infecting them with malicious scripts that steal shoppers’ credit cards.
“We recently identified a credit card skimmer injected into hundreds of fraudulent sites selling brand name shoes. Unfortunate shoppers may not only be disappointed with the faux merchandise, but they will also relinquish their personal and financial data to Magecart fraudsters.”
Attacks using these scripts are known as Magecart attacks: an attacker compromises an online store so that credit card details submitted at checkout are copied and sent to a remote server operated by the attackers, while the order itself still goes through.
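As an added illustration that is not part of the article, a small defender-side check for the pattern just described: it flags inline scripts on a checkout page that both reference card fields and name a host other than the store’s own, and lists third-party scripts for review. The sample page and the hosts shop.example, analytics.example and collector.invalid are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Checkout field names a skimmer must read; a match plus an off-site host is the signal.
CARD_FIELDS = re.compile(r"(cc[_-]?number|card[_-]?number|cvv|cvc|expir)", re.I)
URLS = re.compile(r"https?://[^\s'\"()<>]+")

class _ScriptCollector(HTMLParser):
    """Collect inline <script> bodies and the src of external scripts."""
    def __init__(self):
        super().__init__()
        self.inline, self.external, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data)

def find_skimmer_indicators(html, store_origin):
    """Return (kind, hosts) findings: inline scripts that touch card fields and name an
    off-site host, plus every external script served from outside the store's origin."""
    parser = _ScriptCollector()
    parser.feed(html)
    own = urlparse(store_origin).hostname
    findings = []
    for body in parser.inline:
        foreign = sorted({urlparse(u).hostname for u in URLS.findall(body)} - {own, None})
        if CARD_FIELDS.search(body) and foreign:
            findings.append(("inline-skimmer", foreign))
    for src in parser.external:
        host = urlparse(src).hostname
        if host and host != own:
            findings.append(("foreign-script", [host]))
    return findings

# Constructed checkout page: first-party script, third-party script, and an injected block carrying only skimmer indicators.
SAMPLE_CHECKOUT = """<html><body>
<script src="https://shop.example/js/checkout.js"></script>
<script src="https://analytics.example/a.js"></script>
<script>var fields = ["cc_number", "cvv"]; var gate = "https://collector.invalid/gate";</script>
</body></html>"""
```

The heuristic is a triage aid only: a real review still compares the page against a known-good copy of the store’s templates and watches outbound requests made during checkout.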
These sneaker sites are a bad deal
While indexed in search engines, many of the counterfeit sneaker sites are also promoted through posts to sneaker, streetwear, and fitness forums. These posts are tailored to the subject of the forum and include links back to the store selling the sneakers.
Many of the counterfeit sneaker sites identified by Malwarebytes are still online, so we were able to easily check one of them for Magecart scripts that steal credit card information.
As an example of one of the “deals” that you can receive on these counterfeit sneaker sites, one is selling Off-White Nike Air Force 1 Low sneakers, which normally cost around $2,000, for only $134.
After analyzing all of the sites that were compromised, it became clear to Malwarebytes threat intelligence researcher Jérôme Segura that all of the sites shared something in common.
All of them were running similar templates, using an outdated version of PHP, running Magento, and were hosted on a small number of IP address subnets.
Because of this, Malwarebytes believes an attacker performed a mass scan for vulnerable sites, probably ones running Magento or outdated PHP versions, and hit the jackpot with this group of counterfeit sneaker sites.
“I think it’s an automated scanner that happened to crawl those IP ranges and because all sites are pretty much a copy of each other (and all outdated), it had a field day”, Malwarebytes threat intelligence researcher Jérôme Segura told BleepingComputer in a conversation.
If you have recently purchased sneakers from a relatively unknown website, you may want to check Malwarebytes’ blog to see the full list of compromised stores.
If you have shopped at one of the listed stores, you should contact your credit card company to explain what has happened and continue to monitor your statements for suspicious or fraudulent charges.
Update 12/12/19: Added information on how the sites are promoted.