5900 online stores found skimming [analysis]

Last week I showed how the Senate Republicans were skimmed for 6 months (and then it was quietly fixed). But this is just one example of thousands of stores that have been compromised and are still being skimmed.

real skimming

How it works

Online skimming is just like physical skimming: your card details are stolen so that other people can spend your money. However, online skimming is more effective because a) it is harder to detect and b) it is near impossible to trace the thieves.

In short: hackers gain access to a store’s source code using various unpatched software flaws. Once a store is under control of a perpetrator, a (Javascript) wiretap is installed that funnels live payment data to an off-shore collection server (mostly in Russia). This wiretap operates transparently for customers and the merchant. Skimmed credit cards are then sold on the dark web for the going rate of $30 per card .

Online skimming gains popularity

Online skimming is a new form of card fraud. In November 2015, the first case was reported. Upon investigating, I scanned a sample of 255K online stores globally and found 3501 stores to be skimmed. It is now ten months later. Are the culprits in jail yet? Not quite, here are the numbers of compromised stores:

November 20153501 
March 20164476+28%
September 20165925+69%

Victims vary from car makers (Audi ZA) to government (NRSC, Malaysia) to fashion (Converse, Heels.com), to pop stars (Bjork) to NGOs (Science Museum, Washington Cathedral).

754 stores who are skimming today, were already skimming in 2015. Apparently you can skim cards undisturbed for months.

Culprits get professional

In 2015, reported malware cases were all minor variations of the same code base. In March 2016, another malware variety was discovered (report in Dutch). Today, at least 9 varieties and 3 distinct malware families can be identified (see my collection of samples). This suggests that multiple persons or groups are involved.

One reason that many hacks go unnoticed is the amount of effort spent on obfuscating the malware code. Earlier malware cases contained pretty readable Javascript but in the last scan more sophisticated versions were discovered. Some malware uses multi-layer obfuscation, which would take a programmer a fair bit of time to reverse engineer. Add to this that most obfuscation includes some level of randomness, which makes it difficult to implement static filtering.

To trick the casual observer, the malware has sometimes been disguised as UPS code:

ups disguise

Another sign of malware sophistication is the maturity of the payment detection algorithm. The first malware just intercepted pages that had checkout in the URL. Newer versions also check for popular payment plugins such as Firecheckout, Onestepcheckout and Paypal.

Replies from worried merchants

I have manually reported several compromised shops and got some curious responses:

We don’t care, our payments are handled by a 3rd party payment provider

If someone can inject Javascript into your site, your database is most likely also hacked.

Thanks for your suggestion, but our shop is totally safe. There is just an annoying javascript error.

Or, even better:

Our shop is safe because we use https


New cases could be stopped right away if store owners would upgrade their software regularly. But this is costly and most merchants don’t bother.

Besides, that would not repair the current hausse of abuse. While stores could be contacted on an individual basis, it is a lot of work and nobody does it. Companies such as Visa or Mastercard could revoke the payment license of sloppy merchants. But it would be way more efficient if Google would add the compromised sites to its Chrome Safe Browsing blacklist. Visitors would be greeted with a fat red warning screen and induce the store owner to quickly resolve the situation. I have submitted all my malware samples to Google’s Safe Browsing team but only a small part of the detected malware has been blocked so far.


Are you a merchant?

If your store is compromised (check MageReport), find a competent programmer or development agency and send them here: how to recover a hacked store. In some jurisdictions you might have to report these security breaches to the government (see law in The Netherlands or United States).

Read more:

Senate Republicans were skimmed for six months, quietly fix store

Did you order anything from the Senate Republicans in the last half year? In that case, your name and credit card details have been skimmed and sent to a Russian server. And subsequently sold on the dark web for $30.

Update Oct 6th: The Republicans have rushed to secure their store today. But no word about the skimming between March 16th and October 5th.

See a short video where I demonstrate how the skimming works. And read on to find out how I traced the culprits to a hornet’s nest of criminal activity.

I think I’ll pass on the Never Hillary sticker for now.

The crime scene

So our evidence consists of one compromised Republican store, which was fitted with hidden skimming software at least 6 months ago (dissection of the malware here). And we have two Russian credit card harvesters with the rather boring names jquery-cloud.net (March) and jquery-code.su (October).

Follow the money

The older harvester jquery-cloud.net was registered in December 2015 by an American lady with a Chinese fax number and a fake email address. The newer harvester, jquery-code.su, is registered anonymously per 24th of August.

Both domain names are hosted by a company called Dataflow, as is shown by the nameservers and IP addresses. Curiously, the Dataflow network and the jquery-cloud.net domain name were created in the same week:

descr:          DDoS Protected Network DATAFLOW.SU
origin:         AS203624
mnt-by:         MNT-DATAFLOWSU
created:        2015-12-28T22:37:25Z

A hornet’s nest

Dataflow has a Russian language website but is registered in Belize on November 3rd, 2015. It advertises with:

Offshore […] Solutions with protection from DDoS to 350 Gbit : Belize, Panama, Seychelles

Its office is registered here:

This address shows up in the Panama Papers and is - coincidentally - also the home of a trust office called Alpha Offshore, who

is an international provider of legal corporate tax planning services. Mainly, we focus on registering companies in countries that use preferential taxation policies and in offshore jurisdictions

Dataflow has a very small network of just 2 blocks (512 IPs) and you can look up what else runs on that network. Its owners deserve praise for collecting about every kind of online fraud known to man: money laundering, synthetic drug trade, darknet messaging, phishing and spam.

Estimated black market yield

Money Power Respect

I do not know how many credit cards were stolen from the Republican store but I can make an educated guess. According to TrafficEstimates, the Republican store has received some 350K visits per month lately. A conservative conversion ratio of 1% yields 3500 stolen credit cards per month, or 21K stolen credits cards since March. Black market value per card is between $4 and $120, so I assume a modest $30 per card. The villains could have made roughly $600K on this store alone.

Note, this is just the criminal yield. The monetary loss for society is higher, as credit card companies reimburse their clients for fraudulent deductions (actual deductions are much higher than the black market value!) and conduct investigations. They shift these fraud handling costs to their clients, so that merchants pay a higher transaction fee and, in turn, shift this to their customer (you).


This clever form of card skimming has been going for a while, at least since March. The culprits are hiding behind an shelf company in Belize. Their business is growing rapidly, which I will illustrate in a next post.

Economics and culture of credit card laundering.

Donald Trump’s view on cyber security.

A peek in the dark world of credit card laundering

Carders Market The world of card laundering is both alienating and oddly human.

I assumed that credit card fraud was big, but I only experienced how big after I stumbled upon this black market. Or rather, the public tentacles of a hairy underground scene. Which strangely enough has much of the dynamics of a regular market for, say, cattle.

Carder economics 101

This is how it generally works. Cards get stolen physically (“skimmed”) or online. In the latter case, there is either a breach of data: hackers steal a badly encrypted card database. Famous cases: Target, Home Depot, Adobe.

Another class is breach of process: hackers inject themselves somewhere in the payment process to digitally “skim” the payment data. No need for decryption, but stealth is required, as collecting credit cards takes time.

After the theft, the cards have to be sold quickly while they are still “fresh”. The value of stolen cards deteriorates as the chances of discovery increase.

To connect buyers and sellers, hundreds of sites exist, ranging from basic forums to sophisticated reputation-based markets. Have a go and Google for “cvv market”. And this is probably only the tip of the iceberg, as the biggest markets are rumoured to be hidden behind tor proxies (aka the “dark web”).

high limit cards

Interestingly, these exchanges have all the properties of a mature market.

First, a standardized lingua franca exists to conduct business. You gotta know the difference between Dumps and Fullz. See glossary below.

Pricing is very transparent and somewhat stabilized, with a German card going for $15 but a Visa Black Card will cost you $120.

All sorts of peripheral services swarm the traders, such as escrow services, high-volume card verification services and anonymized messaging.

Supporting technology has been standardized. Vendors demand payment in Bitcoins or Western Union. All sites run on the network of DDoS-protection provider Cloudflare, which hides the owner’s identity and protects against attacks from agitated competitors. (Some people protested that Cloudflare doesn’t do shit about this.)

Carding culture & cognitive dissonance

These trading sites offer a quaint view of the carding culture. As is to be expected, these market places are made up of grotesque pictures of money and weapons. Its (probably adolescent) members name themselves after famous mafia bosses.

Money, Power, Respect

However, the dynamics of the market resemble that of the ordinary world. It is almost as if people are trading second hand kitchen appliances. Ironically, sellers of stolen goods vow to be trusted:

We are verified on various well known underground/carding forums. So when you deal with Gold Bank Cards you are 100% safe.

Traders vie for the best service, such as “customer support” and “quick replacements” on their stolen wares:

High Balance Dumps are guaranteed to handle swipes of $2k-$3k per time. Any High Balance card which fails to authorize for this range will be replaced

replacement policy

Trader TuxedoJesus gives an interesting insight in the psyche of a fraudster. Apparently the local expert, he humbly apologizes for his busy family life before lecturing his followers on the tricks of the trade:

Sometime it takes me until 48 hours because I also have a family and I also work. [..] remember that the information I give you is for educational purpose only!!!

Somewhere in this ocean of zeroes and ones, the emotional connection between trade and theft was severely lost.


Some basic fraudster vocabulary to make sense of this mess:

Carder: Somebody who sells or buys stolen credit cards

CVV: The actual details of a card which can be used for online purchases: the 16-digit code, name, expiry date etc. Not to be confused with the 3 digit verification code which is called “cvv2”.

Fullz: CVV plus private data (social security number), can in some countries be used to open bank accounts, phone subscriptions etcetera.

Dump: A copy of the magnetric strip of a card. Can be written to a blank card to create a duplicate. This duplicate can then be used in physical stores to pay.

101/201: Indicates “high quality” type of card (no restrictions/pin code). First digit denotes magnetic or chip equipped card.

VBV: Verified by Visa, these cards require an additional password when used in online transactions.

Further reading

Magento Paypal payments may break after June 17th

Paypal announced they will activate a new security policy on June 17th. Shops that use old SSL software will not be able to process Paypal payments after June 17th.

Update: the policy has been postponed to October 1st, 2016

1 out of 5 incompatible

As of June 15th, there are 194.000 global Magento shops that use SSL. About 20% have old, incompatible SSL certificates. Scan by Magereport.

paypal incompatible shops

Md5 and sha1 are absolutely outdated technologies, which are rightfully outlawed by Paypal.

Interestingly, there are also 61.000 shops who do not use SSL at all.

Who is not affected?

You are probably safe if your shop uses a major Payment Service Provider (such as Adyen), in which case your shop does not talk directly with Paypal.

How to fix?

Blatant self promotion :) Move your shop to a competent Magento hosting company who resolves these things so you don’t have to worry about it.

If you are stuck with a regular hosting company (or manage it yourself), see the excellent instructions by Anna Volkl.