Shanghaied shops & ABS / Scout detection, boutiques, negozi

Shanghaied shops & ABS / Scout detection

An  unlocked shop is a great temptation for criminals. That’s why the last thing most shop owners do in the evening is check that the doors are locked. But in the online world, thousands have left their virtual shop doors open. And they got hacked – surprise!

Now the one in control of the shop is not the site owner but the cybercriminal, and he proceeds to step 2 of the plan: To add a small script that forwards him the credit card numbers entered into the shopping system. They can be sold on the black market or used directly for shopping.

It has happened to thousands of shops

This is a tricky situation: The old and trusted web shop is suddenly engaging in something that can be defined as “phishing” – without the shop owner knowing anything about it.

For the customers:

Customers need to be careful: If they ignore warnings and enter their credit card details, this data will be directly submitted to the criminals. Other than the theft and likely misuse of their credit card details, their device will not be affected. So remember, just your money is at risk, not your device.

For the shop owners:

ABS (and Scout) now detects their pages as “Phishing”. As a shop owner, you might be a bit confused because you did not set up a phishing site. Well, someone else did – in your name and on your property – and is attacking your customers. It’s getting personal, so get your holy wrath ready and kick them out! After you have cleaned up your page (including fixing all vulnerabilities) please contact us here, describe how you cleaned the page, and maybe even add the keyword “Magento” (this is most likely the shopping software you are using, right?). This will allow us to review the page and remove the detection & warning for your shop.

100 points for the good guys – High five!

Naming the issue

For the user, it is yet another Phishing site. For the shop owner it is their beloved shop. We are looking for a better, more specific name to differentiate between the traditional “this page was created solely for criminal activities” and the more timely issue of “this page got shanghaied and assimilated into a criminal gang”. As soon as we have found something good, we will rename the detection and update this blog post.

What happened anyway?

Now that all important things are said, it’s time for a quick and painless history lesson:

  • The Dutch researcher Willem de Groot discovered that shops were being hacked about a year ago
  • Reports showed that reporting the affected shops to their owners did not help as hoped
  • He reported his findings to Google Safe Browsing
  • As this problem is now escalating, we are stepping in to protect our customers:
    • We’ve got the list
    • We’ve written tools to verify that the shops are still infected
    • We’ve added the dangerous shops to our ABS/Scout protection (to be exact, to our Avira Url Cloud database AUC)
    • We will constantly monitor the shops to keep the list up-to-date

Why did it take us so long

Well, it actually didn’t. Those infected checkout pages have been detected and blocked as phishing all the time. You have been protected but the protection happened rather late in the process: Namely after spending some time in the infected shop, filling up your shopping basket, and looking forward to checking out your goods. That’s when we initially intervened. Now, to help you not waste time, we are now blocking the full domain.

By the way, if you want some more information on the topic of shanghaied shops check out the links below:

Stay safe, protect each other
Thorsten Sick

This post is also available in: GermanFrenchItalian

I use science to protect people. My name is Thorsten Sick and I do research projects at Avira. My last project was the ITES project where I experimented with Sandboxes, Sensors and Virtual Machines. Currently I am one of the developers of the new Avira Browser