Wanted: online stores that have quit

Are you planning to shut down your online store? Sorry to hear that. However, your domain name could be a valuable tool to trap hackers. Please consider donating your online presence to the good cause: fighting online fraud.

As e-commerce crime becomes more sophisticated, it becomes harder to track new attack methods. Currently, new techniques are discovered like this:

  1. Consumer sees unauthorized payment, calls bank
  2. Bank gets lots of complaints, identifies common denominator, calls the likely compromised merchant
  3. Merchant asks agency or ISP to launch security investigation
  4. Technician sifts through millions of log entries
  5. Technician curses, finds hack entry point and identifies new attack method

Doesn’t sound very efficient, right?

Getting ahead of fraud

Holy grail: identify new attacks before they can do any damage. This would be a whole lot easier if we could filter out legitimate traffic.

One approach is to set up a new (fake) store that doesn’t have any real customers (aka a honeypot). However, apart from the work involved in creating a realistic-looking store, it has a major disadvantage: it lacks credibility. It is not included in any search engine result or in any list that circulates among fraudsters. And criminals browsing the site will quickly see that it is fake. So the chances of actual hack attempts are slim.

The best approach would be to use a real store without real customers. One that has been around for a while but has gone out of business. This store likely sees hack attempts on a daily basis and is included in lists of target e-commerce sites that are sold on the dark web. Apart from search engine traffic, any other traffic is likely suspect. This would tremendously reduce the analysis effort.

How does it work

We would copy your template (just the looks, not any code, history or data!) and point your domain name to a specially equipped server.

Then, all requests to endpoints that require authorization (such as the backend panel) will be logged. As these endpoints are no longer in use, any traffic to them is highly suspicious and will be investigated. If a source IP sends requests beyond a certain threshold, it will be added to a list of known hack networks. Other stores can use this list to block access to their stores. And when new attack methods are discovered, they will be published so that proper protection can be built.
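The logging and threshold step described above could look like the sketch below. It is an added example, not code from the honeypot itself; the combined access log format, the path prefixes `/admin` and `/backend`, and the threshold of 3 are assumptions made for illustration.

```python
import re
from collections import Counter

# Assumed for this example (not from the post): combined log format,
# the restricted path prefixes, and the threshold value.
RESTRICTED_PREFIXES = ("/admin", "/backend")
THRESHOLD = 3
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+)')

def is_restricted(path):
    """True if the request path is a restricted endpoint or lies below one."""
    p = path.split("?", 1)[0].lower()  # ignore query string and letter case
    return any(p == pre or p.startswith(pre + "/") for pre in RESTRICTED_PREFIXES)

def suspicious_hits(lines):
    """Count requests to restricted endpoints per source IP."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_restricted(m.group("path")):
            hits[m.group("ip")] += 1
    return hits

def blocklist(lines, threshold=THRESHOLD):
    """Source IPs whose restricted-endpoint requests exceed the threshold."""
    return sorted(ip for ip, n in suspicious_hits(lines).items() if n > threshold)

# Constructed sample traffic (documentation IP ranges, not real observations).
_FMT = '{} - - [01/Jan/2024:10:00:00 +0000] "{} HTTP/1.1" 404 0 "-" "-"'
SAMPLE_LOG = [_FMT.format(ip, req) for ip, req in [
    ("203.0.113.7", "GET /admin"),
    ("203.0.113.7", "POST /admin/index.php?key=abc"),
    ("203.0.113.7", "POST /Admin/login"),
    ("203.0.113.7", "GET /backend/"),
    ("198.51.100.20", "GET /admin/"),
    ("198.51.100.20", "GET /backend"),
    ("192.0.2.55", "GET /"),
    ("192.0.2.55", "GET /administrator-guide.html"),  # not under /admin/
]]

if __name__ == "__main__":
    for ip, n in suspicious_hits(SAMPLE_LOG).most_common():
        print(f"{ip}\t{n} restricted-endpoint requests")
    print("blocklist:", blocklist(SAMPLE_LOG))
```

Sources that stay at or below the threshold are still counted, so they remain available for investigation without being pushed to the shared list.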

Please contribute

If you plan to let your store domain name expire, please donate it instead. With your help, we can:

  1. Find new botnet IPs of criminal gangs
  2. Monitor and discover new attack methods
  3. Proactively protect e-commerce

Get in touch!

I am the creator of MageReport and have been tracking payment skimmers since 2015. My company Sanguine Security provides security solutions for online stores. If you need a solid cleanup & root cause analysis, do get in touch.