Fake shops are making a killing from counterfeit trainers
29th June, 2020
Online shopping has surged since lockdown started in March. Many of us, looking to be healthier, have headed online for sports equipment and a number of sportswear retailers have reported booming online sales. John Lewis recorded a 72% increase in total sports shoe sales, while Adidas and Puma have both seen an increase in ecommerce revenue.
Shoppers browsing online for the best deals, however, need to take care, as many people would be surprised at the scale of fake shops. Each day we find new fake shops designed to entice shoppers away from bona fide outlets, as many brands have yet to find effective countermeasures.
Counterfeit shoes, clothing and other accessories are estimated to lose the industry more than €26 billion each year in the EU alone, while the loss due to all online counterfeiting is estimated at $323 billion a year. The OECD estimated that over 3% of all imports worldwide are counterfeit.
Traditionally fake shops claim to sell luxury consumer goods at highly discounted prices. We have seen fake shops using at least three different models:
- Payment is accepted, but no goods are delivered.
- At the end of the checkout process, an error message is displayed such as “Out of Stock” and no transaction occurs. This is equivalent to a phishing attack, as the fake shop has the consumer’s credentials.
- Payment is accepted, and goods are delivered. The quality of goods varies between junk and identical to the bona fide item.
Trainers are the most counterfeited goods
We currently block around 75,000 fake shops in our extension and apps. Of these, roughly half target a specific brand, such as Nike or Adidas. About 70% of the fake shops selling branded goods sell shoes, predominantly trainers.
Corroborating this, European customs authorities handle more cases of counterfeit sports shoes than any other type of product.
Fake shops by type of goods sold
Governments Introduce Coronavirus-specific Cybercrime Legislation
13th April, 2020
Governments and organisations globally have been making announcements that just a few weeks prior would have been unprecedented. As more of our lives are moving online in an attempt to adapt to changes brought about by the Coronavirus pandemic, many are trying out services they were previously unfamiliar with, such as video conferencing or online grocery shopping. While others are finding themselves with more time to pursue online hobbies such as gaming.
The combined effect of information overload and a mass of people using unfamiliar software and services has created an environment ripe for exploitation by cybercriminals.
Netcraft has tracked Coronavirus-themed cybercrime since 16th March, shortly after it was declared a pandemic by the World Health Organisation. While Netcraft continues to see high volumes of Coronavirus-inspired fake shops, advance fee fraud, phishing and malware lures, this post covers some of the trends Netcraft has observed since our previous posts on the topic.
Recently observed Coronavirus-themed threats
Fake Government information sites and mobile malware
Many governments have set up dedicated websites offering advice and services to support their citizens through the pandemic. Cybercriminals are taking advantage of this by providing copy-cat sites with a malicious twist.
In one recent campaign, the cybercriminals deployed a site that poses as the UK Government and offers “credit card refunds” for “COVID-19 support”. The fraudulent site uses UK Government branding and collects the victim’s personal information – including their credit card number, date of birth and telephone number.
Coronavirus Cybercrime Scaling Up
2nd April, 2020
Just like Coronavirus itself, the Coronavirus-themed cybercrime it has spawned is quickly becoming a pandemic of its own. Cybercriminals have been quick to take advantage of the media attention on the story, using lures with a Coronavirus theme. Many of the attacks Netcraft has observed have used the fear and uncertainty surrounding the situation to trigger a response from their victims.
Netcraft has tracked Coronavirus-themed cybercrime since 16th March, shortly after it was declared a pandemic by the WHO. This post covers some of the trends Netcraft has observed since our previous post on the topic.
Coronavirus certificates
Analysis of certificate transparency logs for new certificates covering hostnames containing keywords “COVID” and “Coronavirus” shows increasing numbers of certificates are being issued for Coronavirus-themed hostnames.
Whilst some of the certificates included in the graph will be being used for legitimate purposes, many certificates – particularly those which have been registered since the outbreak started – are being used to spread disinformation, host fake shops and pharmacies, serve phishing websites and to disseminate malware.
Coronavirus Cybercrime
27th March, 2020
Netcraft has tracked Coronavirus-themed cybercrime since 16th March, shortly after it was declared a pandemic by the WHO. Scammers have been quick to take advantage of the massive worldwide attention to Coronavirus (COVID-19), and are increasingly making use of it as a theme for online fraud.
Netcraft is the largest provider of anti-phishing takedowns in the world and provides countermeasures against some 75 other types of cybercrime for governments, internet infrastructure and many of the world’s largest banks and enterprises. Coronavirus-themed cybercrime accounts for around 5% of all the attacks we perform countermeasures against, even without accounting for attacks that may otherwise be attributed to existing phishing targets.
Coronavirus Phishing attack impersonating the World Health Organisation
Browsers on track to block 850,000 TLS 1.0 sites
3rd March, 2020
More than 850,000 websites still rely on the outdated TLS 1.0 and TLS 1.1 protocols that are scheduled to be blocked by the majority of web browsers this month. These older versions of the Transport Layer Security protocol, which date back to 1999 and 2006, are vulnerable to numerous practical attacks that have been resolved in later versions. Among the sites still using these outdated setups are major banks, governments, news, and telecoms companies. Big and small alike, such websites are about to be derailed by full-page browser warnings, with the added prospect of getting blocked entirely later on.
This all comes despite more than a year’s notice. Back in late 2018, the four largest browser vendors — Mozilla, Google, Apple, and Microsoft — jointly announced the deprecation of TLS 1.0 and 1.1, with support to be removed from their browsers in March 2020 or shortly thereafter. But a number of notable sites have not heeded these warnings, and have so far failed to switch to a version of TLS more modern than 1.0.
Firefox Nightly and Beta have already removed support for TLS 1.0 and TLS 1.1 and show a full-page interstitial warning, although they currently allow users to bypass it and to continue accessing the affected website.
Included in the list is Huawei, which is already under fire for its less than reassuring security practices. But it’s not just Huawei that’s letting TLS 1.0-only servers slip through the cracks — the UK’s largest mobile network, O2, uses a TLS 1.0-based redirect services on https://o2.co.uk. Governmental websites are also no exception, including the South Africa Justice department, justice.gov.za, and the California Tax Service Center, taxes.ca.gov. Usage of TLS 1.0 is also particularly prevalent on less popular sites or internal services — places where browser security warnings may go unnoticed for some time.
Uniqlo and The Guardian among thousands of sites loading malicious code from S3
29th August, 2019
Updated 05/09/2019: Fast Retailing Co has stated that the credit card fields were contained within an iframe, which meant they would not be collected by this generic skimmer. However, the remainder of the personal information provided by customers would have still been vulnerable if at least one non-credit card field happened to match a regular expression designed to find credit card numbers. Fast Retailing has stated it has “verified its order history database records for last several years and confirmed that there are no inputs in existing orders matching a regular expression designed to find credit card numbers in any non-credit card fields. While the malicious code would have been executed by visitors, based on the information available to Fast Retailing it is unlikely that customers who successfully placed an order would have had their personal data stolen”.
Uniqlo's website was infected with a shopping site skimmer for more than a week in May this year, following the addition of malicious JavaScript. The injected code was designed to silently 'skim' part of the checkout form and send a copy of the customer's details to the criminals under certain conditions. In this case, the attack was not successful as the credit card details were not vulnerable — Uniqlo's Australian site uses an iframe-based credit card form which means it was isolated from the malicious JavaScript.
Thousands more sites have also been compromised in recent months via the same underlying vulnerability that allowed criminals to alter the behaviour of the Uniqlo website — unsecured Amazon S3 buckets. The criminals took a shotgun approach to compromising as many files as possible. They got lucky with a bucket containing JavaScript files used on Uniqlo's site, one of the most visited shopping sites on the internet.
Skimmer on Uniqlo's website
We detected that Uniqlo's Australian online shop was running malicious JavaScript on 18th May 2019. While the skimmer was active, a copy of any data that was entered during the checkout process on Uniqlo’s Australian site would have been silently sent to a dropsite operated by criminals if it matched a regular expression designed to find credit card numbers.
Personal data entered into Uniqlo Australia's checkout page may have been stolen
E-commerce is responsible for nearly 10% of Uniqlo Japan's sales and Uniqlo's parent company Fast Retailing Co is one of the world's largest and most successful retailers, worth $62 billion. Uniqlo is the most-visited online shop on which we have found a skimmer to date. This is the second attack to which Uniqlo has fallen victim in recent times; in May it was announced 460,000 users of the shopping site may have had their details stolen following a credential stuffing attack.
The criminals altered the website's behaviour by adding obfuscated JavaScript code to the all of the resources Uniqlo hosts within its S3 bucket, hoping that at least one would be loaded by the website. By deobfuscating the code, we can reveal the data it captured and to where the stolen data would have been transmitted.
The code captured every input on the page accessible to the script
The code was designed to capture all of the data entered by customers into the checkout form. However, customers would not have had their credit card details stolen by the skimmer, as this part of the checkout form is loaded in an isolated iframe or is processed externally via Paypal. If the injected code did not find any other customer details where at least one field matched a regular expression designed to find credit card numbers, none of the data would be stolen.
Unlike the skimming code used in the attacks against Cleor and British Airways, this JavaScript code is very generic and is designed to function on multiple websites without modification. It harvests all form fields (by looking for input, select, and textarea elements) whether or not they are part of a specific checkout form.
![The captured data is transmitted to cdn-c[.]com](/images/2019/06/uniqlo-loadimage.png)
The captured data is transmitted to cdn-c[.]com
At the time we discovered the attack, the Last-Modified header from the infected JavaScript files within the S3 bucket suggested that they had been harbouring malicious code since at least 13th May.
Uniqlo Australia was Uniqlo's only online shop that appeared to be affected by this attack. We alerted Uniqlo to the compromise and the malicious code was removed from the affected files on 21st May.
Unsecured S3 buckets
This type of attack — in which criminals target less-secure parts of an organisation's supply network — are known as supply chain attacks. This is not the first time supply chain attacks have been used to insert malicious JavaScript into websites. However, we have not identified the exploitation of unsecured S3 buckets to inject code intended to steal personal data entered into a website until recently.
Amazon provides customers with the ability to configure the permissions on their S3 storage with Access Control Lists (ACLs). Using ACLs, users can specify who may view, edit, delete and upload files. In Uniqlo's case, the ACL was misconfigured, allowing any user to modify any of the files within the bucket:
{
"Grantee": {
"Type": "Group",
"URI": "http://acs.amazonaws.com/groups/global/AllUsers"
},
"Permission": "FULL_CONTROL"
},
The criminals took advantage of the lax permissions to add malicious code to every JavaScript file found in the S3 bucket. Uniqlo altered the permissions on the bucket after we provided them with the details of the incident.
Misconfigured permissions on S3 buckets have been the centre of a number of data leaks in the past few years with the NSA and GoDaddy among those affected.
A not-so-unique attack
The Guardian and HuffPost have also loaded compromised resources on their websites, though no customers were affected as the malicious code was loaded in an iframe. The malicious code is intended to work in resources loaded in <script> tags — when the criminals compromise other file types, the malicious code often does not work as intended. If the criminals had been targeting The Guardian, they could have inserted a very convincing phishing site into the article.
The Guardian's website served card stealing code
Software vendors Picreel and Translation Exchange, both of whom provide resources that are loaded on their customers' sites were also compromised. By adding malicious code to just these two buckets, the criminals infected over a thousand sites.
Criminal infrastructure
In all of these cases, the criminals have used the same attack vector and malicious skimming code. We have so far seen a total of six different dropsites that receive credentials from sites compromised in this way:
| Domain | Registered | Registrar | IP Address | Country | Hosting Company |
|---|---|---|---|---|---|
ww1-filecloud[.]com |
2019-01-30 | WebNIC | 45.114.8.162 | Hong Kong | Cloudie Limited |
font-assets[.]com |
2019-04-22 | Shinjiru | 179.43.144.137 | Panama | Private Layer |
cdn-c[.]com |
2019-05-13 | Namecheap | 94.177.123.154 | Russia | QHoster |
cdn-imgcloud[.]com |
2019-05-16 | Shinjiru | 45.114.8.160 | Hong Kong | Cloudie Limited |
js-cloudhost[.]com |
2019-05-17 | Ilovewww | 45.114.8.163 | Hong Kong | Cloudie Limited |
wix-cloud[.]com |
2019-05-17 | Shinjiru | 94.177.123.158 | Russia | QHoster |
This suggests that these attacks are carried out by a single criminal group as part of the same campaign. It is common for criminals to carry out campaigns with more than one dropsite as it makes it harder for their operation to be detected and stopped.
Protect yourself
It is very difficult even for the most tech-savvy consumers to spot a JavaScript skimmer when browsing, making skimmers an invisible threat to online shopping safety. Netcraft's browser extensions and Android app provide protection against online threats, including shopping site skimmers, other forms of malicious JavaScript and phishing.
Companies with customers within the EU that fail to adequately protect personal information can face severe penalties; since GDPR was implemented in 2018, fines of €20 million or up to 4% of annual global turnover can be issued to non-compliant companies. British Airways currently faces a £183m fine from the ICO following a similar attack against its customers. A number of other high-profile shopping sites have recently fallen victim, including Misfit Wearables and ARCTIC.
Netcraft offers a range of services, including web application security testing, to protect organisations and their customers against malicious JavaScript and other forms of attack.