Hackers cop a FILA thousands of UK card deets after slinking onto clothing brand’s servers


Sportswear brand FILA is the latest company to fall victim to the card-stealing JavaScript infection that menaced British Airways and Ticketmaster last year.

Russian security house Group-IB said it discovered and reported to FILA UK an infection known as GMO that was active on the site for the last four months and may have sniffed the payment card information of thousands of customers.

What’s worse, the researchers reported that, despite multiple attempts to reach FILA, they have been unable to get the card-stealing code removed.

FILA did not respond to our request for comment on the allegation.

According to Group-IB’s threat hunters, the GMO infection is very similar to the card-harvesting JavaScript in that an attacker covertly slips onto the server of the targeted company and collects card numbers locally – only later updating them to a collection server at a set time. Such attacks can be particularly difficult to detect as they do not produce a steady stream of traffic out of the infected machine.

“One-line card stealing code downloads a JavaScript Sniffer once a customer lands on a checkout page, which intercepts credit card data and sends it to local storage. After, the payment cards’ details are sent to the JS Sniffer’s gate which is located on the same server as a JS Sniffer script itself,” said Group-IB CTO Dmitry Volkov.

“Cybercriminals might have injected a malicious code by either exploiting a vulnerability of Magento CMS [content management system], used by FILA.co.uk, or simply by compromising the credentials of the website administrator using special spyware or cracking password with brute force methods,” Volkov added.

Just how many customers could have fallen victim to the attack is difficult to say. Group-IB used a loose estimate based on monthly traffic figures and a 1 per cent conversion rate (ie, 1 per cent of people who visit the site end up buying something) to arrive at an estimated figure of around 5,600 compromised cards.

Group-IB said that FILA is likely not alone in falling victim to this latest variation of JavaScript malware harvesters. The researchers found six other unnamed websites to be similarly infected with the card-stealing scripts, and will be reaching out to US and UK police to help further suss out and stop any active infections. ®

Sponsored: Top 5 Threat Hunting Myths