Top Ranking Alexa Sites Compromised With Web Skimmer & Crypto Miner

Palo Alto Networks indicates that the high-traffic Alexa sites have been infected with crypto-miners and credit or debit card skimmers. Alexa is an online platform which scores and identifies websites based on ratings, performance, traffic as well as other metrics.

The  Domain affected with the Crypto miner and Credit & Debit card skimmer ;

  •                 Alex Rank =  1494                   Indonesia news websites
  •                        Alex Rank =  607                     Italy number one website that provides                                                                                                    different service 
  • www.heureka.CZ         Alex Rank =  5204                  Eastern Europe's biggest e-commerce site
  •         Alex Rank =   6579                  Popular Bangladesh News Website 

Hidden Cryptocurrency Miners 

Coinhive was a service that offers Monero a JavaScript miner. In March 2019, its shut down, mainly because malicious hackers have extensively exploited and abusing its service. Coinhive 's mineral script also provides two websites.

In this scenario, the attackers seem to have hurried to myself and neglected to configure it correctly, most of the attackers guarantee that a compromise device's power consumption remains low to prevent detection. The coin miner can also check how much CPU is used for a goal.

Over 60 URLs were identified in and with Coinhive JavaScripts mining codes. Whenever a user visits any of the above websites, the combination script will start running immediately.

Dangerous External Links Ads Injection

"Attackers inserted malicious links into car advertisements, which redirected visitors interested in the vehicle to a malicious site that injected them with the JSEcoin coin mining script,"

Although the scripts still run, despite JSEcoin's shutdown this April, malicious actors can no longer receive mined currency.

The picture below shows that many of these damaging external links on a one-page, infected website were placed: 

Credit & Debit card skimmer Attack

Credit & Debit card skimmer is also known has Megacart. Magecart attacks by using a malicious payload at the base of a web page to obtain credit card data. Researchers have discovered that online store has links that loads credit cards skimming scripts in its source code.

    Although the link appears to be hosted in the domain it actually redirects to other malicious  website

Which implies that hackers will load inject scripts into a page while concealing them into the affected domain's own redirect pages.

Palo Alto Networks Research also reveals the skimmer would 

  • Add event listener for [input, select, form, button, a, img].
  • When a number string passes credit card validation checks, it sends the information out
  • Construct the collection server URL and parameters, then send the information out. 

"Our research highlights that users need to exercise caution, even when visiting popular, apparently reputable websites. These are the same sites likely to generate the most income for attackers focused on malicious coinmining and web skimming,"

These conclusions happened at a time period, as a consequence of the COVID-19 pandemic, consumer internet purchases increased by at least 33%. Consumer should keep their anti-virus up-to - date to help protect them from such attacks

Previous Post Next Post