Fake Google IDNs Used in Magento Skimming

[chris]

Another example of domain trust being abused by the bad guys, in this example it's card skimming attack on Magento ecommerce sites.

The Sucuri team found a website using the Magento e-commerce platform that had been blacklisted and was experiencing “Dangerous Site” warnings. It turned out that the site had been infected with a credit-card skimmer loading JavaScript from a legitimate-seeming Google Analytics domain. Closer inspection of the purported trusted Google site showed the URL to actually be “google-analytîcs[.]com” — not a Google site at all.

Further, once credit-card details are harvested, the data is sent to a remote server. This too uses a fake Google domain: “google[.]ssl[.]lnfo[.]cc.”

Tools like dnstwist are very effective at generating look-alike domains so you can track them down, but throw in gTLDs and it becomes almost impossible (.goog, .google google.whatever etc.).

You can check the full article here: https://threatpost.com/google-sites-card-skimming-thieves/146694/

Seems like we're seeing a lot more of these in recent months.

 

[Suzabro]

Another example of domain trust being abused by the bad guys, in this example it's card skimming attack on Magento ecommerce sites.





Tools like dnstwist are very effective at generating look-alike domains so you can track them down, but throw in gTLDs and it becomes almost impossible (.goog, .google google.whatever etc.).

You can check the full article here: https://threatpost.com/google-sites-card-skimming-thieves/146694/

Seems like we're seeing a lot more of these in recent months.

Scary stuff

 

[chris]

On some screens you can see the difference, but depending on the size and font it can look identical.

 

[Data Glasses]

It used to be you had to put a Url into caps on Sedo just to make sure it wasn't an Idn

 

[Scott7]

Great info, Chris. Similar crypto theft scams involving fake hardware wallet sites are on the increase too. Main thing there is never to enter your seed words using a keyboard. Always enter them on the hardware wallet itself.

 

[Erwin]

What will we have next..
dntrade.com.au
dntrade.au

 

[Data Glasses]

What will we have next..
dntrade.com.au
dntrade.au

I can't confirm but I believe chis has opted for DnTrade.Tv

 

[chris]

Tools like dnstwist are very effective at generating look-alike domains so you can track them down, but throw in gTLDs and it becomes almost impossible (.goog, .google google.whatever etc.).

Here's a very handy alternative to the command line called DNS Twister:

https://www.dntrade.com.au/threads/dns-twister-domain-variation-report-tool.12352/