Credit card skimming on the rise for the holiday shopping season

As we head into shopping season, customers aren’t the only ones getting excited. More online shopping means more opportunities for cybercriminals to grab their share using scams and data theft.

One particular threat we’re following closely and expect to increase over the next several weeks is credit card skimming. Online stores are not always as secure as you might think they are, and yet you need to hand over your valuable credit card information in order to buy anything.

When a merchant website is hacked, the checkout page can be modified so that the card details a shopper types in are quietly copied to a server the attackers control, while the purchase itself goes through as normal. Often, the malicious code is right underneath the surface of the page and yet completely invisible to shoppers.

One particular skimming campaign we have been following picked up the pace drastically in October after a lull during the summer. With hundreds of stores compromised, you may come across it if you shop online on a regular basis.

The Kritec campaign

We first discovered this credit card skimming operation back in March 2023. It stood out from the rest due to its large volume, and the threat actors were also taking the time to customize their skimmer for each victim site, with very convincing templates that were even localized in several languages.

The experience was so smooth and seamless that it made it practically impossible for online shoppers to even realize that their credit card information had just been stolen.

Threat actors ramp up their activity just in time for the holiday season

In April this skimming campaign reached a peak and then slowed down during the summer. However, it came back, increasing to its highest volume in October. We measured this activity based on the number of newly registered domain names attributed to this threat actor; this is a proxy for how quickly the actor is building out infrastructure rather than a direct count of compromised stores.

The infrastructure is located on the IT WEB LTD network (ASN200313) registered in the British Virgin Islands.

How to shop safely online

If you are shopping online, and especially via smaller merchants (i.e., not Amazon, Walmart, etc.), you absolutely need to be extra careful. Unless you are able to perform a full website audit yourself, you simply can't be sure that the platform hasn't been compromised.

Having said that, if the website looks like it hasn't been maintained in a while (for example, it displays outdated information such as "Copyright 2018"), you probably should stay away from it. Most compromises happen because a website's content management system (CMS) and its plugins are outdated and vulnerable.

There are also tools that can detect malicious code embedded in websites. Most antivirus products offer some kind of web protection that blocks known malicious domains and IP addresses. But because threat actors are constantly swapping their infrastructure (the domain list below shows how quickly it churns), indicator-based blocking alone lags behind, so it is also a good idea to have some kind of heuristic detection for things like malicious JavaScript snippets.

Malwarebytes Premium offers web protection and is complemented by the Malwarebytes Browser Guard extension for more advanced in-browser detection.

We are also publishing a list of the infrastructure that includes domains we had previously not seen but obtained via retrohunting, so that those can be included in community blocklists ingested by third-party products.
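As an added example (this is not code from Malwarebytes or from the original post), the following Python script shows how a defender would consume a defanged IOC dump like the one below: it refangs and deduplicates the indicators, emits them as a plain-text blocklist, summarizes the IPs into covering ranges for analyst review, and scans proxy log lines for hostnames or destination IPs on the list. The IOC subset, the log line format and the log lines themselves are constructed for the demonstration.

```python
"""Turn a defanged Kritec IOC dump into a blocklist and scan proxy logs.

Added example, not Malwarebytes code. The IOC subset, the log format and
the log lines are all constructed for this demonstration.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed subset of the post's IOC list, defanged exactly as published
# (the duplicate line mimics what a copy-paste of the full list can contain).
RAW_IOCS = """
kritec[.]pics
druzit[.]quest
druzit[.]quest
shumtech[.]shop
195[.]242[.]110[.]102
45[.]88[.]3[.]114
195[.]242[.]111[.]96
"""

# Constructed, simplified proxy log: timestamp client method url destination-ip.
# Hostnames and IPs are kept defanged here for safety; refang() accepts both forms.
SAMPLE_LOG = """\
2023-11-08T14:02:11Z 10.0.0.5 GET hxxps://kritec[.]pics/js/checkout.js 195[.]242[.]110[.]102
2023-11-08T14:02:12Z 10.0.0.5 GET hxxps://www.example-shop.test/checkout 203.0.113.10
2023-11-08T14:03:40Z 10.0.0.9 POST hxxps://cdn.druzit[.]quest/collect 45[.]88[.]3[.]114
2023-11-08T14:05:02Z 10.0.0.7 GET hxxps://benign.example.test/img.png 195[.]242[.]111[.]96
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<dst>\S+)$"
)


def refang(token: str) -> str:
    """Undo common defanging ('[.]', '(.)', '[dot]', 'hxxp') and lowercase."""
    t = token.strip().lower()
    for old in ("[.]", "(.)", "[dot]"):
        t = t.replace(old, ".")
    if t.startswith("hxxp"):
        t = "http" + t[4:]
    return t


def parse_iocs(text: str) -> tuple[set[str], set[ipaddress.IPv4Address]]:
    """Split a defanged IOC dump into deduplicated domain and IPv4 sets."""
    domains: set[str] = set()
    ips: set[ipaddress.IPv4Address] = set()
    for line in text.splitlines():
        tok = refang(line)
        if not tok or tok.startswith("#"):
            continue
        try:
            ips.add(ipaddress.IPv4Address(tok))
        except ValueError:
            domains.add(tok)
    return domains, ips


def to_blocklist(domains: set[str], ips: set[ipaddress.IPv4Address]) -> list[str]:
    """One indicator per line, sorted, ready for a plain-text blocklist feed."""
    return sorted(domains) + [str(ip) for ip in sorted(ips)]


def summarize_ranges(ips: set[ipaddress.IPv4Address], prefix: int = 24) -> list[str]:
    """Covering /prefix networks for analyst review only: the post vouches for
    the exact IPs, and blocking whole ranges is a local decision."""
    nets = {ipaddress.ip_network(f"{ip}/{prefix}", strict=False) for ip in ips}
    return [str(n) for n in sorted(nets)]


def host_matches(host: str, domains: set[str]) -> bool:
    """Exact match or subdomain of a listed domain (cdn.druzit.quest hits druzit.quest)."""
    return any(host == d or host.endswith("." + d) for d in domains)


@dataclass
class Hit:
    ts: str
    client: str
    host: str
    dst: str
    reason: str  # "domain", "ip" or "domain+ip"


def scan(log_lines, domains: set[str], ips: set[ipaddress.IPv4Address]) -> list[Hit]:
    """Flag requests whose hostname or destination IP is on the IOC list."""
    hits: list[Hit] = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        host = urlsplit(refang(m["url"])).hostname or ""
        dst = refang(m["dst"])
        reasons = []
        if host_matches(host, domains):
            reasons.append("domain")
        try:
            if ipaddress.IPv4Address(dst) in ips:
                reasons.append("ip")
        except ValueError:
            pass
        if reasons:
            hits.append(Hit(m["ts"], m["client"], host, dst, "+".join(reasons)))
    return hits


if __name__ == "__main__":
    doms, addrs = parse_iocs(RAW_IOCS)
    print("\n".join(to_blocklist(doms, addrs)))
    print("covering ranges:", summarize_ranges(addrs))
    for h in scan(SAMPLE_LOG.splitlines(), doms, addrs):
        print(f"{h.ts} {h.client} -> {h.host} ({h.dst}) matched on {h.reason}")
```

The last sample line is the interesting one: its hostname is not on the list, but it was served from a listed IP, which is exactly the case where a domain-only blocklist stays silent while the actor rotates names on the same hosting. Treat an "ip"-only hit as a lead to investigate rather than an automatic block.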

Indicators of Compromise

Kritec domains

oumymob[.]shop
nujtec[.]shop
lavutele[.]yachts
tochdigital[.]pics
gemdigit[.]pics
vuroselec[.]quest
bereelec[.]quest
psyhomob[.]sbs
antohub[.]shop
kritec[.]pics
daichetmob[.]sbs
smestech[.]shop
interytec[.]shop
ribtech[.]shop
podobadigit[.]quest
yaknatec[.]pics
stacstocuh[.]quest
keistodigit[.]pics
shumtech[.]shop
metsimob[.]yachts
hovarelec[.]shop
vdoxdigit[.]pics
vushtech[.]sbs
tekeiteh[.]quest
tastmob[.]yachts
krasoticmob[.]space
pyatiticdigt[.]shop
frikctictempo[.]fun
secreelec[.]shop
yelyotech[.]pics
statemob[.]yachts
sviisdigit[.]quest
garnimob[.]sbs
povomob[.]shop
dvojnatech[.]sbs
petlelec[.]quest
helotec[.]pics
xiloditg[.]yachts
paunit[.]pics
rithdigit[.]cyou
dayspiselec[.]quest
uznatec[.]shop
nespomob[.]sbs
nebiltech[.]shop
bufelec[.]yachts
ledeehub[.]shop
greentechify[.]digital
ecosustain[.]digital
innovate360[.]digital
wellbeingtech[.]digital
inspireworks[.]digital
avtomob[.]sbs
otkridigit[.]quest
balacdigit[.]pics
schetdigit[.]pics
bantec[.]pics
jantech[.]quest
shotsmob[.]sbs
podbotec[.]sbs
shokomob[.]sbs
resuelec[.]yachts
xorotelec[.]quest
rozkatech[.]yachts
nasnamob[.]quest
ensdigit[.]quest
genlytec[.]us
onitzech[.]sbs
odintech[.]sbs
rebomob[.]quest
flattec[.]sbs
noanotech[.]sbs
fadyit[.]pics
lielecef[.]cyou
inlinedigital[.]pics
fantodelt[.]sbs
volosmob[.]pics
zahidelt[.]sbs
dychtech[.]shop
samopotele[.]yachts
stimob[.]pics
jestmob[.]pics
weitmob[.]shop
poidelt[.]sbs
perstech[.]shop
telehub[.]shop
projectmob[.]sbs
imhoelec[.]yachts
plactech[.]quest
sakwohub[.]shop
volonmob[.]sbs
lehelec[.]yachts
tochelec[.]quest
prijetech[.]shop
supermob[.]network
eluntec[.]info
chutech[.]works
stonworks[.]vip
hapermob[.]shop
seletech[.]markets
calcdigit[.]pics
shellmob[.]fun
valetec[.]pw
votedigit[.]shop
encit[.]yachts
defimob[.]bar
goponl[.]online
yukmob[.]store
tuchtoch[.]shop
sasaiso[.]cfd
aifanul[.]yachts
soplelec[.]pics
wudutec[.]shop
vonderdigit[.]quest
mutelec[.]quest
gemstec[.]yachts
genertech[.]pw
genstech[.]shop
effecttec[.]shop
bespitech[.]sbs
otpusmob[.]shop
yedelec[.]sbs
chokdigit[.]pics
poptec[.]sbs
aurelec[.]shop
stramdigital[.]yachts
sotkelec[.]yachts
funkomob[.]sbs
beatmob[.]pics
osobtech[.]yachts
kruktech[.]shop
volosmob[.]sbs
provtec[.]shop
dvanatech[.]yachts
druzit[.]quest
yololive[.]sbs
bachitech[.]pics
kamitac[.]shop
karadigit[.]quest
gachit[.]yachts
yalomob[.]pics
mopedigit[.]shop
macsetech[.]online
strajit[.]yachts
istoretc[.]shop
trepmob[.]sbs
animtech[.]quest
chekeelec[.]quest
kinotec[.]pics
zamlmob[.]pics
leritgo[.]sbs
autotec[.]shop
helinit[.]yachts
shpitech[.]quest
seletmob[.]online
hhfnsfsga[.]sbs
lemodigit[.]online
ttewe[.]quest
efromob[.]site
selentech[.]click
centridig[.]store
timetok[.]online
musatech[.]quest
digitstel[.]site
sintec[.]store
eleconuch[.]click
deletouch[.]shop
topostock[.]shop
dujetech[.]yachts
fletmob[.]sbs
semebit[.]online
kontec[.]quest
moldmob[.]site
lemtok[.]store
domelec[.]shop
hemidigit[.]click
teletoch[.]pics
temtoch[.]site
intescon[.]store
genimmob[.]online
teledomn[.]quest
stemtec[.]click
gemofab[.]store
tenastoc[.]click
kiligob[.]site
pelstec[.]online
vetitec[.]quest
denlog[.]shop
lemnidig[.]shop
fasfad[.]site
lishetoc[.]shop
ruepliz[.]click
stiornec[.]store
daisnetech[.]site
yavipustec[.]online
bednedigit[.]quest
sipletoc[.]site
olinmasot[.]click
verecey[.]quest
oleketec[.]store
etibuz[.]shop
comepetec[.]click
stiildig[.]store
hemogom[.]online
dzelonline[.]shop
tuctec[.]site
obogtec[.]quest
moboed[.]icu
shonowor[.]site
idopos[.]shop
mylase[.]click
henove[.]store
frodetraho[.]click
tromtustec[.]quest
bulkmob[.]store
tisimy[.]quest
depeyo[.]online
livepolitical[.]sbs
shareeffectiv[.]yachts
basewhit[.]quest
deliverclos[.]online
changeyellow[.]cfd
writefederal[.]click
dowonderful[.]store
deliverclos[.]sbs
stopfurther[.]sbs
usespecial[.]quest
startculturl[.]site
followmilitry[.]cfd
intesres[.]quest
androton[.]online
begistic[.]site
heptombo[.]store
felestech[.]click
gelimog[.]online
hasekytop[.]click
dekrenof[.]quest
gerelec[.]site
beresor[.]store
lenosmac[.]shop
hustiontec[.]store
teletouch[.]click
pilozol[.]quest
belmrs[.]click
jetomob[.]shop
gelenhan[.]online
lokotec[.]quest
plasmob[.]pics
shumocom[.]site
biposou[.]online
golyter[.]shop
cuvanil[.]quest
trevago[.]site
domog[.]shop
sgolen[.]store
vjevec[.]quest
spilotich[.]online
babtek[.]click
vozvrec[.]store
irlatok[.]shop
vkiten[.]click
golyadik[.]site
oklasdon[.]online
mihayam[.]shop
cutele[.]shop
hoohotic[.]click
pubupu[.]quest
genodigit[.]store
djutech[.]online
voouvdigit[.]site
zizitok[.]shop
ulyatec[.]quest
tuchtok[.]site
justlice[.]store
enisemol[.]click
tululudoc[.]online
nogtech[.]site
mageants[.]sbs
deshvoc[.]store
bolotoc[.]store
nepochtec[.]shop
bibstele[.]online
nechuvelec[.]click
gastdigit[.]quest
arastek[.]online
galeglob[.]quest
boroshtic[.]click
prodovjtec[.]shop
denetok[.]site
kalomob[.]store
avordic[.]site
chasoc[.]quest
jujoc[.]online
helostop[.]shop
zlakovos[.]click
obomob[.]site
miskotec[.]store
shakorot[.]site
nemojmob[.]online
najitel[.]quest
ragutech[.]shop
pershtec[.]click
nadoelec[.]space
odnydigit[.]quest
yamatel[.]store
jezesec[.]quest
samknut[.]click
imperel[.]site
pricetool[.]store
donashhack[.]online
chelotec[.]quest
stelor[.]shop
udamos[.]online
kurkumin[.]click
vedldeno[.]store
oifilon[.]site
igusfil[.]shop
cosmafit[.]click
tanuatech[.]quest
ifilone[.]site
sourite[.]online
becasotec[.]site

Kritec IPs

195[.]242[.]110[.]102
195[.]242[.]110[.]103
195[.]242[.]110[.]112
195[.]242[.]110[.]130
195[.]242[.]110[.]131
195[.]242[.]110[.]134
195[.]242[.]110[.]135
195[.]242[.]110[.]136
195[.]242[.]110[.]137
195[.]242[.]110[.]139
195[.]242[.]110[.]143
195[.]242[.]110[.]158
195[.]242[.]110[.]162
195[.]242[.]110[.]166
195[.]242[.]110[.]168
195[.]242[.]110[.]171
195[.]242[.]110[.]172
195[.]242[.]110[.]174
195[.]242[.]110[.]179
195[.]242[.]110[.]181
195[.]242[.]110[.]182
195[.]242[.]110[.]185
195[.]242[.]110[.]186
195[.]242[.]110[.]187
195[.]242[.]110[.]188
195[.]242[.]110[.]189
195[.]242[.]110[.]190
195[.]242[.]110[.]191
195[.]242[.]110[.]196
195[.]242[.]110[.]197
195[.]242[.]110[.]205
195[.]242[.]110[.]206
195[.]242[.]110[.]231
195[.]242[.]110[.]232
195[.]242[.]110[.]235
195[.]242[.]110[.]237
195[.]242[.]110[.]24
195[.]242[.]110[.]242
195[.]242[.]110[.]25
195[.]242[.]110[.]250
195[.]242[.]110[.]251
195[.]242[.]110[.]28
195[.]242[.]110[.]3
195[.]242[.]110[.]30
195[.]242[.]110[.]32
195[.]242[.]110[.]33
195[.]242[.]110[.]34
195[.]242[.]110[.]37
195[.]242[.]110[.]40
195[.]242[.]110[.]41
195[.]242[.]110[.]46
195[.]242[.]110[.]58
195[.]242[.]110[.]59
195[.]242[.]110[.]60
195[.]242[.]110[.]72
195[.]242[.]110[.]73
195[.]242[.]110[.]77
195[.]242[.]110[.]79
195[.]242[.]110[.]80
195[.]242[.]110[.]83
195[.]242[.]110[.]84
195[.]242[.]110[.]87
195[.]242[.]110[.]95
195[.]242[.]110[.]99
195[.]242[.]111[.]102
195[.]242[.]111[.]11
195[.]242[.]111[.]117
195[.]242[.]111[.]12
195[.]242[.]111[.]120
195[.]242[.]111[.]147
195[.]242[.]111[.]148
195[.]242[.]111[.]152
195[.]242[.]111[.]214
195[.]242[.]111[.]215
195[.]242[.]111[.]217
195[.]242[.]111[.]224
195[.]242[.]111[.]25
195[.]242[.]111[.]29
195[.]242[.]111[.]36
195[.]242[.]111[.]37
195[.]242[.]111[.]38
195[.]242[.]111[.]40
195[.]242[.]111[.]42
195[.]242[.]111[.]44
195[.]242[.]111[.]49
195[.]242[.]111[.]50
195[.]242[.]111[.]53
195[.]242[.]111[.]56
195[.]242[.]111[.]57
195[.]242[.]111[.]58
195[.]242[.]111[.]59
195[.]242[.]111[.]6
195[.]242[.]111[.]7
195[.]242[.]111[.]76
195[.]242[.]111[.]77
195[.]242[.]111[.]84
195[.]242[.]111[.]85
195[.]242[.]111[.]86
195[.]242[.]111[.]87
195[.]242[.]111[.]94
195[.]242[.]111[.]95
195[.]242[.]111[.]96
45[.]88[.]3[.]114
45[.]88[.]3[.]12
45[.]88[.]3[.]122
45[.]88[.]3[.]123
45[.]88[.]3[.]134
45[.]88[.]3[.]138
45[.]88[.]3[.]139
45[.]88[.]3[.]141
45[.]88[.]3[.]142
45[.]88[.]3[.]144
45[.]88[.]3[.]145
45[.]88[.]3[.]146
45[.]88[.]3[.]148
45[.]88[.]3[.]149
45[.]88[.]3[.]154
45[.]88[.]3[.]167
45[.]88[.]3[.]170
45[.]88[.]3[.]201
45[.]88[.]3[.]21
45[.]88[.]3[.]213
45[.]88[.]3[.]218
45[.]88[.]3[.]219
45[.]88[.]3[.]225
45[.]88[.]3[.]227
45[.]88[.]3[.]23
45[.]88[.]3[.]235
45[.]88[.]3[.]237
45[.]88[.]3[.]238
45[.]88[.]3[.]239
45[.]88[.]3[.]240
45[.]88[.]3[.]244
45[.]88[.]3[.]245
45[.]88[.]3[.]248
45[.]88[.]3[.]25
45[.]88[.]3[.]251
45[.]88[.]3[.]253
45[.]88[.]3[.]34
45[.]88[.]3[.]35
45[.]88[.]3[.]40
45[.]88[.]3[.]49
45[.]88[.]3[.]52
45[.]88[.]3[.]60
45[.]88[.]3[.]61
45[.]88[.]3[.]63
45[.]88[.]3[.]70
45[.]88[.]3[.]78
45[.]88[.]3[.]79
45[.]88[.]3[.]81
45[.]88[.]3[.]82
45[.]88[.]3[.]83
45[.]88[.]3[.]85
45[.]88[.]3[.]95
45[.]88[.]3[.]98
