For at least six months, the online store at the National Republican Senatorial Committee site had “hidden skimming software” in the form of malicious JavaScript code. It was far from the only store hackers had compromised via exploiting vulnerabilities in unpatched versions of ecommerce platforms, such as Magento. In fact, at least 5,925 stores were unwittingly participating in online skimming attacks run by multiple cybercriminal groups. Dutch researcher Willem de Groot estimated that 85 stores are compromised daily.
When De Groot wrote about the nearly 6,000 online shops infected with skimming code, he explained:
Once a store is under control of a perpetrator, a (JavaScript) wiretap is installed that funnels live payment data to an off-shore collection server (mostly in Russia). This wiretap operates transparently for customers and the merchant.
After De Groot published his research, which included a list of infected stores, many online shop owners were in denial about being infected, claiming to be safe because the store used HTTPS or a third-party provider handled payments. Some even quietly removed the malware and then threatened to sue him if he didn’t remove the store from the list that was originally published on GitHub.
But without any warning, GitHub deleted the list of stores that contained skimming malware.
Willem de Groot While De Groot understood GitHub didn’t have the resources to investigate every DMCA notice, he was surprised “that GitHub censors data so easily.” He argued that 332 online stores had removed the malware right after the list went public, but another 170 had been compromised.
He believed that making the list public served as a warning to potential shoppers and as notification of infection to online store owners. He added, “Between Oct. 10 and Oct. 14, 631 stores have been fixed.”
So, after GitHub “censored” his research by deleting it on Oct. 14, De Groot moved his research data to GitLab; except GitLab also deleted the list.
On Hacker News, De Groot shared the statement about the takedown that GitLab had sent him.
GitLab has opted to remove the list of servers that you posted in your snippet. GitLab views the exposure of the vulnerable systems as egregious and will not abide it. While GiLab reserves the right take further action, up to and including termination (https://about.gitlab.com/terms/), we have chosen not to terminate or lock your account.
Please know this decision was not reached lightly, and we appreciate your understanding on the matter.
Yet De Groot disagreed, saying:
For the record, I didn't publish vulnerable systems, I published stores that have malware.
Whether or not the discussion on Hacker News played into the decision, GitLab had a change of heart.
Sid Sijbrandij, the CEO of GitLab, called De Groot and apologized. GitLab also published an apology, explaining that GitLab strongly believes in responsible disclosure and “publishing a list of servers that are vulnerable or hacked without contacting the owner first and giving them time to remedy the situation is not OK.”
Sijbrandij added:
But in this case, the victim of the vulnerability is not only the owner but also the users of the web store. The owners of web stores have a responsibility to their users. And it is in the user’s interest to have the list published so owners fix their stores. We currently think that the interest of the user weights heavier. Therefore, we reinstated the snippet.
GitLab As of Oct. 14, there were 5,484 stores on the list. De Groot previously estimated that about 85 stores are infected every day. Multiple cyber-thug groups are compromising online stores with “three distinct malware families with a total of nine variants” of skimming JavaScript malware code. This would not be possible if store owners would be responsible for maintaining their sites by patching vulnerable ecommerce software.
Store owners, De Groot said if you stopped your “sloppy maintenance” and cleaned your store, shoot him an email, preferably with proof, and he will be happy to remove your store from the list of compromised online shops. If you are not on the list, but don’t bother to patch your site when a software update is available, then it is just a matter of time until your vulnerable site is hacked and criminals starting skimming your customers' payment information.
Shoppers, in the end, you have been warned so that you don’t buy something from an infected site and end up having your payment data skimmed and sold. Unless you like contacting the bank or credit card company to dispute fraudulent charges and then waiting for a new card, you should steer clear of any store on the list.