CSIS Blog: Nike, ECCO, and Gucci injections

During the past couple of weeks, CSIS has been monitoring a wave of automated script injections carried out against vulnerable web servers.

The purpose is to lure visitors away from a legitimate website to a fake shop where, among other things, cheap Nike AIR running shoes are offered at less than half the market price. This is of course an outright swindle, and you should stay well away from this type of offer, which for good reason sounds too good to be true.

The wave in question is primarily aimed at older ASP installations and has even been adapted to the local language. Apart from Denmark, it also affects countries such as Sweden, Germany, Norway, Finland, and Austria. Apart from ASP, popular software packages such as Joomla and WordPress are also affected, as well as – and not least – their associated plugins.

Nike AIR is merely one part of a larger campaign in which naive users are tempted to buy pirated goods manufactured in Asia. Apart from Nike, the same instigators also offer cheap goods from, among others, Gucci and ECCO. The Gucci campaign is injected in the same manner as the Nike AIR campaign and is recognizable by a sub-page created with the name “gucci2014.html”, while the ECCO campaign uses “ecco-sko-børn-udsalg.html” (in English: ecco-shoes-children-sale.html).

ECCO

An example of a typical fake shop, which is active right now, is provided below:

The domain's ‘whois’ information has been hidden using Whoisprotection.cc, and the servers are physically located in China:

A list of legitimate Danish websites that have unwillingly had the malicious scripts and references embedded, and which thereby push their visitors on to swindle shops, can be found below:


On rejseplanen.dk, a sub-page was found whose blog function apparently accepts comments without any moderation. Note that here, unlike the other examples, the content is not live script injections but blog comments. That can of course still be harmful, but it is not as serious as actual script injections.

Besides redirecting visitors directly to the fake shop, URL shorteners such as bit.ly and simple script obfuscation are also used.

The domains that are most active right now, all of which have been blocked in CSIS Secure DNS, include for example:

bestbag-2014.com
js-jpshop.com
myjpstore.com

These domains, among others, resolve to the IP address 64.235.47.169, where it is easy to see that the server hosts a large number of fake domains.
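For site owners who want to check their own web root for traces of this campaign, here is an added example scanner (not CSIS's code) built on the indicators named in the post: the three active domains, the two campaign sub-page names, and bit.ly links. The obfuscation regex, the file extensions scanned and the sample HTML are constructed assumptions.

```python
import os
import re
from urllib.parse import urlparse

# Indicators taken from the post: active redirect domains, the tell-tale sub-page
# names of the Gucci/ECCO variants, and the shortener used to hide destinations.
CAMPAIGN_DOMAINS = {"bestbag-2014.com", "js-jpshop.com", "myjpstore.com"}
CAMPAIGN_PAGES = {"gucci2014.html", "ecco-sko-børn-udsalg.html"}
SHORTENERS = {"bit.ly"}
# Any absolute http(s) URL, whether quoted, unquoted, or inside script text.
URL_RE = re.compile(r"""https?://[^"'\s<>)]+""", re.I)
# Heuristic for "simple script obfuscation" (assumed pattern, not from the post).
OBFUSCATION_RE = re.compile(r"(?:eval|document\.write)\s*\(\s*unescape\s*\(|String\.fromCharCode\s*\(", re.I)
# Constructed page fragment with one injection of each kind, for a stand-alone run.
SAMPLE_HTML = ('<a href="http://bit.ly/abc123">tilbud</a><script src="http://js-jpshop.com/s.js">'
               '</script><a href=http://shop.example.dk/gucci2014.html>Gucci</a>')


def classify_url(url):
    """Label one URL: campaign domain, campaign sub-page, shortener, or None if clean."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host in CAMPAIGN_DOMAINS or any(host.endswith("." + d) for d in CAMPAIGN_DOMAINS):
        return "campaign-domain"
    if parsed.path.rsplit("/", 1)[-1].lower() in CAMPAIGN_PAGES:
        return "campaign-page"
    if host in SHORTENERS:
        return "shortener-review"  # not proof of compromise: resolve and inspect
    return None


def scan_html(text):
    """Return [(label, evidence)] for the content of one HTML/ASP/JS file."""
    findings = [(label, u) for u in URL_RE.findall(text) if (label := classify_url(u))]
    if OBFUSCATION_RE.search(text):
        findings.append(("obfuscated-script", "unescape/fromCharCode wrapper"))
    return findings


def scan_webroot(root, exts=(".html", ".htm", ".asp", ".php", ".js")):
    """Walk a web root and map each suspicious file path to its findings."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if name.lower() in CAMPAIGN_PAGES:  # the dropped sub-page itself
                report.setdefault(path, []).append(("campaign-page-file", name))
            if name.lower().endswith(exts):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_html(fh.read())
                if hits:
                    report.setdefault(path, []).extend(hits)
    return report
```

Run `scan_webroot("/var/www")` (or `scan_html(SAMPLE_HTML)` to see the three sample hits); bit.ly hits only mark links for manual review, since legitimate sites also use shorteners.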

A small fraction can be found below (spacing inserted by CSIS):


CSIS continues to block these domains in CSIS Secure DNS and generally warns against shopping in these shops. If you buy goods there, you will either receive nothing at all or only low-quality pirated goods.