Could there have been skimming abuse on this webshop website?

Listed: https://gwillem.github.io/2016/10/11/5900-online-stores-found-skimming/
Checked: http://urlquery.net/report.php?id=1476203674979
jQuery retirable: -http://www.gildan-indonesia.com/
Detected libraries:
jquery - 1.7.2 : (active1) -http://www.gildan-indonesia.com/skin/frontend/mts/default/mobilemenu/jquery-1.7.2.min.js
Info: Severity: medium
http://bugs.jquery.com/ticket/11290
http://research.insecurelabs.org/jquery/test/
Info: Severity: medium
https://github.com/jquery/jquery/issues/2432
http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
prototypejs - 1.7 : (active1) -http://www.gildan-indonesia.com/js/prototype/prototype.js
(active) - the library was also found to be active by running code
1 vulnerable library detected

Further insecurity: https://observatory.mozilla.org/analyze.html?host=gildan-indonesia.com

Cloaking detected: http://isithacked.com/check/www.gildan-indonesia.com%2F
for -www.gildan-indonesia.com/media/magehouse/slider.js

polonus
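The retire.js-style check described above (a vulnerable jQuery found by its version string in the script path) can be reproduced offline. The following is an added example, not code from the forum post or from the retire.js project: it pulls every script src out of a constructed HTML sample that mirrors the two script paths quoted above, parses the jQuery version from the file name, and compares it against the two issues the scan linked. The fix releases in JQUERY_ISSUES are my assumption of retire.js-style thresholds (one per release branch), not taken from the post; the "active" check the scanner performs by running code is not modelled.

```python
import re
from html.parser import HTMLParser

# Constructed sample page: it mirrors the two script paths reported for the
# shop in the post, plus a third script; it was not fetched from any site.
SAMPLE_HTML = """
<html><head>
<script type="text/javascript" src="/js/prototype/prototype.js"></script>
<script type="text/javascript"
        src="/skin/frontend/mts/default/mobilemenu/jquery-1.7.2.min.js"></script>
<script type="text/javascript" src="/media/magehouse/slider.js"></script>
</head><body></body></html>
"""

# Vulnerable ranges for the two jQuery issues the scan linked. The fix
# releases are an assumption (retire.js-style "below" thresholds, one per
# release branch); verify them against the advisories before relying on them.
JQUERY_ISSUES = [
    {"ref": "http://bugs.jquery.com/ticket/11290",
     "fixed_in": [(1, 9, 0)], "severity": "medium"},
    {"ref": "https://github.com/jquery/jquery/issues/2432",
     "fixed_in": [(1, 12, 0), (2, 2, 0)], "severity": "medium"},
]

# Matches file names such as jquery-1.7.2.min.js or jquery.1.12.4.js
VERSION_RE = re.compile(r"jquery[-.]?(\d+)\.(\d+)(?:\.(\d+))?(?:\.min)?\.js$", re.I)


class ScriptSrcParser(HTMLParser):
    """Collect the src attribute of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def script_sources(html):
    parser = ScriptSrcParser()
    parser.feed(html)
    return parser.srcs


def jquery_version(src):
    """Return (major, minor, patch) parsed from a jQuery file name, or None."""
    filename = src.rsplit("/", 1)[-1]
    m = VERSION_RE.search(filename)
    if not m:
        return None
    return tuple(int(part or 0) for part in m.groups())


def is_below_fix(version, fixed_in):
    """True if the version predates the fix release of its own branch."""
    same_branch = [f for f in fixed_in if f[0] == version[0]]
    if same_branch:
        return version < same_branch[0]
    # No fix listed for this branch: older branches are still affected,
    # newer branches (e.g. 2.x for a 1.x-only issue) are not.
    return version < min(fixed_in)


def vulnerable_jquery(html):
    """List (src, version, reference, severity) for each retirable jQuery hit."""
    findings = []
    for src in script_sources(html):
        version = jquery_version(src)
        if version is None:
            continue
        for issue in JQUERY_ISSUES:
            if is_below_fix(version, issue["fixed_in"]):
                findings.append((src, ".".join(map(str, version)),
                                 issue["ref"], issue["severity"]))
    return findings


if __name__ == "__main__":
    for src, version, ref, severity in vulnerable_jquery(SAMPLE_HTML):
        print(f"{severity}: jQuery {version} in {src} -> {ref}")
```

Version detection from file names is only a first pass: a renamed or bundled copy of jQuery will slip past it, which is why the scanner also fingerprints the library at runtime.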

The likely candidates on that list were all reported to Google Safe Browsing by security expert, Willem de Groot.
I did not check them all, but here is another one where cloaking is being detected, meaning the site appears differently to Google and Googlebot.

Re: http://isithacked.com/check/www.jomso.com -> see the scripts where Redleg’s File Viewer found potential issues: -https://aw-snap.info/file-viewer/?tgt=http%3A%2F%2Fwww.jomso.com&ref_sel=GSP2&ua_sel=ff&fs=1
Do not open that above broken fileviewer link unless you know what to do with it (pol).

3 vulnerable libraries to be retired: http://retire.insecurity.today/#!/scan/14c46d1748a578c7a5994e08c515b44c0d2a4faff623b80ac408c3e14bdc03cf
The code that was alerted for starts at line 1509. Info on Magento sites labeled “This site may be hacked” or “This site may harm your computer”.
And as we see with this hack, it comes heavily obfuscated. jsunpack:

line:4: SyntaxError: missing ; before statement:
error: line:4: Note: This block of obfuscated script looks suspicious.

And yes, dear forum friends, it is being missed by many a scan: https://sitecheck.sucuri.net/results/www.jomso.com

But are your personal data safe at that webshop site? I really doubt it. Lack of monitoring may make things even worse.

polonus (volunteer website security analyst and website error-hunter)

This seems to be the solution to this form of online skimming fraud, and rotating CVV codes should be brought in by financial institutions a.s.a.p., read:
http://www.thememo.com/2016/09/27/oberthur-technologies-societe-generale-groupe-bpce-bank-this-high-tech-card-is-being-rolled-out-by-french-banks-to-eliminate-fraud/

Damian

Just to demonstrate that we have similar patterns here and the same chunks of heavily obfuscated suspicious JavaScript, we checked here:
http://isithacked.com/check/shop.bjork.com
And again cloaking detected. There is a difference of 60802 bytes between the version of the page you serve to Chrome and the version you serve to GoogleBot.

And here we will find all of it reported and analysed: -https://aw-snap.info/file-viewer/?tgt=http%3A%2F%2Fshop.bjork.com&ref_sel=GSP2&ua_sel=ff&fs=1 Do not open the previous blocked link if you do not know what to do with Redleg’s file viewer. (polonus).

The scan found some potential problems in the code; this should pop you down to the lines where the obfuscated script resides, damaging Magento:
on line 58, on line 60, on line 62, on line 64, and on line 65.

polonus
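The cloaking check referred to in this post and the one above (a page that differs by tens of kilobytes between what a browser gets and what Googlebot gets, with the extra bytes being obfuscated script) can be reproduced as a defender-side comparison. The following is an added example, not code from the forum posts or from the isithacked.com service: it takes the two response bodies, reports the byte difference, isolates the inline scripts present only in the browser version, and scores each for distinct obfuscation indicators (eval, unescape, fromCharCode, hex escapes and the like). The two HTML samples and the inline script are constructed and inert; the user agent strings, the indicator list and the threshold of two indicators are my assumptions. The fetch helpers show how the same comparison would be run against a live URL but are not called by the demo.

```python
import hashlib
import re
import urllib.request

# Constructed responses standing in for what a shop might serve to a normal
# browser and to Googlebot. Both are made-up samples, not fetched from any
# site; the inline script is inert text built only to trip the indicators.
BROWSER_PAGE = """<html><head><title>Shop</title>
<script src="/js/prototype/prototype.js"></script>
</head><body><h1>Shop</h1>
<script>var _0xab12=["\\x63\\x61\\x72\\x74","\\x6e\\x75\\x6d"];eval(unescape("%76%61%72%20%61%3d%31"));String.fromCharCode(99,97,114,100);</script>
</body></html>
"""

GOOGLEBOT_PAGE = """<html><head><title>Shop</title>
<script src="/js/prototype/prototype.js"></script>
</head><body><h1>Shop</h1>
</body></html>
"""

# Assumed user agent strings for the two fetches of a live check.
BROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/54.0 Safari/537.36")
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.S | re.I)

# Each indicator counts once, however often it appears, so the score is the
# number of distinct obfuscation techniques seen in one script body.
OBFUSCATION_TOKENS = ("eval(", "unescape(", "fromCharCode", "\\x", "%u",
                      "atob(", "document.write(")


def inline_scripts(html):
    """Bodies of non-empty inline <script> blocks, whitespace-trimmed."""
    return [body.strip() for body in SCRIPT_RE.findall(html) if body.strip()]


def obfuscation_score(js):
    return sum(1 for token in OBFUSCATION_TOKENS if token in js)


def compare_responses(browser_html, bot_html, threshold=2):
    """Report what the browser version carries that the crawler version lacks."""
    browser_bytes = browser_html.encode("utf-8")
    bot_bytes = bot_html.encode("utf-8")
    bot_scripts = set(inline_scripts(bot_html))
    only_browser = [s for s in inline_scripts(browser_html) if s not in bot_scripts]
    return {
        "byte_difference": abs(len(browser_bytes) - len(bot_bytes)),
        "identical": hashlib.sha256(browser_bytes).digest() == hashlib.sha256(bot_bytes).digest(),
        "scripts_only_in_browser": only_browser,
        "suspicious": [s for s in only_browser if obfuscation_score(s) >= threshold],
    }


def fetch_with_ua(url, user_agent, timeout=15):
    """Fetch a page as a given user agent (network; not used by the demo)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def check_cloaking(url):
    """Live variant of the comparison: same URL fetched with two user agents."""
    return compare_responses(fetch_with_ua(url, BROWSER_UA),
                             fetch_with_ua(url, GOOGLEBOT_UA))


if __name__ == "__main__":
    report = compare_responses(BROWSER_PAGE, GOOGLEBOT_PAGE)
    print(f"byte difference: {report['byte_difference']}, identical: {report['identical']}")
    for script in report["suspicious"]:
        print(f"suspicious script (score {obfuscation_score(script)}): {script[:60]}")
```

A non-zero byte difference alone is not proof of compromise (legitimate sites vary content by user agent too); the signal the scanners above rely on is that the browser-only portion is a large, obfuscated script, which is what the score isolates for manual review.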

This was the most disturbing news of that whole criminal skimming scheme:
See: https://gwillem.github.io/2016/10/04/how-republicans-send-your-credit-card-to-russia/

Willem de Groot’s report of mentioned abuse only met with deafening silence.
I also missed it being reported by MSM :o

More background info: https://www.riskiq.com/blog/labs/magecart-keylogger-injection/

polonus

What to do under the given circumstances with a vulnerable Magento webshop website?

I checked a high risk site against three scanners.

  1. Fetch: http://fetch.scritch.org/%2Bfetch/?url=http%3A%2F%2Feverstylish.com&useragent=Fetch+useragent&accept_encoding=

  2. Redleg’s File viewer scan: -https://aw-snap.info/file-viewer/?tgt=http%3A%2F%2Feverstylish.com&ref_sel=GSP2&ua_sel=ff&fs=1
    And found a big chunk of obfuscated script towards the end of the source page.
    Re: https://www.hybrid-analysis.com/sample/8632db958d3d24a21551e80597ccc5672c924794407d973795dd3519339a3330?environmentId=100

  3. Here I found the site has not applied various Magento security patches, and so is vulnerable: https://www.magereport.com/scan/?s=http://everstylish.com/ It is on an unprotected importer and has unprotected developer files.

I advise Magento shop website owners to do a free scan against MageReport (3.).
It will certainly make you aware of your present (in)security situation.

polonus (website security analyst and website error-hunter)

Update: From the Willem de G. list 176 webshop websites were found by F-Secure to be really malicious.
But the number of insecure, vulnerable Magento websites is considerable.
Let us look at another example.
A scan at MageReport: https://www.magereport.com/scan/?s=https://en.titoloshop.com/
detected 2 vulnerabilities. The admin/downloader is unprotected, and should be protected through installing hypernode emergency filter.
Also, security patch 9788 (risk rating High, against the admin account hack vulnerability) was not installed.

Then we have other insecurity on the website. Excessive server header info proliferation: nginx/1.10.1 with Comodo secure server CA.

Retirable code for the CloudFlare CDN tracking code & Googlecdn tracker → http://retire.insecurity.today/#!/scan/055e72954cffdb8a6aa0e8b8ca88afd4cc9139398a26f447a06e4c95194f4317

Risk rate 1 red out of 10: http://toolbar.netcraft.com/site_report?url=https://en.titoloshop.com

Script XSS-DOM insecurity working out on jQuery contact-form code: http://www.domxssscanner.com/scan?url=https%3A%2F%2Fconnect.facebook.net%2Fen_US%2Ffbevents.js 5 sources, 8 sinks.

More security issues detected: https://observatory.mozilla.org/analyze.html?host=en.titoloshop.com

polonus