It’s time to check your credit card statements. More than 5,900 online storefronts, including the National Republican Senatorial Committee (NRSC), which helps fundraise for Republican Senate candidates, were compromised in a hack this year. Dutch researcher Willem de Groot uncovered the suspicious code, which collects credit card data and passes it along to a Russian-language ISP. From there, it’s likely your credit card numbers are sold off to the highest bidder.
The hack caught web stores in the same way viruses and malware catch us: by exploiting known security vulnerabilities or guessing easy passwords. Once into the system, hackers avoided making changes that might be noticed, and instead added code the stores’ checkout pages that looked legitimate. And, again, just like hackers trick us, these hackers tricked retailers by sending data to addresses that appeared to be associated with ecommerce but were a character or two off from the actual address. While we know how easy it is for us to make these security mistakes, we expect retailers to do better.
There’s no evidence that this hack was political, like the hacking of Democratic National Committee emails. Instead, this attack solidly attacks the average person who just wants to buy a bumper sticker or make a donation.
The malicious code has been removed from the NRSC site, but it was active from March 2016 through October 5, giving hackers six months to collect financial information from contributors. It’s impossible to know for certain, but based on traffic to the NRSC site, de Groot estimates the hackers might have taken as many as 3,500 credit card numbers per month, for a total of 21,000 stolen since March. And as to how many cards may have been taken from the other 5,900 compromised sites? It’s impossible to say.
Unfortunately, the problem is far from over. Though the compromised sites have been made aware of the problem, only a small portion have removed the hack. According to de Groot’s latest scan, 340 of the original 5,900 have been fixed, while he found 170 newly compromised sites. (Here’s the list of compromised sites as of 10/14/16)
So how can you keep yourself safe? The most important thing to do is check your credit card statements. If you see any activity that you didn’t authorize, contact your financial institution immediately.
Secondly, and this really should go without saying at this point, use an anti-malware program that protects your PC or Mac against infected sites. A quick using our 2015 top pick, Bitdefender, shows that they are already blocking the affected sites. On top of that, make sure you’re shopping with large, known retailers online. While some reputable stores were caught by this exploit, they were also the ones who took prompt action to correct it.