Sophisticated way to steal card info - SVG Onload Tag
JohnFilch123
Member
in General
Very interesting read
https://sansec.io/research/svg-onload-magecart-skimmer
What is more interesting, they report it is hosted on Incognet @MannDude thoughts?

Comments
I asked Bleeping computer for a report of the hostnames in question. The IP is a DirectAdmin shared hosting server and we have zero reports in any relevant inboxes about this.
Would like to address it, but haven't seen enough information to review it from our side yet.
Edit: Finally, an article with hostnames. In the office now and reviewing.
All domains were under one account. Suspended.
I was alerted of this article ( https://www.bleepingcomputer.com/news/security/hackers-use-pixel-large-svg-trick-to-hide-credit-card-stealer/ ) yesterday, but had no relevant emails in any of our abuse channels. I've had a few keyword alerts via email (I get alerts for "IncogNET", "IncogNET LLC", etc. as they're mentioned on the web) and from those articles hadn't seen the hostname(s), either. Just the IP and our business name.
Still reviewing things from our end but the host names in question have been suspended.
Don't forget to give notice to bleepingcomputer.com that you had suspended them
I can't... Looks like I am blocked from viewing the article. If I open a different browser where I'm not logged in, I can see it just fine. Unsure if they've blocked me or what.
When logged in, I just see, " You are not allowed to visit this community. " error message. When I open the same URL in a different browser, same IP as my logged in account, I see the article just fine.
Feel free to update them yourself if you've got an account.
I'm going to search all relevant inboxes now for "sansec" as well, to see if perhaps something got caught in spam or overlooked by mistake. Previous searches for "PolyShell" had no results, and searching for the shared hosting IP in question turned up only unrelated messages.
Oh, that was very fast. Thanks for reacting. As long as these guys are blocked this is fine.
You're probably visiting using your AS
https://web.archive.org/web/20260410004049/https://www.bleepingcomputer.com/about/
https://www.bleepingcomputer.com/news-tip/
For anonymous tips, you should use the Tor browser or you can contact us via Signal at (646) 961-3731.
url: https://www.bleepingcomputer.com/contact/
And probably get in touch with sansec as well.
https://sansec.io/contact
Already doing that.
I've checked:
Zero emails containing the keyword: "polyshell", "sansec", etc. So I'm curious if this was even reported to us and if so, where.
Shame... I guess these guys are concerned about posting rather than solving this. Personally, I have read about it on another website and luckily they put references, so this is how I found the link.
More jobs for you

Oh yes, especially this shit website
I mean they are all just reposting.
Problem is they also mention shared hosting IP address and advise people to block it.
Typical I guess.
Never seen anyone asking people to block IP addresses of Hostinger or other big shared hostings.
At that scale, it will be called as censorship
I guess upon review, the Bleeping Computers article that I was linked to did link to the same URL you posted, which did contain the hostnames in question.
The other couple articles I saw today from the Google keyword alerts did not have these, though.
But yeah... I responded to the original LET PM sent to me yesterday in 3 minutes and once I saw the hostnames was able to ID the account and suspend them all in a few minutes from this thread, so thanks.
Emailed sansec and messaged BleepingComputers on Signal. I'm going to consider this matter resolved for now.
And here I was wondering what people used shared hosting for anymore, well!
I guess we can't expect the internet full of reposters to contact IncogNET but a bit disappointing "sansec" didn't. Hopefully they attempted and it was a case of missed connections.
@MannDude consider adding meaningful Forward-confirmed reverse DNS for your shared hosting IP addresses to lower risk of security researchers treating your IP as safe to block without false-positives.
At least from what I can see, they (or anyone else) has not. They do sell a commercial scanning service so it's plausible that they'd rather find an issue and say they can protect against it as opposed to reporting it and getting it removed.
Done
UPDATE
SanSec confirmed via email that they never attempted to contact us.
I wonder what the notice to the affected stores looked like and if it contained a sales pitch and pricing for their tool...
Also, BleepingComputer unbanned my account and updated their article as well.
Did you manage to find out why it was banned in the first place?
Messaged them on Signal and was told he wasn't sure what happened with the ban. I'll check when back at my desk if I still am or not. Probably a misunderstanding or an automated action because I registered and immediately posted a comment on the article, from a VPN IP.
Would also be nice if they mentioned that at no point did the security researcher intend to disclose the issue with us directly, but I'm just happy to have them offline.
What's the point of writing an article and naming the hosting provider, but not reporting the domains to the hosting provider?
The original researcher runs a commercial e-commerce security and scanning tool it would appear.
If they notify and the issue is removed promptly, then they can't market their tool and say, "We can protect you from this."
I'm really curious what their emails to the affected stores looked like... finding the contact info and sending multiple emails to different people is a lot harder than
whois 23.137.249.67
and contacting one of the emails shown or calling (and leaving a message) to our public phone number... I even updated our POCs shortly after I was originally notified to remove duplicate or old entries that may have had stuff go to our old abuse@ (but they didn't use any of them anyway. Just makes future reporting more straightforward).
I can only assume this was a business decision on their part to not disclose.
Of course there's conflict of interest. If I may add, that also goes against journalism code of ethics.
shame they didn't mention honorable sansec not even attempting to contact the hosting company.
May need to revamp the ol' IncogBlog which I was going to "bring back" so i could respond to a different "researcher" in the past... https://blog.incognet.io
It's not actually linked from anywhere yet as I got lazy with it real quick.
Might not be a bad idea to document it someplace public just to keep the record straight but I'd keep it very dry and factual. Keep the high ground etc.
Sounds like in-cock-block
No AI generated visual depiction of an overweight and sweaty guy in front of a computer as the thumbnail?