MDcomputers *seems* to be infected by a Card Skimmer script

whitestar_999

Super Moderator
Staff member
Credit: @SaiyanGoku
It seems that the mdcomputers site has been compromised, so don't make any purchase from there for now, and change any password you used on their site which you also use on other sites, because most probably your email & password details, along with name/address details, are also leaked.

Source:
First of all, I'm not a Cybersecurity expert, so maybe I'm missing something, in which case I'm open to corrections; however, unfortunately it appears that MDcomputers has been infected by a Card Skimmer. Here's a detailed account of everything.
Story -
I was visiting mdcomputers(dot)in and I noticed that Kaspersky was blocking a JavaScript file from a URL containing "googletegmanager". Curiously, I googled it and found that there is a legitimate analytics tool called "googleTAGmanager"; however, the one Kaspersky was blocking was "googleTEGmanager". Already one red flag, as the script is trying to disguise itself as an authentic Google tool.
Using urlscan.io to crawl through the mdcomputers website (result linked below) and going to the HTTP tab of the result, I found that the suspicious link was from a Ukrainian IP which was NOT registered under Google, while the legitimate "googleTAGmanager" was from a German IP registered under Google (see screenshot #1). What's more, clicking on "Show Response" is also blocked by Kaspersky, as it detects it as a Trojan (see screenshot #2); that should be the Card Skimmer's script. I'm not willing to disable my security software to download and open the script, as I don't have a sandbox environment, but feel free to do so yourself if you know what you're doing.
Now, to be 100% sure that the automated website crawler wasn't also spitting out a false positive like Kaspersky, I visited the Mdcomputers website, opened the Console and searched for the suspicious "googleTEGmanager". Lo and behold, there it was (see screenshot #3). Also, I looked up the domain on VirusTotal and found that at least 4 engines detect it as malware as of writing this post (linked below).
An even bigger smoking gun is that a cybersecurity firm posted a step-by-step investigation of Card Skimmers (which I followed for this investigation) that uses "googleTEGmanager" as an example, and it appears to target online stores to steal card information. The report is linked below.
Conclusion - Again, I'm not a Cybersecurity expert, far from it, but the evidence is hard to ignore and it appears that MDcomputers is indeed infected by this malicious script. This development appears to be recent, though, as I remember visiting MDcomputers on 21-05-2020 or 22-05-2020 and Kaspersky didn't find any such malware back then. I have already contacted MDcomputers about this and am awaiting their reply.
URLscan
VirusTotal lookup
Cybersecurity firm's guide (pdf)
Screenshot album

@Desmond David @omega44-xt @Nerevarine @billubakra @shreeux @theterminator

Edit: Update 1
23-05-2020 - Visiting the Mdcomputers website no longer triggers my Kaspersky. I've checked the website and the malicious script from "googleTEGmanager" isn't loading anymore, and while MDcomputers have yet to issue an official statement or reply to my messages or mails, they seem to have replied to a user who linked this Reddit post (see ) saying there is no threat on the website. While that may be true as of right now, the urlscan.io result that I linked above in the original post yesterday clearly shows that the malicious script WAS on the Mdcomputers website. I'd still not recommend anyone buy anything from there till they issue an official statement on this and fix whatever vulnerability the script used to get into Mdcomputers.
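The check the post describes by hand (open the Console, look for a script host that is a one-letter twist on googletagmanager) can be automated. The block below is an added example, not code from the post or from MDcomputers or Kaspersky: it lists every external `<script src>` on a page, reduces each to its registrable domain and flags any whose second-level label is within a couple of edits of a small assumed allowlist of legitimate tag/analytics domains. The allowlist, the sample URL list and the `.com` TLD on the lookalike are constructed for the example; the post never gave the skimmer domain's TLD.

```javascript
// Added example, not from the original post: flag <script> sources whose
// registrable domain is a near-miss of a well-known tag/analytics domain,
// the way "googletegmanager" impersonates googletagmanager.com.
// Paste into a browser console on a live page (reads document.scripts)
// or run under Node, where it falls back to the constructed sample below.

// Assumed allowlist of legitimate script hosts; extend for your own stack.
const KNOWN_DOMAINS = [
  'googletagmanager.com',
  'google-analytics.com',
  'googleapis.com',
  'gstatic.com',
];

// Constructed sample, standing in for a page's <script src> attributes.
// The ".com" on the lookalike is an assumption; the post never gave its TLD.
const SAMPLE_SCRIPT_URLS = [
  'https://www.googletagmanager.com/gtm.js?id=GTM-XXXXXXX', // legitimate
  'https://googletegmanager.com/gtm.js',                     // one-letter typosquat
  '//cdn.jsdelivr.net/npm/jquery@3.5.1/dist/jquery.min.js',  // unrelated third party
  '/catalog/view/javascript/common.js',                      // first-party, skipped
];

// Levenshtein edit distance: number of single-character insertions,
// deletions or substitutions needed to turn a into b.
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      dp[i][j] = Math.min(
        dp[i - 1][j] + 1,        // delete a[i-1]
        dp[i][j - 1] + 1,        // insert b[j-1]
        dp[i - 1][j - 1] + cost, // substitute (or match)
      );
    }
  }
  return dp[a.length][b.length];
}

// Last two labels of a hostname, so www.googletagmanager.com and
// googletagmanager.com compare equal. Assumes single-label TLDs (.com, .in);
// multi-label suffixes such as .co.uk would need a public-suffix list.
function registrableDomain(hostname) {
  return hostname.toLowerCase().split('.').slice(-2).join('.');
}

// Verdict for one registrable domain: 'known' (exact allowlist hit),
// 'lookalike' (second-level label within maxDistance edits of an
// allowlisted one, e.g. googletegmanager vs googletagmanager, or the same
// label under a different TLD), otherwise 'other'.
function classifyDomain(domain, maxDistance = 2) {
  if (KNOWN_DOMAINS.includes(domain)) {
    return { verdict: 'known', closest: domain, distance: 0 };
  }
  const label = domain.split('.')[0];
  let best = Infinity;
  let closest = null;
  for (const known of KNOWN_DOMAINS) {
    const d = editDistance(label, known.split('.')[0]);
    if (d < best) { best = d; closest = known; }
  }
  return { verdict: best <= maxDistance ? 'lookalike' : 'other', closest, distance: best };
}

// Classify every absolute script URL; relative (first-party) URLs are skipped.
function classifyScriptUrls(urls, maxDistance = 2) {
  const results = [];
  for (const url of urls) {
    let host;
    try {
      // Protocol-relative "//host/path" URLs are normalised to https.
      host = new URL(url.startsWith('//') ? 'https:' + url : url).hostname;
    } catch (e) {
      continue; // relative URL: same origin as the page, nothing to compare
    }
    const domain = registrableDomain(host);
    results.push({ url, host, domain, ...classifyDomain(domain, maxDistance) });
  }
  return results;
}

// Use the live DOM when run in a browser console, else the constructed sample.
function collectScriptUrls() {
  if (typeof document !== 'undefined' && document.scripts) {
    return Array.from(document.scripts, (s) => s.src).filter(Boolean);
  }
  return SAMPLE_SCRIPT_URLS;
}

for (const r of classifyScriptUrls(collectScriptUrls())) {
  if (r.verdict === 'lookalike') {
    console.warn(`LOOKALIKE ${r.host} (distance ${r.distance} from ${r.closest}): ${r.url}`);
  }
}
```

Two caveats when using this on a live page. `document.scripts` only sees script elements present in the DOM at the moment you run it, so a loader that injects the skimmer later (or strips its own tag after loading) can be missed; cross-check with the browser's Network tab or a urlscan.io HTTP listing, as the post did. And the check only catches typosquats of the allowlisted names: a skimmer served from an unrelated domain comes back as 'other' and still needs a manual look at who owns the host and what the response contains.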

Desmond

Destroy Erase Improve
Staff member
Admin
Someone should inform MDComputers, perhaps they are not aware of it.


mayurthemad01

Journeyman
I also got the "googleTEGmanager" while browsing their website to buy an SSD, and my Malwarebytes blocked it every time.


Zangetsu

I am the master of my Fate.
They should officially declare the breach, otherwise they will lose customers trust.

They were also hacked in 2018, as per the above Reddit posts.