Described in a Check Point blog post, the vulnerability allows criminals to target AliExpress users by sending them a link to an AliExpress web page containing malicious JavaScript code. When the user opens the page, the code executes in the user’s web browser, bypassing AliExpress’s protection against cross-site scripting attacks.
Check Point says that cyber criminals could initiate such an attack through an email phishing campaign, without arousing suspicion from the victims. The attackers could then present a popup coupon offer on the home screen – running under an AliExpress-owned subdomain – asking customers to provide credit card details to allow for a smoother and more efficient shopping experience. The attackers, rather than the shopping site, would receive all credit card details entered.
With more than 100 million customers and US$23 billion in revenue worldwide, AliExpress, part of the Alibaba Group, is a popular e-commerce destination. Check Point recommends that shoppers remain vigilant, especially during the year-end shopping season.