Researchers at Check Point recently discovered that criminals have a new way to trick merry online shoppers via the popular AliExpress shopping portal.
With more than 100 million customers and $23 billion in revenue worldwide, AliExpress, part of the Alibaba Group, is one of the most popular places to shop online.
After discovering the vulnerability, Check Point researchers informed AliExpress, and it was fixed within two days.
The vulnerability allows criminals to target AliExpress users by sending them a link to an AliExpress web page that carries malicious JavaScript. When the victim opens the link, the script runs in their browser in the context of the AliExpress site; an open redirect vulnerability on the site is what lets the attacker get around AliExpress's protection against cross-site scripting, since the redirect is trusted by the site's own checks.
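The article does not say which check AliExpress got wrong, so the following is an added illustration rather than AliExpress's code: a common open-redirect validation that an attacker can slip past, placed beside a hardened version that parses the target and compares the hostname exactly. The parameter name, the sample URLs and the allowlist are assumptions made for the example.

```javascript
// Added example, not AliExpress's code. The article only reports that an open
// redirect on the site was chained into the XSS; the weak check, the allowlist
// and the sample targets below are assumptions used to illustrate the pattern.

// Hosts a redirect may send the user to (assumed allowlist). Exact matches only:
// a suffix rule such as endsWith(".aliexpress.com") would extend trust to every
// subdomain, which is wider than most sites need.
const ALLOWED_HOSTS = ["aliexpress.com", "www.aliexpress.com"];

// Weak check: accepts any string that merely *contains* the trusted domain.
function isSafeRedirectWeak(target) {
  return target.includes("aliexpress.com");
}

// Hardened check: accept only same-origin relative paths or absolute https
// URLs whose parsed hostname is exactly on the allowlist.
function isSafeRedirectStrict(target) {
  if (typeof target !== "string" || target.length === 0) return false;
  // "/path" stays on the current origin; "//host" and "/\host" do not.
  if (target.startsWith("/")) {
    return !target.startsWith("//") && !target.startsWith("/\\");
  }
  let url;
  try {
    url = new URL(target); // no base URL: a relative or malformed value throws
  } catch (e) {
    return false; // refuse rather than guess
  }
  if (url.protocol !== "https:") return false; // drops javascript:, data:, http:
  return ALLOWED_HOSTS.includes(url.hostname.toLowerCase());
}

// Constructed sample of redirect targets: two legitimate ones, then the kinds of
// values an attacker tries against a substring check.
const SAMPLE_TARGETS = [
  "https://www.aliexpress.com/item/123.html",           // legitimate absolute URL
  "/item/123.html",                                     // legitimate relative path
  "https://evil.example/?next=aliexpress.com",          // trusted name in the query
  "https://aliexpress.com.evil.example/",               // trusted name as a prefix
  "https://aliexpress.com@evil.example/",               // trusted name as userinfo
  "//evil.example/aliexpress.com",                      // protocol-relative URL
  "javascript:alert(document.domain)//aliexpress.com",  // script URL
];

// Runs both checks over the targets so the two can be compared side by side.
function evaluateTargets(targets = SAMPLE_TARGETS) {
  return targets.map(t => ({
    target: t,
    weak: isSafeRedirectWeak(t),
    strict: isSafeRedirectStrict(t),
  }));
}

// Number of targets the weak check lets through that the strict check refuses.
function bypassCount(targets = SAMPLE_TARGETS) {
  return evaluateTargets(targets).filter(r => r.weak && !r.strict).length;
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(evaluateTargets());
}
```

Run with `node redirect_check.js` (any file name) to see the table. Note that the substring check fails in both directions: it waves through five attacker-controlled targets, including a `javascript:` URL that would execute in the page, and it rejects the perfectly safe relative path. The hardened version works from the parsed `hostname` and `protocol`, which is the only reliable way to decide where a redirect actually lands.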
Theoretically, cyber criminals could initiate this attack through an email phishing campaign, leveraging AliExpress’s regular customer journey with barely any indication to the user that anything unusual or untoward is happening. Hence, it is unlikely the user would smell anything ‘phishy’ at all.
The attackers could then present a pop-up coupon offer on the home page, served from an AliExpress-owned subdomain, asking customers to enter their credit card details to allow for a smoother and more efficient shopping experience.
That pop-up, however, is entirely under the attackers' control: any credit card details entered into it are sent directly to them rather than to the shopping site.