The ShippingPass pilot program launched last year and offers free shipping on all orders.
The criminals snagged credit card and bank account numbers.
Hackers this spring uncovered security holes in web sites around the world. They then used those vulnerabilities to inject malicious code onto those sites. When a consumer visited a compromised site, his computer automatically downloaded malware that stole private information stored on their computers.
“The user did not need to take any action for this to happen,” says Yuval Ben-Itzhak, senior vice president of engineering at computer security firm AVG Technologies. The download happens, he says, just by visiting a compromised web site.
From the time AVG uncovered the infections, until it publicly released a report on the threat this month, the criminals had abandoned their attack, but not before lifting information including credit card and bank account numbers and passwords to e-mail accounts and social networking sites from an estimated 55,000 computers.
Ben-Itzhak says at least one e-commerce site was among those exploited. However, it is unclear whether the malware stole any secure data from that site.
AVG named the botnet—a piece of malicious software that runs automatically on computers it infects—Mumba when it uncovered the threat in July. It believes the botnet was created by the Avalanche Group, which is known in security circles for launching phishing campaigns and malware. The term botnet is also often used to describe a network of captive computers that hackers use to mount attacks, but in this case each computer is infected when it visits the infected site.
AVG says e-commerce sites and consumers can take actions to help protect themselves from the attack. Web sites should make sure data are encrypted in the database that stores them.