Willem de Groot, a Dutch security expert, is asking owners of defunct or soon-to-be-dead online stores to donate their domains so he can set up honeypots and track credit card stealing malware and other types of cyber-attacks on e-commerce targets.
De Groot, who is also the co-founder of Byte.nl, a web hosting service, and founder of MageReport, a security scanner for Magento shops, says he needs store owners to donate their former domains because classic honeypots won't work against web malware, and in particular against variants targeting online stores.
Honeypots are servers that are configured to behave like various types of applications, but they also run monitoring software that logs any attempts to exploit security weaknesses.
For online stores, setting up a honeypot server implies creating a store from scratch. This is useless, de Groot says, as the store won't have any search engine presence, and attackers could easily detect this.
De Groot says the way to build better honeypots for detecting malware and cyber-attacks on online stores is to use older domains, some of which have been running for years and are credible and juicy targets in the eyes of an attacker.
As such, the researcher is pleading with former store owners to hand over their domains. He says he plans to migrate the domain to his own server and recreate the store's public template, but run a special backend that exposes a wide attack surface and logs all attempts to exploit those flaws.
Speaking with Bleeping Computer, de Groot says he's not interested in specific e-commerce platforms, but only the domain.
"I am not targeting any specific software: the more, the better," de Groot said. "For the honeypot, only the front end (HTML etc) is required, so the backend is irrelevant."
De Groot's plan for his network of honeypots is to reduce the time needed to detect the source of attacks, a process that is usually slow because webmasters need to sift through the logs of actual stores.
The security expert hopes that his new network of honeypots will be able to quickly identify malicious IP ranges of criminal botnets, or help him discover new attack methods.
The researcher plans to take the data recorded via his honeypot's backend and make it available as a blacklist, for free.
"The blacklist will be available as a DNSBL," de Groot told Bleeping Computer, along with "ready to paste/include snippets for Nginx and Apache."
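To show how such a feed can be consumed on the defending side, here is an added example (not de Groot's code or his actual feed) that turns honeypot log lines into the two formats he mentions: DNSBL query names and paste-ready Nginx/Apache deny snippets. The log format, the three-failure threshold and the zone `dnsbl.example.org` are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample lines (not real data). Assumed format:
# timestamp, source IP, method, path, event
SAMPLE_LOG = """\
2017-01-10T10:00:01Z 203.0.113.7 POST /admin/ login_failed
2017-01-10T10:00:02Z 203.0.113.7 POST /admin/ login_failed
2017-01-10T10:00:03Z 203.0.113.7 POST /admin/ login_failed
2017-01-10T10:00:04Z 198.51.100.20 GET /index.html ok
2017-01-10T10:00:05Z 198.51.100.20 POST /admin/ login_failed
2017-01-10T10:00:06Z 2001:db8::5 POST /admin/ login_failed
2017-01-10T10:00:07Z 2001:db8::5 POST /admin/ login_failed
2017-01-10T10:00:08Z 2001:db8::5 POST /admin/ login_failed
2017-01-10T10:00:09Z not-an-ip POST /admin/ login_failed
"""

def offenders(log_text, threshold=3):
    """Return IPs (as strings) with at least `threshold` failed logins."""
    counts = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[4] != "login_failed":
            continue
        try:
            counts[ipaddress.ip_address(parts[1])] += 1
        except ValueError:
            continue  # malformed source field: never emit it into a config
    hits = [ip for ip, n in counts.items() if n >= threshold]
    return [str(ip) for ip in sorted(hits, key=lambda ip: (ip.version, int(ip)))]

def dnsbl_name(ip, zone="dnsbl.example.org"):
    """Name a client resolves: reversed octets (IPv4) or nibbles (IPv6) + zone.
    The zone is a placeholder; the article does not give the real one."""
    ip = ipaddress.ip_address(ip)
    suffix = ".in-addr.arpa" if ip.version == 4 else ".ip6.arpa"
    return ip.reverse_pointer[: -len(suffix)] + "." + zone

def nginx_snippet(ips):
    """Lines for an nginx http/server/location block."""
    return "".join(f"deny {ip};\n" for ip in ips)

def apache_snippet(ips):
    """Apache 2.4 (mod_authz_core) block: allow everyone except listed IPs."""
    body = "".join(f"    Require not ip {ip}\n" for ip in ips)
    return "<RequireAll>\n    Require all granted\n" + body + "</RequireAll>\n"

if __name__ == "__main__":
    bad = offenders(SAMPLE_LOG)
    print(nginx_snippet(bad) + apache_snippet(bad))
    print("\n".join(dnsbl_name(ip) for ip in bad))
```

With a DNSBL, a listed address conventionally resolves to an answer in 127.0.0.0/8 and an unlisted one returns NXDOMAIN, so a mail or web front end can check a source with a single DNS lookup.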
His plea seems to have struck a chord with at least some former store owners, who decided to help.
"Since yesterday, two sites were submitted, of which one is on a page rank 7 parent domain," de Groot told Bleeping. "In the last day, I've collected 200 brute force source IPs and logged ~5000 attacks on my honeypots."
"And I expect more to come, as agencies are now aware of the initiative," the researcher added, referring to web development agencies that often build and manage these stores.
"We don’t expect this trend to slow down," said the Google Webmasters team. "As hackers get more aggressive and more sites become outdated, hackers will continue to capitalize by infecting more sites."