Magecart attackers have compromised web shops belonging to large retail chains Claire’s and Intersport and equipped them with payment card skimmers.
The compromise of Claire’s online store and that of its sister brand Icing has been flagged by Sansec researchers.
The skimmer was served from a domain made to look like it might belong to the company (claires-assets.com), and it was added to the two online stores between April 25th and 30th.
“The malware was added to the (otherwise legitimate) app.min.js file. This file is hosted on the store servers, so there is no “Supply Chain Attack” involved, and attackers have actually gained write access to the store code,” the researchers pointed out.
“The skimmer attaches to the submit button of the checkout form. Upon clicking, the full ‘Demandware Checkout Form’ is grabbed, serialized and base64 encoded. A temporary image is added to the DOM with the __preloader identifier. The image is located on the server as controlled by the attacker. Because all of the customer submitted data is appended to the image address, the attacker now has received the full payload. Immediately, the image element is removed.”
How the attackers managed to compromise the web shops is still unknown, but they started planning the attack a month before actually executing it. In fact, they registered the malicious domain a day after Claire’s announced that they will be temporarily close all of their brick and mortar stores due to COVID-19.
ESET researchers have pointed out the compromise of Intersport’s web store and said that the company fixed the issue within several hours of ESET letting them know.
Sansec researchers say that an initial hack happened on Apr 30th and then another one on May 14th:
Intersport stores got hacked on Apr 30th, cleaned on May 3rd, then hacked again on May 14th. pic.twitter.com/RabcjPzzWd
— Sansec (@sansecio) June 15, 2020
Only the localized Intersport web shops serving customers from the Balkans region have been compromised.
It is still unknown how long the skimmers went unnoticed.
None of the compromised web shops sport a prominent notification about the breach and payment card info theft. Claire’s notified the payment card networks and law enforcement, and let’s hope they will contact affected customers directly once they determine the extent of the compromise and theft.
Companies should have protections in place to notice this and other types of breaches soon after they happen, but unfortunately many don’t.
If you’re paying for your purchases with payment cards – whether online or in physical stores – you should regularly check your account statements for unauthorized charges and report them quickly.
UPDATE: June 17, 2020 – 8:20 AM ET
Intersport reached out to Help Net Security with the following comment: “In this hacking attack, a code was installed on our websites with purpose to scan payment card data. Intersport reacted immediately upon discovery and the suspicious code was removed. No payment card information was intercepted, as online card payments are processed through the independent WSPay payment platform, which was not affected by the malicious code.”