Magecart Attackers Target Retail Brands Under Lockdown

Magecart attackers have been busy again, installing digital skimming code onto the websites of several popular retailers over recent weeks.

The first brand affected was US accessories provider Claire’s. Security company Sansec spotted an unknown third party registering the “claires-assets” domain back in March, just after the chain decided to shut all of its stores.

“For the next four weeks, Sansec did not observe suspicious activity, but in the last week of April, malicious code was added to the online stores of Claire’s and its sister brand Icing,” it continued.

“The injected code would intercept any customer information that was entered during checkout, and send it to the claires-assets.com server. The malware was present until June 13.”

Unlike many Magecart efforts which compromise sites by attacking their digital supply chain partners, this was a direct attack with the hackers gaining write access to code.

However, the root cause of the compromise is not yet known: Sansec hypothesized that leaked admin credentials, spear-phishing of staff and/or a compromised internal network may have been to blame.

The firm responded quickly to Sansec’s private disclosure of the incident, and urged online shoppers to monitor their bank statements.

“Our investigation identified the unauthorized insertion of code to our e-commerce platform designed to obtain payment card data entered by customers during the checkout process,” it said in a statement sent to Sansec.

“We removed that code and have taken additional measures to reinforce the security of our platform. We are working diligently to determine the transactions that were involved so that we can notify those individuals. Cards used in our retail stores were not affected by this issue.”

Also on Monday, security firm ESET warned that online shoppers in the Balkans may have had their card details stolen from Intersport stores. It claimed that the popular sports retailer fixed the issue “within several hours” after the firm sounded the alarm. Consumers in Croatia, Serbia, Slovenia, Montenegro and Bosnia and Herzegovina were affected.

Worryingly for the brands affected, research from SiteLock late last year found that a third of consumers never again shop with a retailer their information is stolen from.

What’s Hot on Infosecurity Magazine?