Inter sport, Claire’s and Icing online store were hit by web skimmers (Magecart attack) that hid malicious code that would record payment card details.
Inter sport, Claire’s and Icing online store were hit by web skimmers (Magecart attack) that hid malicious code that would record payment card details.
Claire’s stores is an American retailer chain primarily aimed towards girls, tweens and teens.
The stores were closed worldwide on March 20. According to Sanguine Security’s William the Claire’s and its sister, brand Icing was compromised between April 25 and 30 and for the next 4 weeks, no suspicious activity was observed.
“The injected code would intercept any customer information that was entered during checkout, and send it to the Claire’s-assets.com server,” wrote Sansec reporters.
Next day, the domain Claires-assets.com was registered by an anonymous gang. The malware was induced to the (otherwise legitimate) app.min.js file.
How does this work?
The skimmer is attached to the submit button of the check out form. As soon as the “ Demandware Checkout Form” is clicked, it is grabbed, serialised and base64 encoded and _preloader identifier adds a temporary image to the DM. The attacker is able to control the image on the server as the data submitted by the customers is appended to the image address.
“We suspect that attackers have deliberately chosen an image file for exfiltration, because image requests are not always monitored by security systems,” reads the post.
Claire and Icing customers who have shopped online during the time interval must keep an eye on their bank accounts for unauthorised transactions.
The malicious code was removed from the site once the company was notified.
An identical incident happened today by antivirus maker ESET, impacting the website of Intersport.
Intersport is an international sporting goods retailer having 5800 locations in 65 countries.
The local version of Intersport website was loaded with skimmer serving customers in Croatia, Serbia, Slovenia, Montenegro, Bosnia and Herzegovina.
“Intersport stores got hacked on April 30, cleaned on May 3rd, then hacked again on May 14th, ” said Groot. The malicious code was removed as soon as the company was notified.
For the latest cyber threats and the latest hacking news please follow us on Facebook, Linkedin, and Twitter.Y
You may be interested in reading: Private Zoom Video Recordings Exposed Online