Online shops of retail giants Intersport and Claire’s have been found to be infected with Magecart’s payment card skimmers. These web skimmers are ideally designed to exfiltrate customers’ payment card data. The modus operandi of a Magecart attack is simple. First, the cybercriminals gain access into a company’s online store website by compromising and hiding malicious code in it and then collect the payment card information from users using this malicious code while they make online purchases on the infected website.
Sanguine Security reports that the online store of Claire’s and its sister brand Icing were attacked by Magecart handlers between April 25 and June 13. A domain named claires-assets.com, was registered around March-end, which remained dormant for the next four weeks and became active only in the last week of April. The fake domain looked like a legitimate Claire’s website and was used to deliver the card skimmer.
The researchers said, “The injected code would intercept any customer information that was entered during checkout and send it to the claires-assets.com server. The malware was present until June 13th. The malware was added to the (otherwise legitimate) app.min.js file. This file is hosted on the store servers, so there is no “Supply Chain Attack” involved, and attackers have actually gained write access to the store code.”
The Card Skimmer Modus Operandi
- The skimmer was placed on the submit button of the checkout form.
- On clicking this button, the entire ‘Demandware Checkout Form’ was first given a serial number and then encoded by base64 encoding.
- Further, a temporary image was added to the DOM with the __preloader identifier. This image is located on the server controlled by the cybercriminals.
- Since, the submitted data is appended to the image address, the attacker receives the full payload.
- On receipt, the image element is immediately removed to access and copy the payment card data.
The Intersport Story
Another similar type of attack was spotted by ESET researchers which targeted the Intersport website. This was a geotargeted web skimming attack as customers from Croatia, Serbia, Slovenia, Montenegro, and Bosnia and Herzegovina were specifically targeted.
Another greedy #Magecart campaign found be #ESETresearch – this time in Balkans. Crooks were trying to skim credit cards of #Intersport e-shoppers in #Croatia, #Serbia, #Slovenia, #Montenegro, #BosniaandHerzegovina. 🇭🇷 🇷🇸 🇸🇮 🇲🇪 🇧🇦 @OndrashMachula 1/2 pic.twitter.com/m7leaNcgQN
— ESET research (@ESETresearch) June 15, 2020
According to reports, the Intersport online stores were compromised on April 30. As good Samaritans, the researchers contacted the company about the card skimmer hack on their respective websites. As per the latest update, the companies have now removed the malicious code and are functioning safely.