Magecart Hackers Hit Claire’s, Intersport

The website of international retail chain Claire’s was compromised by Magecart hackers for weeks amid an increase in overall online shopping due to the coronavirus pandemic, Sansec reports.

The attack appears to have been set up on March 21, the day after Claire’s closed its 3,000 brick-and-mortar stores due to restrictions imposed worldwide as the number of new COVID-19 cases started spiking.

On that day, Netherlands-based eCommerce security company Sansec explains, the attackers registered the domain, in preparation for the planned malicious activity.

The hackers injected malicious code not only into the fashion retailer’s website, but also the online store of its sister brand Icing. The affected online stores are hosted on the eCommerce platform Salesforce Commerce Cloud, previously known as Demandware.

The injected code was designed to intercept the information customers entered during checkout, and send the data to the server.

The web skimmer was added to the app.min.js file, which was hosted on the store servers, meaning that the attackers had gained write access to the server. It remained active until June 13. The code was attached to the submit button of the checkout form.

The skimmer was designed to grab the entire checkout form, encode it, and exfiltrate the data posing as an image file, supposedly in an attempt to avoid detection.
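A defender can hunt for the behavior described above (encoded form data leaving a checkout page disguised as an image fetch) in browser request records such as HAR exports from synthetic checkout monitoring. The following is an added example, not code from Sansec or from this article; the record layout, host allowlist, thresholds and all sample data are constructed assumptions.

```python
import base64, binascii, math
from urllib.parse import urlsplit, parse_qsl

# Assumptions for this sketch: allowlist, threshold and record layout are hypothetical.
ALLOWED_IMAGE_HOSTS = {"shop.example", "cdn.shop.example"}
MIN_PAYLOAD_LEN = 64  # shorter values are treated as ordinary parameters

def entropy(s):
    """Shannon entropy in bits per character."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def looks_encoded(value):
    """True for a long value that is valid base64 or, failing that, high-entropy."""
    if len(value) < MIN_PAYLOAD_LEN:
        return False
    # parse_qsl turns '+' into ' '; also map the URL-safe alphabet back to standard.
    v = value.replace(" ", "+").replace("-", "+").replace("_", "/")
    try:
        base64.b64decode(v + "=" * (-len(v) % 4), validate=True)
        return True
    except (binascii.Error, ValueError):
        return entropy(value) > 4.5

def suspicious_image_requests(entries):
    """Image requests from checkout pages that send encoded data to unlisted hosts."""
    hits = []
    for e in entries:
        url = urlsplit(e["url"])
        if e["type"] != "image" or "/checkout" not in urlsplit(e["page"]).path:
            continue  # only image fetches made while a checkout page is open
        if url.hostname in ALLOWED_IMAGE_HOSTS:
            continue  # expected first-party or CDN image
        if any(looks_encoded(v) for _, v in parse_qsl(url.query)):
            hits.append(e["url"])
    return hits

# Constructed sample data: a fake checkout form, encoded the way a skimmer might.
FORM = b"name=Test+User&card=4111111111111111&exp=12/30&cvv=000&email=t@example.test"
BLOB = base64.urlsafe_b64encode(FORM).decode()
CHECKOUT = "https://shop.example/checkout/payment"
SAMPLE = [
    {"page": CHECKOUT, "type": "image", "url": "https://cdn.shop.example/img/logo.png?v=3"},
    {"page": CHECKOUT, "type": "image", "url": "https://metrics.example.net/pixel.gif?id=42"},
    {"page": CHECKOUT, "type": "image", "url": "https://img-host.example.org/a.gif?d=" + BLOB},
    {"page": "https://shop.example/products/1", "type": "image",
     "url": "https://img-host.example.org/b.gif?d=" + BLOB},
    {"page": CHECKOUT, "type": "xhr", "url": "https://api.pay.example/charge?t=" + BLOB},
]

if __name__ == "__main__":
    print(suspicious_image_requests(SAMPLE))
```

The heuristic will also flag long opaque tracking tokens sent to unlisted hosts, so each hit is a lead to review against the page's expected third parties rather than a verdict.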

While it’s uncertain how the attackers managed to compromise the online stores in the first place, it’s clear that they anticipated a surge in online traffic following the lockdown. Moreover, Sansec believes that the hackers might have spent 4 weeks trying to gain access to the websites.

After discovering the compromise, Sansec notified Claire’s, which confirmed that the web skimmer code was injected into their eCommerce platform to steal customer payment card data. The malicious code was removed and both payment card networks and law enforcement were notified.

At the end of April, Magecart hackers also managed to compromise several online stores of sportswear retailer Intersport. According to ESET, which identified the intrusion, the company’s sites in Croatia, Serbia, Slovenia, Montenegro, and Bosnia and Herzegovina were compromised.

Replying to ESET, Sansec revealed that Intersport was initially compromised on April 30, that it cleared the infection on May 3, but got hacked again on May 14. This, the company points out, is a recurring issue, with around 20% of merchants being re-infected after a breach, typically within 2 weeks.

“The most noteworthy here is that the Intersport site got breached, remained breached for a few days, recovered and then got breached again,” Martin Jartelius, CSO at Outpost24, said in an emailed comment.

“This is a behavior we have also observed during some Red Team engagements, where monitoring and operations may be in place to recover from unexpected events, but there is a hiccup in the process and security is not brought in. In some cases operators have been able to reuse the same system for repeated entry into organizations. This is a case of working detection but broken recovery, and at best, we as a community can gain from this if others look at this and learn. If there is an unexpected change, and you recover from it – ensure to find out why the unexpected change occurred,” Jartelius continued.

Related: Magecart Hackers Continue Improving Skimmers

Related: Magecart Attack on eCommerce Platform Hits Thousands of Online Shops

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
