The website of international retail chain Claire’s was compromised by Magecart hackers for weeks amid an increase in overall online shopping due to the coronavirus pandemic, Sansec reports.
The attack appears to have been set up on March 21, the day after Claire’s closed its 3,000 brick-and-mortar stores due to restrictions imposed worldwide as the number of new COVID-19 cases started spiking.
On that day, Netherlands-based eCommerce security company Sansec explains, the attackers registered the domain claires-assets.com, in preparation for the planned malicious activity.
The hackers injected malicious code not only into the fashion retailer’s website, but also the online store of its sister brand Icing. The affected online stores are hosted on the eCommerce platform Salesforce Commerce Cloud, previously known as Demandware.
The injected code was designed to intercept the information customers entered during checkout, and send the data to the claires-assets.com server.
The skimmer was added to the app.min.js file hosted on the store’s own servers, meaning the attackers had gained write access to the server, and it remained active until June 13. The code was attached to the submit button of the checkout form.
The skimmer was designed to grab the entire checkout form, encode it, and exfiltrate the data disguised as an image request, presumably in an attempt to avoid detection.
While it’s uncertain how the attackers managed to compromise the online stores in the first place, it’s clear that they anticipated a surge in online traffic following the lockdown. Moreover, Sansec believes that the hackers might have spent 4 weeks trying to gain access to the websites.
After discovering the compromise, Sansec notified Claire’s, which confirmed that the web skimmer code was injected into their eCommerce platform to steal customer payment card data. The malicious code was removed and both payment card networks and law enforcement were notified.
At the end of April, Magecart hackers also managed to compromise several online stores of sportswear retailer Intersport. According to ESET, which identified the intrusion, the company’s sites in Croatia, Serbia, Slovenia, Montenegro, and Bosnia and Herzegovina were compromised.
Replying to ESET, Sansec revealed that Intersport was initially compromised on April 30, that it cleared the infection on May 3, but was hacked again on May 14. This, the company points out, is a recurring issue, with around 20% of merchants being re-infected after a breach, typically within 2 weeks.
“The most noteworthy here is that the Intersport site got breached, remained breached for a few days, recovered and then got breached again,” Martin Jartelius, CSO at Outpost24, said in an emailed comment.
“This is a behavior we have also observed during some Red Team engagements, where monitoring and operations may be in place to recover from unexpected events, but there is a hiccup in the process and security is not brought in. In some cases operators have been able to reuse the same system for repeated entry into organizations. This is a case of working detection but broken recovery, and at best, we as a community can gain from this if others look at this and learn. If there is an unexpected change, and you recover from it – ensure to find out why the unexpected change occurred,” Jartelius continued.