Magecart hackers have struck again. This time, the hackers planted credit card-skimming malware on the websites of Claire’s and Intersport, both among the world’s largest retail chains, possibly stealing the personal information of hundreds of thousands of online shoppers.
On Monday, security firm Sanguine Security revealed that Magecart hackers inserted malicious code into the online store of Claire’s that exfiltrated data from the retail giant’s checkout page to a server associated with the domain claires-assets.com.
The domain claires-assets.com was set up on 21st March, just a day after Claire’s closed all of its 3,000 brick-and-mortar stores worldwide. Sanguine believes that the domain was set up to exploit the rise in online sales caused by Covid-19-related shutdowns.
Researchers at Sanguine observed that the malicious code appeared on Claire’s checkout page on 25th April and persisted until Friday, 13th June, when Claire’s removed it from its website. The retail giant admitted that the malware exfiltrated payment card information from its e-commerce website but assured customers that cards used in its retail stores were not affected by the issue.
“Claire’s cares about protecting its customers’ data. On Friday, we identified an issue related to our e-commerce platform and took immediate action to investigate and address it. Our investigation identified the unauthorized insertion of code to our e-commerce platform designed to obtain payment card data entered by customers during the checkout process,” the company said in a statement issued on Monday.
“We removed that code and have taken additional measures to reinforce the security of our platform. We are working diligently to determine the transactions that were involved so that we can notify those individuals. Cards used in our retail stores were not affected by this issue.
“We have also notified the payment card networks and law enforcement. It is always advisable for cardholders to monitor their account statements for unauthorized charges. The payment card network rules generally provide that cardholders are not responsible for unauthorized charges that are timely reported,” it added.
Magecart hackers struck Intersport’s website twice, exfiltrated customer data
During the last week of April, Magecart hackers also targeted sporting goods retailer Intersport, injecting malicious code into the checkout page of the retailer’s e-commerce website. Although the code was initially detected and removed on 3rd May, it was injected into the same website again on 14th May and persisted there until it was removed a second time.
Neither Claire’s nor Intersport has revealed the number of customers affected by the Magecart attacks or the nature of the information the malware exfiltrated to servers controlled by the hackers.
“Data skimming attacks like these underscore the need for online shoppers to remain ever vigilant. I strongly recommend all online shoppers to pay close attention to their monthly statements, monitoring them for suspicious charges. Users should also set up alerts on their credit and debit cards when available, and invest in credit monitoring, which will alert you to skimming incidents like these, as well as more traditional data breaches,” said Chris Hauk, Consumer Privacy Champion at Pixel Privacy.
Paul Bischoff, Privacy Advocate at Comparitech.com, said that web skimming attacks like these are particularly effective because victims have no way of knowing that the store pages are infected. Unlike phishing attacks or malware targeting end-users, card skimming attacks often can’t be detected and leave no trace of evidence on the victim’s device.
“From a customer’s perspective, the checkout process looks and functions like it would if it were not infected. Only the website operator can remove Magecart malware. For the attacker, web skimming has the added benefit of ensuring that all of the stolen customer data is valid and up to date, which is often not the case with data breaches in which stolen information can be months or years old,” he added.
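Because, as Bischoff notes, the victim sees nothing and only the website operator can detect and remove the injected code, the practical control sits on the storefront side: knowing which hosts the checkout page is allowed to load scripts from and send data to, and flagging anything else. The Node.js script below is an added illustration written for this article, not code from Claire’s, Intersport, Sanguine Security or any of the people quoted. It audits a checkout page’s HTML for every referenced host, reports hosts outside an allowlist, marks brand look-alike hosts such as the claires-assets.com domain described above, and emits a Content-Security-Policy header that would make a browser refuse the injected script tag and any data sent to an unlisted host. The sample page, the allowlist and the .example/.test hostnames are constructed assumptions.

```javascript
// Added example (not code from the article, Claire's, Intersport or Sanguine):
// a storefront-side audit of the hosts a checkout page talks to.
// The allowlist and the .example/.test hostnames below are constructed.

const BRAND = 'claires';
const ALLOWED_HOSTS = new Set([
  'www.claires.example',        // constructed first-party host
  'cdn.claires.example',        // constructed first-party static host
  'payments.example-psp.test',  // constructed payment-provider host
]);

// Constructed checkout page. The last <script> tag stands in for the injected
// loader the article describes, pointing at the look-alike domain it names.
const SAMPLE_CHECKOUT_HTML = `
<html><body>
<form action="https://payments.example-psp.test/charge" method="post">
  <input name="card_number"><input name="cvv"><button>Pay</button>
</form>
<script src="https://cdn.claires.example/checkout.js"></script>
<script>fetch('https://www.claires.example/api/cart');</script>
<script src="https://claires-assets.com/app.js"></script>
</body></html>`;

// Collect every hostname referenced by an absolute http(s) URL in the markup,
// whether in a src/action attribute or inside an inline script.
function extractHosts(html) {
  const hosts = new Set();
  const urlRe = /https?:\/\/([a-z0-9.-]+)/gi;
  let m;
  while ((m = urlRe.exec(html)) !== null) hosts.add(m[1].toLowerCase());
  return hosts;
}

// A host that carries the brand name in one of its labels but is not on the
// allowlist matches the pattern of "claires-assets.com".
function isLookalike(host, brand) {
  return host.split('.').some((label) => label.includes(brand.toLowerCase()));
}

// Report every referenced host the allowlist does not cover.
function auditCheckoutPage(html, allowedHosts, brand) {
  const findings = [];
  for (const host of extractHosts(html)) {
    if (allowedHosts.has(host)) continue;
    findings.push({ host, lookalike: isLookalike(host, brand) });
  }
  return findings;
}

// Build a Content-Security-Policy that limits where scripts may load from and
// where the page may send data. A browser enforcing it refuses the injected
// script tag above and any fetch/XHR/sendBeacon or form post to an unlisted host.
function buildCsp(allowedHosts) {
  const hosts = [...allowedHosts].join(' ');
  return [
    "default-src 'self'",
    `script-src 'self' ${hosts}`,
    `connect-src 'self' ${hosts}`,
    `form-action 'self' ${hosts}`,
    'report-uri /csp-report',
  ].join('; ');
}

console.log(auditCheckoutPage(SAMPLE_CHECKOUT_HTML, ALLOWED_HOSTS, BRAND));
console.log(buildCsp(ALLOWED_HOSTS));
```

Run against the constructed page, the audit returns a single finding for claires-assets.com marked as a look-alike, while the first-party and payment-provider hosts pass. The CSP only helps when the skimmer loads from or sends to a host outside the policy; code inserted into a first-party file served from an allowlisted host passes `script-src`, so an operator also needs integrity monitoring of its own storefront code and review of CSP violation reports, which is why repeated injections like the one at Intersport are caught by the operator rather than by shoppers.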