
Accessories store Claire’s hit by Magecart credit card fraudsters

Attackers gained access to retailer’s website as long ago as March

US-based jewellery and accessories retailer Claire’s, a fixture on UK high streets, has taken action to remove a Magecart credit card skimmer from its website, which appears to have been hacked back in March to take advantage of the closure of its bricks-and-mortar stores amid the Covid-19 coronavirus pandemic.

The firm shuttered its physical presence around the world on 20 March, and within 24 hours, a malicious domain, claires-assets.com, had been registered by an anonymous actor, according to threat researchers at Sansec, who first discovered the breach.

Over the next four weeks, the domain lay dormant, but at some point between 25 and 30 April, a sequence of malicious code was injected into the Claire’s online store, as well as that of its sister brand, Icing, to intercept customer information entered at checkout and redirect it to the fake server.

Sansec found that the Magecart skimmer was added to an otherwise legitimate app hosted on Claire’s own servers, so there was, in this case, no element of a supply chain attack, suggesting that the attackers had gained write access to the website’s code.

“The timeline may indicate that attackers anticipated a surge in online traffic following the lockdown,” said Sansec’s researchers in a disclosure blog post. “The period between exfil domain registration and actual malware suggests that it took the attackers a good four weeks to gain access to the store.”

Sansec added that Claire’s is hosted on Salesforce’s Commerce Cloud, which serves a great many large retailers, but said it was highly unlikely that the Salesforce platform had been breached.

“The actual root cause is, as yet, unknown,” it said. “Possible causes are leaked admin credentials, spearphishing of staff members and/or a compromised internal network.”

In this case, the skimmer was attached to the submit button on Claire’s checkout form and, if clicked, it grabbed the full form, serialised it and encoded it, and then appended the customer data to the address of a temporary image file held on the malicious server. This is a not uncommon exfiltration technique as image requests are not always monitored by security systems, said Sansec.
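
A defender can look for this pattern in requests recorded from a checkout page. The following is an added example, not code from Sansec or Claire’s: it flags image requests to hosts outside an allowlist whose query string decodes to serialised form data. The host names, length threshold and sample requests are constructed, and base64 is assumed as the encoding because the article does not name one.

```javascript
// Added example. Hosts, threshold and requests are constructed, not taken from the incident.
const ALLOWED_HOSTS = new Set(["www.shop.example", "cdn.shop.example"]);
const IMAGE_PATH = /\.(gif|png|jpe?g|webp|svg|ico)$/i;
const MIN_ENCODED_LEN = 40; // assumption: shorter values are ordinary IDs or cache-busters

// Return the decoded text if value is base64 (standard or URL-safe) of printable ASCII.
function decodeIfBase64(value) {
  const b64 = value.replace(/-/g, "+").replace(/_/g, "/");
  if (b64.length < MIN_ENCODED_LEN || !/^[A-Za-z0-9+/]+={0,2}$/.test(b64)) return null;
  const text = Buffer.from(b64, "base64").toString("latin1");
  return /^[\x20-\x7e]+$/.test(text) ? text : null;
}

// A serialised form is a run of key=value pairs joined by "&".
function looksLikeSerialisedForm(text) {
  return text.split("&").filter((p) => /^[^=&]+=[^&]*$/.test(p)).length >= 3;
}

// Inspect one recorded request of the shape { url, resourceType }.
function inspectRequest(req) {
  const url = new URL(req.url);
  const isImage = req.resourceType === "image" || IMAGE_PATH.test(url.pathname);
  if (!isImage || ALLOWED_HOSTS.has(url.hostname)) return null;
  for (const part of url.search.slice(1).split("&")) {
    // Check the whole parameter and the value after the first "=".
    for (const raw of [part, part.slice(part.indexOf("=") + 1)]) {
      let value;
      try { value = decodeURIComponent(raw); } catch { continue; }
      const decoded = decodeIfBase64(value);
      if (decoded && looksLikeSerialisedForm(decoded)) {
        return { host: url.hostname, decoded };
      }
    }
  }
  return null;
}

function findSuspicious(requests) {
  return requests.map(inspectRequest).filter(Boolean);
}

// Constructed checkout form using a well-known test card number.
const form = "email=test%40shop.example&card_number=4111111111111111&exp=12%2F30&cvv=123";
const payload = encodeURIComponent(Buffer.from(form).toString("base64"));
const SAMPLE_REQUESTS = [
  { url: "https://cdn.shop.example/img/logo.png?v=20200601", resourceType: "image" },
  { url: "https://pixel.analytics.example/t.gif?ev=pageview&id=12345", resourceType: "image" },
  { url: "https://img.unknown-host.example/tmp/a.gif?d=" + payload, resourceType: "image" },
];
console.log(findSuspicious(SAMPLE_REQUESTS));
```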

A Claire’s spokesperson said: “Claire’s cares about protecting its customers’ data. On Friday, we identified an issue related to our e-commerce platform and took immediate action to investigate and address it. Our investigation identified the unauthorised insertion of code to our e-commerce platform designed to obtain payment card data entered by customers during the checkout process.

“We removed that code and have taken additional measures to reinforce the security of our platform. We are working diligently to determine the transactions that were involved so that we can notify those individuals. Cards used in our retail stores were not affected by this issue.

“We have also notified the payment card networks and law enforcement. It is always advisable for cardholders to monitor their account statements for unauthorised charges. The payment card network rules generally provide that cardholders are not responsible for unauthorised charges that are timely reported.”

Raif Mehment, EMEA vice-president at cloud security firm Bitglass, said: “Payment card-skimming malware continues to be a security challenge for retailers around the globe. British Airways, Newegg, and now Claire’s have all been victims of Magecart’s malware, highlighting the need for security solutions which monitor for vulnerabilities and threats, across all devices and applications, in real time.

“With these capabilities, retailers can be proactive in detecting and thwarting breaches before they happen, ensuring that their customers’ sensitive information is protected.”

More details of the attack on Claire’s can be read at Sansec’s website.
