A Magecart credit-card skimmer was used to attack online customers of the retailer Claire’s for a month and a half, according to researchers.
Claire’s – a purveyor of jewelry and accessories – closed its 3,000 physical retail locations worldwide on March 20, in the wake of the COVID-19 pandemic. An analysis from the Sansec Threat Research Team shows that a Magecart group saw an opportunity to harvest payment-card data in the closures – likely assuming that online sales activity would ramp up with no brick-and-mortar outlets available to shoppers.
“Following common Magecart malpractice, payment skimmers were injected and used to steal customer data and cards,” according to Sansec.
Magecart is an umbrella term encompassing several different threat groups that typically share the same modus operandi. They compromise websites, usually by exploiting vulnerabilities in (or otherwise compromising) third-party eCommerce platforms, in order to inject card-skimming scripts into checkout pages. Magento-based hacks are seen most often, but Magecart also attacks other platforms, including Opencart, BigCommerce, Prestashop and Salesforce.
At Virus Bulletin last October, researchers at RiskIQ said that Magecart is now so ubiquitous that its infrastructure is flooding the internet. There are at least 570 known command-and-control (C2) domains for the group, with close to 10,000 hosts actively loading those domains, researchers said.
In this case, Sansec telemetry picked up malicious code being injected into the Claire’s official eCommerce website (and that of its sister store, Icing), starting in late April. The malware persisted until this weekend, when it was removed on June 13.
Specifically, code was added to the online check-out pages for the stores, and linked to the “Submit” button that shoppers use to submit their payment information. To hook up with the Submit function, the malware was added to the app.min.js file, which is a legitimate file hosted on the store servers.
When a user clicked the button, the injected code would intercept all customer information that was entered during checkout, render it as an image, encode it with base64, and send it off to a special collection website controlled by the attackers, “claires-assets[dot]com.”
“This approach uses image exfiltration (which is often not monitored by security systems) and uses a U.S.-based collection server, which is rare for this type of attack,” Sansec founder Willem de Groot told Threatpost. “I suspect that the collection server will be confiscated by U.S. law enforcement shortly.”
On the technical front, “A temporary image is added to the DOM with the __preloader identifier,” according to the Sansec analysis, released on Monday. “The image is located on the server as controlled by the attacker. Because all of the customer submitted data is appended to the image address, the attacker now has received the full payload. Immediately, the image element is removed.”
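The exfiltration pattern described above (a short-lived image element whose address carries the encoded form data to an attacker host) can be flagged client-side. The following is an added example written for this article, not code from Sansec or from Claire's; the allowed-host list, thresholds and sample URLs are constructed assumptions.

```javascript
// Flag image loads that match the image-exfiltration pattern: the src points
// outside the store's own hosts and carries a large base64-looking payload.
// allowedHosts, the 200-char threshold and the sample URLs are assumptions.
const BASE64_RE = /^[A-Za-z0-9+/_-]+={0,2}$/;

function looksLikeBase64Blob(s, minLen) {
  return s.length >= minLen && BASE64_RE.test(s);
}

// Returns the reasons a request looks suspicious; an empty list means benign.
function classifyImageRequest(src, allowedHosts, opts = {}) {
  const minLen = opts.minPayloadLength || 200;
  let url;
  try {
    // Relative srcs resolve against the store itself (placeholder origin).
    url = new URL(src, "https://store.example");
  } catch (e) {
    return ["unparseable-src"];
  }
  const reasons = [];
  if (!allowedHosts.includes(url.hostname)) reasons.push("external-host");
  // The payload may ride in the raw query, a single parameter, or the path.
  const candidates = [
    url.search.slice(1),
    ...url.searchParams.values(),
    url.pathname.split("/").pop() || "",
  ];
  if (candidates.some((c) => looksLikeBase64Blob(c, minLen))) {
    reasons.push("base64-payload");
  }
  return reasons;
}

// Browser-side hook: report <img> nodes inserted dynamically that trip the
// classifier. Returns null outside a browser (no MutationObserver in Node).
function installImageWatcher(allowedHosts, report) {
  if (typeof MutationObserver === "undefined") return null;
  const obs = new MutationObserver((muts) => {
    for (const m of muts) {
      for (const n of m.addedNodes) {
        if (n.nodeName !== "IMG") continue;
        const reasons = classifyImageRequest(n.src, allowedHosts);
        if (reasons.length) report({ id: n.id, src: n.src, reasons });
      }
    }
  });
  obs.observe(document.documentElement, { childList: true, subtree: true });
  return obs;
}

const ALLOWED_HOSTS = ["store.example", "cdn.store.example"]; // constructed
```

In a real deployment the same check belongs in a Content-Security-Policy `img-src` allowlist with reporting enabled, which blocks the load rather than merely observing it.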
Claire’s runs on the Salesforce Commerce Cloud, previously known as Demandware, which is a hosted eCommerce platform, according to researchers. While Sansec doesn’t have insight into how the website was initially compromised, any of the usual suspects could have been a factor. Those could include leaked admin credentials, spearphishing of Claire’s employees or a compromised internal network.
Sansec also pointed out that it’s unlikely that a vulnerability in the Salesforce platform itself was exploited, given that the skimmer was injected directly into code hosted on Claire’s servers.
“So, there is no ‘supply-chain attack’ involved, and attackers have actually gained write access to the store code,” researchers said. “It is unlikely that the Salesforce platform got breached or that Salesforce is responsible for this incident.”
Also, the claires-assets[dot]com collection website was set up on March 21, a day after the Claire’s retail stores closed. Yet activity didn’t start until the last week in April — also suggesting that a known bug in Salesforce wasn’t the culprit. “The domain period between exfil domain registration and actual malware suggests that it took the attackers a good four weeks to gain access to the store,” according to the analysis.
That said, de Groot noted that “SaaS platforms like Salesforce, Shopify and BigCommerce have much better potential visibility into abuse of their platform, and increased ability to secure their customer base. While legally not culpable, one could argue that they could do more to scan or protect their stores.”
Sansec also said that Claire’s responded promptly when notified of the issue. The store issued a statement:
“Claire’s cares about protecting its customers’ data. On Friday, we identified an issue related to our e-commerce platform and took immediate action to investigate and address it. Our investigation identified the unauthorized insertion of code to our e-commerce platform designed to obtain payment card data entered by customers during the checkout process. We removed that code and have taken additional measures to reinforce the security of our platform.”
It also said that it’s working on determining which of its customers were affected by the incident, so it can issue notifications. For its part, Sansec is unsure of the scope of the activity.
“Since the interception happened in real time in the browsers of customers, we have no visibility in the scope of the theft,” de Groot told Threatpost. “Claire’s obviously knows, but I doubt they want to share that info.”