The website of popular skin care brand First Aid Beauty has been hacked by the infamous Magecart group, which embedded digital card skimmers on the site to steal visitors’ payment-card information. The skimmers were undetected on the website for more than five months.
First Aid Beauty is an independent skin card brand that was acquired by Proctor & Gamble in 2018. With more than 89,689 monthly web visitors to First Aid Beauty’s website, the potential scope of the breach is wide. Researcher Willem de Groot told Threatpost that he discovered the skimmer on the website, which had been active since May 5. The skimmer was only just removed on Friday after several attempts to contact Proctor & Gamble.
Digital card skimmers, which are scripts injected into websites to steal data that’s entered into online payment forms on e-commerce websites, are a favorite of groups under the Magecart umbrella. A de-obfuscated version of the Magecart skimmer code used on the First Aid Beauty website shows that it looks for website visitors’ credit card numbers, credit card owner name, expiration date and CVV number.
Interestingly, the malware does not activate for non-U.S. visitors or visitors who are running Linux, de Groot said – likely a defense mechanism to avoid security researchers: “Judging from the TTP, this is a smaller albeit relatively advanced actor,” de Groot told Threatpost. “I have not found this particular TTP in other cases, so it may be evolved practices or a new actor.”
De Groot said he notified FirstAidBeauty executives, and their support and social-media team, but no one responded; however, after tweeting about the incident on Friday, the Procter & Gamble incident response team quickly solved it.
Hacked: @ProcterGamble's https://t.co/qz62iHDazn has had a payment skimmer since May 5th. Fairly advanced: malware does not activate for non-US visitors, or if you run Linux (ie security researchers). pic.twitter.com/HAc7UunK5n
— gwillem (@gwillem) October 25, 2019
First Aid Beauty’s website is currently down, possibly as the company investigates the incident. Proctor & Gamble told Threatpost in a statement that First Aid Beauty’s e-commerce site software, hardware and data are separate and distinct from other Proctor & Gamble e-commerce sites, and “we have no indication at this time that any other Proctor & Gamble sites are impacted.”
“Consumer trust is fundamental to us, and we take data privacy very seriously. As soon as we learned about the compromise of the First Aid Beauty site, we moved quickly to take the site down and minimize the impact to our consumers,” a Proctor & Gamble spokesperson told Threatpost. “We are currently investigating the source of the malware and working to identify and notify those consumers who might have been impacted to ensure we provide them the necessary support.”
Magecart, in operation since 2015, is a collection of groups that have been blamed for an array of high-profile breaches – from Ticketmaster to British Airways. Skimmers be injected directly into websites (as is the case with First Aid Beauty), or through compromised third-party suppliers used by sites.
More recently, in August it was disclosed that more than 80 global eCommerce sites were actively compromised by Magecart groups, while a September report found that a faction of the Magecart threat group is testing code that targets routers used to provide free or paid Wi-Fi services in public spaces and hotel.
The attack also comes as the FBI issued an alert about e-skimming last week, warning that small and medium-sized businesses and government agencies that take credit card payments online may be susceptible to Magecart attacks. De Groot for his part said that the cybercriminals continue to pose a significant threat to both websites and their visitors.
“Websites can protect against Magecart by running server-side malware and vulnerability detection software minimizing the amount of Javascript on their checkout pages and using SRI [Subresource Integrity; which makes sure that the files that web applications loads externally have not been replaced or tampered by a third-party] and CSP [Content Security Policy; which allows site owners to specify which domains the browser should consider trusted sources of scripts] technology to ensure integrity of third party Javascript assets,” he told Threatpost.