The fashion retailer Claire’s was recently a victim of a Magecart attack, according to an investigation by Sansec. During the last week of April, malicious JavaScript code was added to the online stores of Claire’s and its subsidiary company, Icing. The malicious code was responsible for skimming customer information during checkout and was live until June 13th. No cause has been identified yet, though Sansec lists leaked credentials, spear phishing and a compromised network as possible ways a threat actor may have gained access to modify the sites.
Analyst Notes
Analyst Notes: Any customers who entered details into a checkout on either Claire’s or Icing online stores should keep a close eye on their bank statements for unfamiliar charges. Stolen credit cards are not always used immediately, so regularly checking bank statements is a good habit to get into. It is important to note that a customer does not always need to complete checkout for Magecart-style attacks to be successful. Site administrators should consider File Integrity Monitoring (FIM) solutions to monitor webroot directories. With FIM, administrators can be alerted to any file modifications that may happen in monitored directories, quickly putting a stop to these types of attacks. It is also important to monitor scripts hosted on third-party servers for modifications or use a sandbox technology that prevents third-party scripts from unauthorized actions such as stealing user input in form fields. Finally, monitoring workstations and servers for unusual behavior can provide early warning when attackers gain control of systems and allow security personnel to respond by cutting off the attacker’s access.
Source: https://sansec.io/research/magecart-corona-lockdown
