Threat actors have hacked the websites of the U.S. based jewelry and accessory giant Claire’s, and its subsidiary Icing, the security breach took place in April and attackers may have gained access to customer’s credit cards.
Claire’s is an American retailer of accessories, jewelry, and toys primarily aimed toward girls, tweens and teens, it has over 2,000 locations in North America and Europe, and 6,794 concession locations and 546 franchised stores in other regions.
Researchers from cybersecurity firm Sansec reported that the company’s website was the victim of a Magecart attack.
Hackers compromised the website injecting a malicious script in multiple sections to steal payment card data submitted by users while purchasing products from the site.
Threat actors attempted to benefits of the increase of the online purchases due to the lockdown in response to the COVID-19 pandemic.
Attackers created a domain named ‘claires-assets.com’ as part or the Magecart attack. The domain remained inactive since April, between April 25 and 30 the attackers compromised the official Claire’s website and injected a malicious script into the claires.com, and their subsidiary icing.com, websites.
“Claire’s, a fashion retailer, closed all of its 3000 brick & mortar stores worldwide on March 20th. The next day, the domain claires-assets.com was registered by an anonymous party:” reads the report published by Sansec.
“The malware was added to the (otherwise legitimate) app.min.js file. This file is hosted on Salesforce servers, so there is no “Supply Chain Attack” involved, and attackers have actually gained write access to the server running the store,”
This malicious script waits for a customer to check out and then attempts to steal their payment information by sending it as arguments to an image URL on https://claires-assets.com/, which belongs to the attackers.
The e-skimmer was added to the submit button of the checkout form. Upon clicking the button, the full “Demandware Checkout Form” is grabbed, serialized and base64 encoded. Stolen data are sent as arguments to a temporary image URL on https://claires-assets.com/, which is the website set up by the attackers.
Sansec researchers shared their findings with Claire’s IT staff that removed the software skimmer on Saturday.
Customers who made purchases on Claire’s website between April 25th and April 30th, should contact their credit card company and monitor statements for fraudulent purchases.
(SecurityAffairs – Claire’s, hacking)