Threat actors have hacked the websites of the U.S. based jewelry and accessory giant Claire’s, and its subsidiary Icing, the security breach took place in April and attackers may have gained access to customer’s credit cards.
Claire’s is an American retailer of accessories, jewelry, and toys primarily aimed toward girls, tweens and teens, it has over 2,000 locations in North America and Europe, and 6,794 concession locations and 546 franchised stores in other regions.
Researchers from cybersecurity firm Sansec reported that the company’s website was the victim of a Magecart attack.
Hackers compromised the website injecting a malicious script in multiple sections to steal payment card data submitted by users while purchasing products from the site.
Threat actors attempted to benefits of the increase of the online purchases due to the lockdown in response to the COVID-19 pandemic.
Attackers created a domain named ‘claires-assets.com’ as part or the Magecart attack. The domain remained inactive since April, between April 25 and 30 the attackers compromised the official Claire’s website and injected a malicious script into the claires.com, and their subsidiary icing.com, websites.
“Claire’s, a fashion retailer, closed all of its 3000 brick & mortar stores worldwide on March 20th. The next day, the domain claires-assets.com was registered by an anonymous party:” reads the report published by Sansec.
“The malware was added to the (otherwise legitimate) app.min.js file. This file is hosted on Salesforce servers, so there is no “Supply Chain Attack” involved, and attackers have actually gained write access to the server running the store,”
This malicious script waits for a customer to check out and then attempts to steal their payment information by sending it as arguments to an image URL on https://claires-assets.com/, which belongs to the attackers.
The e-skimmer was added to the submit button of the checkout form. Upon clicking the button, the full “Demandware Checkout Form” is grabbed, serialized and base64 encoded. Stolen data are sent as arguments to a temporary image URL on https://claires-assets.com/, which is the website set up by the attackers.
Sansec researchers shared their findings with Claire’s IT staff that removed the software skimmer on Saturday.
Customers who made purchases on Claire’s website between April 25th and April 30th, should contact their credit card company and monitor statements for fraudulent purchases.
(SecurityAffairs – Claire’s, hacking)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.