Fashion retailer chain Claire’s is the latest victim of a Magecart payment attack.
Security researchers with Sansec say after Claire’s was forced to close physical locations due to the pandemic in late March, the domain claires-assets.com was registered by an anonymous party and eventually used to steal information.
“Following common Magecart malpractice, payment skimmers were injected and used to steal customer data and cards,” Sansec researchers noted in a noted in a blog post on the attack.
Initially the researchers did not observe suspicious activity, but in the last week of April, malicious code was added to the online stores of Claire’s and its sister brand Icing. The injected code would intercept any customer information that was entered during checkout, and send it to the claires-assets.com server. The malware was present until June 13th, according to Sansec.
“The timeline may indicate that attackers anticipated
a surge in online traffic following the lockdown”
“The timeline may indicate that attackers anticipated a surge in online traffic following the lockdown,” Sansec said in the post. “The period between exfil domain registration and actual malware suggests that it took the attackers a good four weeks to gain access to the store. The actual root cause is as of yet unknown. Possible causes are leaked admin credentials, spearphishing of staff members and/or a compromised internal network.”
Sansec notified Claire’s and the retailer responded immediately.
“On Friday, we identified an issue related to our e-commerce platform and took immediate action to investigate and address it,” said Claire’s officials in a statement. “Our investigation identified the unauthorized insertion of code to our e-commerce platform designed to obtain payment card data entered by customers during the checkout process. We removed that code and have taken additional measures to reinforce the security of our platform. We are working diligently to determine the transactions that were involved so that we can notify those individuals.”