A Magecart credit card skimmer scheme used on Canadian fitness equipment retailer Fitness Depot's e-commerce system Feb. 18 affected an undisclosed number of customers requesting either at-home delivery or in-store pickup at one of the company's 40 stores.
A bogus form placed on the Fitness Depot website managed to capture names, addresses, email addresses, telephone numbers and credit-card numbers used in the transactions, which are processed are through PayPal.
“Once our customers were redirected to this form the customer information was copied without the authorization or knowledge of Fitness Depot,” the retailer stated in a breach notification letter and apology to potential victims, adding that upon learning of the hack March 20, it immediately shut down this service and launched an investigation.
The incident is the latest in what has become an all-too-familiar refrain.
Ameet Naik, security evangelist at PerimeterX, provided the following comments:
“The attackers in this case redirected users to a fake checkout page that was completely controlled by the malicious party," said Ameet Naik, security evangelist at PerimeterX. "This is a common technique seen in Magecart attacks where the attackers are able to completely bypass all security controls present on the legitimate website, such as CSP or iframes."
Based on its preliminary findings, Fitness Depot said it appears its Internet Service Provider neglected to activate the anti-virus software on its account.
"Businesses need to ensure they adequately protect their web infrastructure and don’t rely on their ISP for this," said Naik, adding that "consumers shopping online need to be on the alert for errors during the checkout process, which could indicate a compromise.”