International retailer Claire’s, whose fashion accessories are popular with tweens and teenagers, was hit with a Magecart scheme that skimmed PPI, including credit card data, for nearly two months.
Discovered by researchers at security firm Sansec, the malware injection began on April 20 and stopped on June 13. The skimming began on March 20, the day after the retailers closed all its 3,000 stores. An anonymous party reserved the claires-assets.com URL that ultimately unleashed the attack, whose financial damage is unknown, on a server hosted on the Salesforce Commerce Cloud, previously known as Demandware.
On June 12, Sansec informed Claire’s of its discovery, and the retailer took immediate action to investigate and address the breach by removing the code and taking additional measures to reinforce the security of the e-commerce platform.
According to Sansec, it’s unlikely the Salesforce platform itself was breached or that Salesforce was responsible for Claire’s hacking.
Claire’s stated it is working diligently to determine the transactions that were involved so it can notify impacted individuals, and added that credit cards used in its retail stores were not affected by the attack, which the retailer notified payment card networks and law enforcement.
The scheme unfolded as a preloader skimmer attached itself to the otherwise legitimate app.min.js file hosted on the retailer’s servers. Consequently, attackers gained write access to the store code because no “Supply Chain Attack” had been involved.
The skimmer then attached a submit button to the checkout form. Upon clicking, the full “Demandware Checkout Form” is grabbed, serialized and base64 encoded.
A temporary image was added to the DOM with the __preloader identifier with the image located on the attacker’s server. Since all the customer-submitted data was appended to the image address, the attacker received the full payload and the image element was removed. Sansec suspects that attackers deliberately chosen an image file for exfiltration, because image requests are not always monitored by security systems.
The timeline between the exfil domain registration and malware installation suggests that it took the attackers four weeks to gain access to the store.