The insidious Magecart threat group has struck again – this time hitting VisionDirect in a data breach that sucked up customer’s personal details and payment card information.
In a data-breach notice posted over the weekend, the popular European contact lenses merchant said that the breach occurred between Nov. 3 and 8 and that the “personal and financial details” of customers were compromised. That data includes full names, addresses, telephone numbers, email addresses, passwords and payment card data (card numbers, expiration dates and CVV numbers).
“The stolen data included personal and financial details of customers logging in and making changes on the VisionDirect.co.uk website,” the company said. “VisionDirect has taken the necessary steps to prevent any further data theft, the website is working normally, and we are working with the authorities to investigate how this theft occurred.”
VisionDirect did not say how many customers were impacted; however, customers who logged in to or updated their accounts between the data breach dates (Nov. 3 to Nov. 8) were impacted. The information was compromised as it was being entered into the site, so any existing personal data that was previously stored in the company’s database was not impacted by the breach, the company stressed.
VisionDirect UK as well as an array of other websites owned by the company were impacted.
Magecart Group Pinned
VisionDirect did not give any indication about who was behind the breach or how the cybercriminals were able to collect customers’ private data. However, researchers on Twitter discussing the breach assumed the culprit to be a Javascript keylogger on the company’s site, which was eventually linked to the Magecart group.
Security consultant Willem de Groot attributed the attack to the Magecart threat group based on similarities in the code used in a skimming campaign he had traced as far back as September.
Magecart is known for its use of web-based, digital card skimmers, which use scripts injected into websites to steal data that’s entered into online payment forms on e-commerce websites directly or through compromised third-party suppliers used by these sites.
The bad actor essentially embedded bad code that purported to be Google Analytics into a hosted JavaScript library – in this case various VisionDirect domains, according to researchers like Troy Mursch said on Twitter.
That’s exactly what it was. The data was stolen via a fake Google Analytics script: https://g-analytics[.]com/libs/1.0.16/analytics.js – you can view a copy of the JS via the @urlscanio archive of https://t.co/TV22dxvCcK https://t.co/SFi5Wp4gm3 pic.twitter.com/rY13cMR2TL
— Bad Packets Report (@bad_packets) November 18, 2018
When a visitor goes to that website, the Magecart group’s malware will then collect personal details entered on the site – such as payment-card information.
While the script looked like that of Google Analytics, the script (google-analytic[.]com) is not owned by Google, said de Groot.
“MageCart is the name for a modus operandi for at least eight distinct groups,” de Groot told Threatpost. “The VisionDirect breach can be linked to a large number of other breaches, based on the code style that were used. In this case, the breach is related to several payment exfiltration domain that we saw earlier, such as g-statistic[.]com, google-analytic[.]com, msn-analytics[.]com.”
The Magecart group, in operation since 2015, has been blamed for an array of recent breaches, including one of the most prolific card-stealing operations seen in the wild to date, as well as a massive breach of Ticketmaster earlier in the year.
To avoid future Magecart e-commerce attacks, potential victims should monitor their accounts for identity theft, Craig Young, computer security researcher for Tripwire, said.
“For victims, if the account you have has been compromised, then you may be more impacted than you realize and it is imperative you locate and change the security details linked to the stolen credentials,” he said. “Following this, it’s imperative that all accounts are regularly monitored for identity theft. Fortunately, credit cards have decent fraud detection technologies in place to limit an attacker’s use of your credit card, and anything that gets through can eventually be credited back to your account.”