Breach Notification , Cloud Security , Cybercrime
Claire's: Magecart E-Commerce Hackers Stole Card Data
Magecart Gangs Targeting Larger Organizations During Lockdown, Researcher WarnsJewelry and accessories retailer Claire's says e-commerce platform hackers, using Magecart tactics, have stolen an unknown amount of its customers' payment card data.
See Also: Gartner Guide for Digital Forensics and Incident Response
The attackers appear to have infiltrated the company's Salesforce Commerce Cloud environment for at least seven weeks, although the security firm that spotted the breach says there's no indication that the underlying Salesforce platform itself had a flaw or was hacked.
Claire's is an accessories, jewelry and toy retailer - a fixture in many malls and shopping centers - that has nearly 3,500 locations worldwide as well as e-commerce operations, and is based in Hoffman Estates, Illinois.
The retailer says the breach only affected online sales and not any cards used in its physical stores.
The hack attack was spotted and reported directly to Claire's by Netherlands-based security firm Sansec, which regularly searches for signs of Magecart-style attacks. Such attacks typically involve attackers sneaking attack code onto sites that accept payment cards. Previous victims of this style of attack have included British Airways and Ticketmaster UK.
Claire's appears to have gotten hit at least two months ago. "Fashion retailer Claire's got 'Magecarted' right after locking down for COVID," Dutch security researcher Willem de Groot, lead forensic analyst and founder of Sansec - formerly known as Sanguine Security - tells Information Security Media Group. "They run on Salesforce Commerce Cloud, which is a rare target for a Magecart hack."
Claire's confirmed the breach to ISMG. "On Friday, we identified an issue related to our e-commerce platform and took immediate action to investigate and address it. Our investigation identified the unauthorized insertion of code to our e-commerce platform designed to obtain payment card data entered by customers during the checkout process."
"We removed that code and have taken additional measures to reinforce the security of our platform," it says. "We are working diligently to determine the transactions that were involved so that we can notify those individuals." The company says it has already alerted law enforcement as well as card issuers. "We regret that this occurred and apologize to our customers for any inconvenience caused," it adds.
Magecart Hits Continue
Magecart refers to the types of card-scraping tools, used by a number of criminals, which provide so-called digital card skimming or scraping capabilities that allow them to steal card data from e-commerce platforms.
"Magecart is simply the term we have for an MO that is as follows: 'Webskimming for payment information,'" Yonathan Klijnsma, a threat researcher at RiskIQ, previously told ISMG (see: Magecart Cybercrime Groups Harvest Payment Card Data).
The first such attacks involved sneaking JavaScript into e-commerce pages that would copy card data and send it to attackers. Since then, however, researchers say attack capabilities, and the malicious infrastructure being used, have continued to evolve - and have continued to be effective. By the end of 2018, researchers said that more than 100,000 different e-commerce sites had been infected - and in some cases re-infected - with Magecart code.
After stealing payment card data, Magecart attackers will typically route the data to underground credit card shops for sale, according to security firm RiskIQ. From there, buyers will then typically use money mules to try to convert the payment card numbers into cash or to buy and ship stolen goods.
Hackers Struck After Claire's Closed Stores
The attack against Claire's appears to have been timed to coincide with the firm closing its physical stores on March 20. "The next day, the domain claires-assets.com was registered by an anonymous party," Sansec's threat research team says in a Monday blog post.
"For the next four weeks, Sansec did not observe suspicious activity. But between April 25 and 30, malicious code was added to the online stores of Claire’s and its sister brand Icing," it says. "The injected code would intercept any customer information that was entered during checkout, and send it to the claires-assets.com server."
Attackers tweaked a legitimate file - app.min.js - to make it malicious. "This file is hosted on the store servers, so there is no 'supply chain attack' involved, and attackers have actually gained write access to the store code," Sansec says.
To exfiltrate the data, attackers' code would create a temporary image, append the stolen data to it, transfer the file and then delete the image, Sansec says. "We suspect that attackers have deliberately chosen an image file for exfiltration, because image requests are not always monitored by security systems."
Lockdown Tactic: More Targeted Attacks
The Claire's hit shows that Magecart attacks haven't gone away during the COVID-19 crisis, which resulted in some countries ordering residents to stay at home starting in February, and others following suit in March (see: Magecart Group Hits Small Businesses With Updated Skimmer).
But attackers' tactics appear to have been changing. "We have registered a shift in skimming from smaller to larger stores since Corona," de Groot says. "We believe that threat actors increasingly target specific stores, instead of just launching mass scanners/exploits."
Salesforce Hosts E-Commerce Portal
Although Claire's e-commerce site is hosted by San Francisco-based Salesforce, Sansec says it doesn't appear that the Salesforce platform itself got hacked, but rather only Claire's cloud instance. "The affected stores are hosted on the Salesforce Commerce Cloud, previously known as Demandware," Sansec says. "This is a hosted e-commerce platform that serves some of the biggest stores globally. While the actual root cause is yet unknown, it is unlikely that the Salesforce platform got breached or that Salesforce is responsible for this incident."
Hits against organizations that have their e-commerce platform hosted by Salesforce are rare. "Previously compromised stores that use the Salesforce platform are U.K. outlet Sweaty Betty," which got hit in November 2019, as well as Hanna Andersson, which got hit in September 2019, Sansec says.
Salesforce didn't immediately respond to a request for comment about these attacks, how they occurred and what best practices Salesforce Commerce Cloud customers should be following to protect themselves.
"The Salesforce platform did not get compromised, or many other stores would have been affected as well," de Groot says.
Potential explanations for the breaches include attackers managing to either brute-force or steal each victim organization's Salesforce Commerce Cloud credentials. Other possible attack vectors include "leaked admin credentials, spear-phishing of staff members and/or a compromised internal network," Sansec reports.
Is Salesforce Culpable?
Security experts say Salesforce regularly scans its environments for signs of attack. So, should it have spotted and mitigated the attack against Claire's cloud instance?
Such a question is the focus of a February lawsuit, seeking class action status, filed against both Portland, Oregon-based clothing retailer Hanna Andersson, and Salesforce, which hosts the company's e-commerce platform, as news site Classaction.org has reported.
The breach-related lawsuit was filed in San Francisco federal court by Addi Jadin of Bozeman, Montana. It may have begun on Sept. 16, 2019, say digital forensic investigators hired by Hanna, according to a data breach notification issued by the company in January. It says the attack was mitigated on Nov. 11, 2019, when the malicious code was removed.
Stolen information may have included each customer's name, billing and shipping address, payment card number, CVV code and expiration date, according to the lawsuit.
The company said in its breach notifications to state attorneys general that it had first learned from law enforcement about the breach on Dec. 5, 2019, and that stolen card data was being sold on cybercrime forums.
The lawsuit alleges that Hanna and Salesforce acted negligently and in violation of the California Unfair Competition Law - in part because of a failure to adequately protect customers' personally identifiable information. "The fact that the PII is available for purchase on the dark web indicates that the PII was not protected with sufficient and adequate encryption," the lawsuit alleges.
The lawsuit also notes that the malware planted in Hanna Andersson's hosted site was expunged last November, but the company says it only learned of the malware last December. Hence, the lawsuit questions whether Salesforce had found and expunged the malware, potentially without alerting Hanna directly, or Hanna's customers.
"Salesforce should have also notified affected individuals directly about the data breach," the lawsuit states.