US children's apparel maker and online retailer Hanna Andersson disclosed that its online purchasing platform was hacked and malicious code was deployed to steal customers' payment info for almost two months.
In this type of attack, dubbed Magecart, threat actors hack into vulnerable e-commerce platforms used by online stores and inject malicious JavaScript-based scripts into checkout pages.
The scripts, known as web skimmers or e-skimmers, are then used to collect the customers' payment info and send it to attacker-controlled remote sites.
The groups behind Magecart attacks have been active since at least 2010 according to a RiskIQ report, and they are known to target Magento-powered online shops, as well as OpenCart, PrismWeb, and OSCommerce-powered stores.
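A defender-side check for the injection pattern described above, as an added example that is not part of the original article: it lists the hosts a checkout page loads scripts from and flags any host outside an allowlist, as well as allowed third-party scripts loaded without Subresource Integrity. The markup, hostnames and allowlist are constructed for illustration, and the regex tag scan is a simplification of real HTML parsing.

```javascript
// Added example: audit which hosts a checkout page loads scripts from.
// The markup, hostnames and allowlist below are constructed, not taken from any real site.
const SAMPLE_CHECKOUT_HTML = `
<html><head>
  <script src="/static/js/checkout.js"></script>
  <script src="https://cdn.payments.example/v3/sdk.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
  <script src="https://cdn.analytics.example/tag.js"></script>
  <script src="//unexpected-app.example.net/lib.js"></script>
</head><body><form id="payment"></form></body></html>`;

// Hosts the store owner has approved for script loading (assumed baseline).
const ALLOWED_SCRIPT_HOSTS = new Set([
  "shop.example",
  "cdn.payments.example",
  "cdn.analytics.example",
]);

// Returns one finding per <script src> that needs review.
function auditCheckoutScripts(html, pageUrl, allowedHosts) {
  const pageHost = new URL(pageUrl).host;
  const findings = [];
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    const srcMatch = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (!srcMatch) continue; // inline scripts are out of scope for this check
    // Resolve relative and protocol-relative URLs against the page URL.
    const url = new URL(srcMatch[1], pageUrl);
    const hasSri = /\bintegrity\s*=\s*["'][^"']+["']/i.test(attrs);
    if (!allowedHosts.has(url.host)) {
      // A script host nobody approved: the highest-priority finding.
      findings.push({ issue: "unlisted-host", host: url.host, src: url.href });
    } else if (url.host !== pageHost && !hasSri) {
      // Approved third party, but its content can change without the page noticing.
      findings.push({ issue: "third-party-without-sri", host: url.host, src: url.href });
    }
  }
  return findings;
}

const findings = auditCheckoutScripts(
  SAMPLE_CHECKOUT_HTML, "https://shop.example/checkout", ALLOWED_SCRIPT_HOSTS);
for (const f of findings) console.log(`${f.issue}: ${f.src}`);
```

Run against a rendered checkout page on a schedule, a change in the findings list is a signal to review what was added to the page and by whom.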
Attack discovered after credit cards landed on the dark web
Email notifications sent to customers say that Hanna Andersson was informed by law enforcement on December 5, 2019, that "credit cards used on its website were available for purchase on a dark web site."
The subsequent investigation confirmed that Hanna Andersson's "third-party ecommerce platform, Salesforce Commerce Cloud, was infected with malware that may have scraped information entered by customers into the platform during the purchase process.
The earliest potential date of compromise identified by forensic investigators is September 16, 2019, and the malware was removed on November 11, 2019."
While Hanna Andersson's investigation into the security incident revealed that not all of the customers who paid using their payment cards through the Salesforce Commerce Cloud (previously known as Demandware) were affected, it was not able to pinpoint the ones who were.
Because of this, the retailer will notify all customers that made purchases on the site during that period as detailed in a notice of security incident sent to the authorities.
"The incident potentially involved information submitted during the final purchase process on our website, www.hannaandersson.com, including name, shipping address, billing address, payment card number, CVV code, and expiration date," says the notice.
The company secured their site's online purchasing platform after the incident and hardened it against future compromise, and is currently helping payment card brands and law enforcement with their investigations of the attack.
In addition, as an added benefit to help protect your identity, we are offering MyIDCare identity theft protection services through ID Experts. MyIDCare services include: 12 months of credit and CyberScan monitoring, a $1,000,000 insurance reimbursement policy, and fully managed id theft recovery services. - Hanna Andersson
Salesforce Commerce Cloud hit again
"Although I don't have the details on this specific case, it's likely attackers used a vulnerability to inject malicious code within the CMS, as they did before," Malwarebytes security researcher Jérôme Segura told BleepingComputer.
The previous case Segura is referring to is that of UK retailer Sweaty Betty, which also got hacked and had its customers' payment information stolen for over a week, between November 19th, 2019 and November 27th, 2019.
"Contrary to most Magecart hacks that happen on Magento, Sweaty Betty runs Demandware, which is popular among the biggest stores," Magecart security expert Willem de Groot of Sanguine Security Labs told BleepingComputer at the time.
Demandware is now known as Salesforce Commerce Cloud after the enterprise cloud commerce platform was acquired by Salesforce back in 2016.
The Salesforce Commerce Cloud platform is used by over 2,800 currently live websites according to BuiltWith stats.
Salesforce's cloud platform-as-a-service (PaaS) Heroku is also being abused by Magecart attackers to host their skimmers, as Malwarebytes' Threat Intelligence team discovered in December 2019.