Multiple European websites for the Perricone MD anti-aging skin-care brand have been compromised with scripts that steal customer payment card info when making a purchase.

Two MageCart groups were competing for the credit card data on Perricone MD websites in the U.K., Italy, and Germany, but current evidence shows that only one exfiltrated the details successfully.

Two scripts, one winner

The first malicious script was planted on the Perricone websites more than a year ago, in November 2018. It was supposed to deliver the card data to the attacker's domain but a coding error prevented it from loading.

Even if the script worked as intended by the attacker, it still stood no chance to skim the payment data. That's because the second, more complex script, detected the competing web skimmer and altered the code so that the host domain could not be reached to download the malicious script.

Sam Jenkins of RapidSpike found that the buggy code attempted to contact js-react[.]com, a domain that is known to security researchers from many other breaches of websites running a vulnerable version of the Magento e-commerce platform.

This looks like the same bullying scenario documented in November 2018, where Group 9 and 3 clashed on the websites of Umbro Brazil and the B.Liv online cosmetics shop.

The sabotaging script was injected on the Perricone websites in November last year and loaded only on the checkout page to stay undetected. Hiding its presence on the compromised was also done by using a domain similar to that of the victim's - perriconemd.me[.]uk.

Checking the malicious domain, Jenkins found it was on a server in Japan (124.156.210.169) that hosted other domains associated with illegal activity like data breaches and credit card theft:

  • ajaxstatic.com
  • section.ws
  • jspack.pro
  • cdndeskpro.com
  • kegland.top
  • lightgetjs.com
  • rackapijs.com
  • lightgetjs.com
  • autojspack.com
  • fbpixelget.com
  • gstaticapi.com

RapidSpike contacted Perricone MD and disclosed the issues on the websites, also offering their help to fix the problem. However, after the security researchers shared the details, communication stopped.

The malicious code is still present on the three Perricone MD's websites but it does not load for all customers. Jenkins speculates that this behavior might be caused by the code filtering the victims based on country or on the device used to access the websites, but at the moment he has no evidence to support this theory.

Perricone MD customers that made a purchase last year should check for irregular card transactions and report any of them to the bank.

Related Articles:

Fraud network uses 4,700 fake shopping sites to steal credit cards

HIBP notifies 57 million people of Hot Topic data breach

Over a thousand online shops hacked to show fake product listings

Over 4,000 Adobe Commerce, Magento shops hacked in CosmicSting attacks