UPDATED 22:38 EDT / JUNE 15 2020

SECURITY

Customer payment data stolen in Magecart attack on tween retailer Claire’s

Tween retailer Claire’s Stores Inc. is the latest victim of a Magecart attack in which the payment details of customers were stolen.

Discovered by security researchers at Sansec BV and published today, the attack began in the last week of April and was present through June 13. Magecart is a form of attack that hijacks customer information at the point of sale on websites, stealing all the details a customer inputs into a site to purchase a product or service.

Those behind the attack registered the domain name claires-assets.com on May 21, one day after the store closed all of its physical locations because of the COVID-19 pandemic. The code, which used the fake domain name to capture user data, was inserted directly onto the company’s server, as well as that of sister brand Icing, indicating that the attackers gained write access to the store code.

As is typical in Magecart attacks, the skimmer was attached to the submit button on the checkout form for Claire’s. In this case, the malware was added to the app.min.js file, a legitimate file hosted on the store’s server. Once users clicked on the submit button, the code would intercept all customer information, render it as an image, encode it and then send it to the fake domain name. An image file is believed to have been chosen because image requests are not always monitored by security systems.
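One way a defender could watch for the image-based exfiltration described above, shown as an added example that is not part of the original article or of Sansec's research. The record schema, the allow-list and every hostname are assumptions, and the sample records are constructed:

```python
import re
from urllib.parse import urlsplit, unquote

# Hosts the checkout page is expected to load images from (assumed allow-list).
ALLOWED_IMAGE_HOSTS = {"shop.example", "cdn.shop.example"}

# A long run of base64/base64url characters: normal for encoded form data,
# unusual for an ordinary image URL parameter.
ENCODED_RUN = re.compile(r"^[A-Za-z0-9+/_-]{64,}={0,2}$")

def host_allowed(host, allowed):
    """True for an exact match or a subdomain of an allow-listed host."""
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowed)

def flag_image_exfil(records, allowed=ALLOWED_IMAGE_HOSTS):
    """Return (url, reason) for checkout-page image requests to off-list hosts.

    Each record is a dict with 'page', 'type' and 'url' keys (assumed schema,
    e.g. exported from a web proxy or browser-side request reporting).
    """
    findings = []
    for rec in records:
        on_checkout = urlsplit(rec["page"]).path.startswith("/checkout")
        if rec["type"] != "image" or not on_checkout:
            continue
        parts = urlsplit(rec["url"])
        if host_allowed(parts.hostname or "", allowed):
            continue
        # Split the query by hand: parse_qsl would turn base64 '+' into spaces.
        pairs = (p.partition("=") for p in parts.query.split("&") if p)
        encoded = [k for k, _, v in pairs if ENCODED_RUN.match(unquote(v))]
        reason = "off-list image host"
        if encoded:
            reason += ", encoded payload in parameter(s): " + ",".join(encoded)
        findings.append((rec["url"], reason))
    return findings

# Constructed sample records; all hostnames are placeholders.
CHECKOUT = "https://shop.example/checkout"
SAMPLE = [
    {"page": CHECKOUT, "type": "image", "url": "https://cdn.shop.example/img/logo.png?v=3"},
    {"page": CHECKOUT, "type": "script", "url": "https://shop.example/js/app.min.js"},
    {"page": CHECKOUT, "type": "image", "url": "https://shop-assets.example/p.png?d=" + "QUJD" * 40},
    {"page": "https://shop.example/home", "type": "image", "url": "https://ads.example/banner.jpg"},
]

if __name__ == "__main__":
    for url, reason in flag_image_exfil(SAMPLE):
        print(reason, "->", url[:60])
```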

“The timeline may indicate that attackers anticipated a surge in online traffic following the lockdown,” the researchers noted. “The period between exfil domain registration and actual malware suggests that it took the attackers a good four weeks to gain access to the store.”

Claire’s confirmed the attack, saying in a statement that it had identified the unauthorized insertion of code in its e-commerce platform designed to obtain payment card data entered by customers during the checkout process. “We removed that code and have taken additional measures to reinforce the security of our platform,” the company said. “We are working diligently to determine the transactions that were involved so that we can notify those individuals.”

Magecart attacks first emerged in 2018 with an attack on British Airways Plc., spreading to Newegg Inc., the Infowars Store, Cathay Pacific Airways Ltd., Ticketmaster Entertainment Inc., Macy’s Inc., Sweaty Betty and Oxo International Ltd. More recent attacks include Blue Bear Software and Focus Camera Inc. in January and blender maker NutriBullet LLC in March.

“There are several prevention techniques for Magecart attacks and of course the attacks constantly evolve,” Brent Johnson, chief information security officer at payment security firm Bluefin Payment Systems LLC, told SiliconANGLE. “Depending on the size and sophistication of a website, prevention can become very difficult. If your site relies on code from a third party that’s been infected, the result is the same.”

Photo: Mike Mozart/Wikimedia Commons
