Customer payment data has been stolen from JM Bullion, a Texas-based online buyer and seller of precious metals, in a suspected Magecart attack.

According to a notice sent to customers recently, suspicious activity on its website was first detected on July 6 and involved malicious code that was later found to be present on the JM Bullion website from Feb. 18 to July 17.

The company officially describes the code as having the ability to “capture customer information entered into the website in limited scenarios while making a purchase.” It also noted that the data “potentially impacted” by the incident included names, addresses and payment card information including account number, card expiration date and security code.

The description fits Magecart to a tee. A typical Magecart attack involves malicious skimming code, usually via JavaScript attached to the submit button on the checkout form with the payment data captured with a purchase. Once users click on the submit button, the code intercepts all customer information, renders it as an image, encodes it and then sends it to the fake domain name.

Magecart, which first emerged in 2018, has targeted dozens of companies. Prominent victims include Newegg Inc., the Infowars Store, Cathay Pacific Airways Ltd., Ticketmaster Entertainment Inc., Macy’s Inc., Sweaty Betty and Oxo International Ltd.

Exactly how many customers may have had their data stolen in this attack is unknown. JM Bullion claims to have processed more than $3 billion in transactions over the last eight years.

Ilia Kolochenko, founder and chief executive officer of web security company ImmuniWeb, told SiliconANGLE it’s likely the company could face harsh monetary penalties. “A COVID-19 defense to mitigate the amount of fine will likely be inapplicable here like in the recent British Airways or Marriott cases,” he said. “Moreover, in view of the circumstances, individual and class action lawsuits from the victims have excellent chances of success to obtain considerable monetary compensation, likely in a form of a settlement.”

Saryu Nayyar, chief executive officer of unified security and risk analytics company Gurucul Solutions Pvt Ltd. A.G., said the attack against JM Bullion is concerning for two main reasons.

“The first is the five-month dwell time the attackers had between initially compromising JM Bullion’s website and the eventual remediation,” she said. “The second is the additional three months between their remediating the breach and notifying the users who may have been affected. Neither of those statistics inspires confidence, which is even more of an issue in the Financial Services and Commodities sectors.”

In any case, Nayyar added, it appears there are some gaps in JM Bullion’s security stack. “A complete stack, including behavioral analytics, should have been able to identify the breach quickly, preventing the potential damage to their customer base,” she said.

Image: JM Bullion