Claire's got 'Magecarted', Unknown Amount of Customer Payment Card Data Exposed

Hey, y’all! How’s everything going?

Today’s blog is going to be about Claire’s - Illinois-based accessories, jewellery, and toy retailer. They have approximately 3,500 physical locations worldwide and conduct e-commerce operations as well. This tween accessories specialist got hit by Magecart during the lockdown due to COVID-19. They claim e-commerce platform hackers stole an unknown amount of customer payment card data, using Magecart tactics.  


Claire’s Salesforce Commerce Cloud environment was compromised for at least 7 weeks. However, the security firm that discovered the breach states that there’s no evidence that the Salesforce platform itself had flaws or was hacked. Apparently, only online sales were affected by the breach; not cards used in physical stores. A Magecart credit-card skimmer was used to attack online customers of the retailer Claire’s for a month and a half.  

Netherlands-based security firm, Sansec (formerly known as Sanguine Security), found and reported the attack straight to Claire’s. Sansec frequently looks out for Magecart-style attacks. These attacks normally entail injecting malicious code onto sites that deals with payment cards. British Airways and Ticketmaster UK are previous victims of Magecart attacks. 

This is what Dutch security researcher Willem de Groot, lead forensic analyst and founder of Sansec, says about the incident: 

"Following common Magecart malpractice, payment skimmers were injected and used to steal customer data and cards. Fashion retailer Claire's got 'Magecarted' right after locking down for COVID-19. They run on Salesforce Commerce Cloud, which is a rare target for a Magecart hack."

This is what Claire’s had to say about the breach: 

"We identified an issue related to our e-commerce platform and took immediate action to investigate and address it. Our investigation identified the unauthorized insertion of code to our e-commerce platform designed to obtain payment card data entered by customers during the checkout process. We removed that code and have taken additional measures to reinforce the security of our platform."

Currently, Claire’s is working on identifying affected transactions so they can notify individuals who are involved. Apparently, they’ve already notified card issuers and law enforcement. 

A little bit about Magecart

Magecart is an umbrella term that refers to various threat groups who use the same modus operandi (MO). The term refers to the types of card-scraping tools used by cybercriminals which enables digital card skimming or scraping capabilities to perform card data theft on e-Commerce platforms. 

Yonathan Klijnsma, a threat researcher at RiskIQ, says: 

“Magecart is simply the term we have for an MO that is as follows: 'Webskimming for payment information”

They normally compromise websites either by exploiting vulnerabilities or exploiting 3rd party e-Commerce platforms. This is done to inject card-skimming scripts on checkout pages. Magecart typically preys on Magento, an eCommerce platform, but they also target other platforms like Opencart, BigCommerce, Prestashop. 

Some of their initial attacks included injection of JavaScript into e-Commerce pages that would send a copy of payment card data to the attackers. However, Magecart has worked on its attack capabilities and malicious infrastructure used to be more effective on victims. This is proven by researchers who found that more than 100, 000 different e-Commerce sites had been infected by Magecart code, and in some cases re-infected, by the end of 2018. 

According to RiskIQ, once Magecart has the stolen payment card data in hand, they channel it to underground credit card marketplaces to sell them. Interested buyers will then try to convert the payment card numbers into cash or buy/ship stolen goods, using money mules. 

**Money mules are people who are used to transport and launder stolen money or some kind of merchandise. 
Criminals may even recruit money mules to use stolen credit card information. Individuals being used as
money mules may be willing participants; however, many money mules are not aware that they are being used
to commit fraud. The individuals being used as money mules are not the only victims; the larger scheme is
designed to extract money from an organization or from other people.

That’s it for the blog today, y’all! I hope my non-technical reader found the additional notes I made for them useful. Feel free to drop comments and share this blog if you found it useful.

Stay safe and stay tuned. 

Until next time, friends!

Credits: Threatpost

Add comment