[Security Weekly] Fashion retailer Claire’s online shopping platform attacked by Magecart skimmer

3rd Week of June 2020


1. Fashion retailer Claire’s online shopping website attacked by Magecart skimmer

Claire’s, a global fashion retailer selling accessories and jewelry targeting children and teenage girls, suffered a Magecart1 skimmer attack aimed at its online shopping platform.

According to researchers at cybersecurity firm Sansec, who discovered the incident, skimming activities began on March 20, right after Claire’s closed down all its 3,000 retail locations worldwide as a response to COVID-19. The threat actors were likely motivated by the expected increase of online sales due to the closure of its offline stores.

The injection of malware to the web application started on April 20, meaning it took one month for the hackers to gain access to the servers. It took another two months before Sansec’s discovery on June 13, after which the intrusion was finally cleared.

The attackers possibly leveraged a vulnerability in the web applications to inject malicious codes to the “submit” button at the checkout page. After a user clicks the button, the skimmer would make an image copy of all the information entered during checkout, encode it with Base64, and send it to the attacker. Image exfiltration is relatively rare, but it is more difficult to detect as not all security systems monitor image files.

Compromised information includes the users’ full names, billing addresses, and credit card credentials. Claire’s is currently in the process of informing all impacted customers.

Sources: ThreatpostSC Media

1 Magecart is a general term describing attacks that plant skimmers on web applications to steal financial information.


2. Australian beverage giant Lion discloses ransomware attack, operations impacted

A subsidiary of Japanese beverage conglomerate Kirin, Australian-based Lion is a producer of beer, wine, juice, and dairy beverages. With around 7,000 employees, it claims to generate a total economic contribution of $4.9 billion to the Australian and New Zealand economies.

On June 9, Lion publicly confirmed that its IT systems had been hit by a ransomware attack, making many of its computers and servers inaccessible. The company immediately shut down other key systems to prevent any further spread of the malware.

Lion was able to brew beer and produce beverages during the COVID-19 pandemic without any disruptions. However, this ransomware attack has severely impacted its operations. Due to the inaccessibility of its IT systems, the company expects temporary shortages on beers. In addition, customer service for its juice and dairy products is also paralyzed, meaning that purchase orders would have to be placed manually.

Lion stated on June 15 that it had made recovery progress, but full recovery was expected to take longer than expected. As of yet, there has been no evidence if any personal or financial information contained in the databases was compromised.

Source: ZDNet


3. South Africa’s Postbank to reissue 12 million cards after master encryption key stolen

Postbank, the banking division of the South African Post Office, disclosed a data breach that compromised more than 12 million payment card information, leading to more than $3.2 million worth of fraudulent purchases.

Investigations revealed that the bank’s master encryption key was physically printed by a suspected employee at one of its old data centers in December 2018.

The master encryption key is a 36-digit code that allows access to lower-level keys, which would then enable the owner to gain access to all of the bank’s encrypted data, including debit and credit card information.

Throughout 2019, the thief used the master key to gain access to the customers’ bank accounts and payment cards, making over 25,000 fraudulent purchases with a total worth of $3.2 million. Postbank now expects to spend $58 million to replace and reissue over 12 million payment cards generated under the master key.

Data breaches caused by a leak of encryption keys are very rare. Master encryption keys are treated as the most sensitive information and are kept in a separate network with some of the strongest security measures. Nonetheless, the master key should never be managed by a single person. Instead, it should be divided between multiple VIPs from different interest groups so that no single person would be able to access the data on their own.

Penta Security’s D’Amo is a comprehensive encryption framework that provides robust security and easy maintenance with quick encryption and decryption speed. Additionally, D’Amo PKI safely protects circulating data with accurate user authentication. Learn more at: D’Amo.

Source: Sunday Times


4. Fake LinkedIn job offers spread malware, target employees of aerospace firms

Security researchers at ESET have discovered a phishing campaign on LinkedIn that targeted high-ranking employees and executives of aerospace and defense companies.

Named “Operation In(ter)ception”, the phishing campaign span over a period of four months between September and December 2019. The threat actors impersonated human resources employees from Collins Aerospace and General Dynamics, both legitimate US aerospace and defense contractors.

Posing as recruiters, the attackers contacted high-ranking employees from major European and Middle Eastern aerospace firms with very attractive yet believable job offers. They would then send each victim a Microsoft OneDrive link containing a PDF document listing the details of the positions along with salary information.

Once downloaded, a hidden executable file would create scheduled tasks on the victim’s computer so that the payload would be automatically installed at a later time. The payload allowed attackers to connect their server to the infected computer and download malware and execute commands in it.

For victims that expressed interest in the job offer, the attackers followed up with sensitive questions asking for their corporate system’s configurations.

The goal and motive of the campaign are not very clear. Nonetheless, experts speculate that the attackers are likely state-backed actors attempting to obtain sensitive defense information.

Source: Infosecurity


Check out Penta Security’s product lines:

Web Application Firewall: WAPPLES

Web Application Firewall for Cloud: WAPPLES SA

Database Encryption: D’Amo

Authentication: ISign+ 

Smart Car Security: AutoCrypt