I spy with my little eye a data breach.
Online retailer Vision Direct, which bills itself as being Europe's largest online contact lenses supplier, has been warning customers that it suffered a data breach from Nov. 3 until Nov. 8.
"The personal information compromised includes full name, address, telephone number, email address, password and payment card information," the company says in its data breach notification. "This includes your card number, expiry date and CVV. Unfortunately this information could be used to conduct fraudulent transactions."
Signs of Magecart at Work
Dutch security research Willem de Groot discovered the underlying attack campaign in September. He says it appears to be part of the e-commerce payment form hijacking attacks that are broadly known as Magecart, which have been ascribed to multiple cybercrime groups.
Vision Direct, in its notification, advises all potentially affected customers to change their Vision Direct password as well as to watch their credit card and bank statements for signs of fraud.
Vision Direct didn't immediately respond to a request for comment.
But a copy of the data breach notification that it has been emailing to potentially affected customers, shared by Australian data breach expert Troy Hunt, says that Vision Direct has expunged the attack code from its site and is "working with the authorities to investigate how this theft occurred."
Per the Payment Card Industry Data Security Standard specifications, storing any CVV data - in encrypted form or otherwise - is prohibited. Mikko Hypponen, chief research officer at Finnish cybersecurity firm F-Secure, said the likely modus operandi was attackers using software designed to surreptitiously copy and steal this data.
Troy Mursch of Bad Packets Report says that assessment appears to be true. Using an archived copy of the Vision Direct site, Mursch found a fake Google Analytics script - no doubt planted by attackers - that included the ability to harvest payment card data.
That's exactly what it was. The data was stolen via a fake Google Analytics script: https://g-analytics[.]com/libs/1.0.16/analytics.js - you can view a copy of the JS via the @urlscanio archive of https://t.co/TV22dxvCcK https://t.co/SFi5Wp4gm3 pic.twitter.com/rY13cMR2TL— Bad Packets Report (@bad_packets) November 18, 2018
Dutch information security consultant Willem de Groot tells Information Security Media Group that he discovered this attack campaign in early September, well before Vision Direct was hacked. He says the campaign appears to have been running since at least May.
This attack employs a domain called g-analytics.com. "The domain 'g-analytics.com' is not owned by Google, as opposed to its legitimate 'google-analytics.com' counterpart," de Groot says in his September blog post. The fraud is hosted on a dodgy Russian/Romanian/Dutch/Dubai network called HostSailor. The malware behaves pretty much like the real Google Analytics, and it wouldn't raise any dev [development] eyebrows while monitoring Chrome's waterfall chart."
The fake Google analytics website was registered on May 31, de Groot tells ISMG, meaning it's likely been used as part of attacks against other sites too. In the bigger picture, meanwhile, "similar domains are in use as exfiltration servers, such as g-statistic.com, google-anaiytic.com [and] msn-analytics.com," he says.
He's ascribed these attacks to Magecart, an umbrella term that he says refers to at least eight cybercrime groups that have collectively waged a prolific series of hack attacks against e-commerce sites that have resulted in thousands of compromised sites (see: Magecart Cybercrime Groups Harvest Payment Card Data).
"For the record, Magecart is an umbrella term for payment form jacking, although some media use it - incorrectly - to identify a specific source," he says. "Based on modus operandi, code patterns and such, there are at least eight distinct groups involved with form-jacking campaigns. And because the exploit toolkits are for sale on the dark web, yet more groups are expected to enter the space."
Attackers Potentially Exploited Unpatched Magento
At the time that Vision Direct was breached, de Groot says the company appears to have failed to install two critical patches for its Magento e-commerce software.
He adds that the Vision Direct breach didn't just affect its UK e-commerce site, but also its online stores that use country code top-level domains for Belgium, France, Ireland, Italy, the Netherlands and Spain (see: InfoWars: Magecart Infection Points to 'Industrial Sabotage').
It wasn't just UK. Also infected between Nov 3rd and Nov8th:https://t.co/fQy7WsKmfqhttps://t.co/8JUn9frF9vhttps://t.co/WBCPQOIv46https://t.co/DCyaQzuTkMhttps://t.co/pwfBvDWZDzhttps://t.co/q9of3VMPZ5https://t.co/LclCV3VvHYhttps://t.co/Ouge4ebR7vhttps://t.co/85sRXtC50m— Willem de Groot (@gwillem) November 18, 2018
Vision Direct's Security Promises
Despite being hit by hackers, Vision Direct could see itself in trouble with privacy regulators for having guaranteed that its site is safe (see: GDPR: Data Breach Class Action Lawsuits Come to Europe).
In a security FAQ on its website, the company states: "When you pay online, no one at Vision Direct can see your full card details - just the last four digits of the long number for verification purposes. The https:// at the beginning of the URL verifies that it is a safe transaction."
"It's probably worthwhile revisiting statements like this after someone has just siphoned off a heap of your customers' credit cards," Hunt says via Twitter.