Vision Direct, a UK-based contact lens retailer, has exposed the personal data of at least 16,300 customers, including payment card numbers, expiration dates and CVV codes, in a breach affecting its UK site and its local sites in Ireland, the Netherlands, France, Spain, Italy and Belgium. In a statement, Vision Direct said that customers who entered their details into the sites between Nov. 3-8 could have been affected.
A fake Google Analytics script placed within the websites’ code was the apparent cause.
Bryan Becker, Application Security Researcher, WhiteHat Security:
“Although we cannot confirm attribution, this attack has all the hallmarks of a ‘Magecart’ attack. Some of the key indicators include the fact that the attacker inserted fake code onto the page (in the form of a fake Google Analytics script); the fake code scraped customer details at checkout and sent them offsite to a hacker-controlled domain; and the attacker made use of a fake, but legitimate-sounding domain to send data to, in order to reduce suspicion (https://g-analytics.com, posing as Google Analytics). If you are curious, you can still see the ‘fake’ analytics script online at https://g-analytics.com/libs/1.0.16/analytics.js.
The following tips can help protect your company from such an attack. First, the oldest advice is still the most important. Train your employees regularly on security awareness and put in strong safeguards within the company. If your employees can recognize phishing attempts, then the hacker can’t even get past step one. It’s also important to scan internal codebases and external-facing code. If you think of running dynamic application security testing (DAST) scans on your external-facing website as protecting your customers, then think of scanning internal tools as protecting your employees.
In the meantime, if you are worried about your site, https://www.magereport.com can quickly scan it and let you know if it appears vulnerable.”
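As an added example (not code from the article, from WhiteHat Security or from Vision Direct), the following Python audit checks the script sources on a checkout page against an allowlist and flags hosts that reuse a distinctive part of an approved host's name, which is how the g-analytics.com script described above would surface. The allowlist and the first-party host shop.example are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist of hosts the shop expects to load script from; the
# first-party host is a placeholder, not Vision Direct's real configuration.
APPROVED_HOSTS = {"shop.example", "www.google-analytics.com", "www.googletagmanager.com"}
GENERIC_TOKENS = {"www", "com", "co", "uk", "net", "org", "js", "cdn"}

class ScriptSrcCollector(HTMLParser):
    """Collects every URL referenced by a <script src=...> tag."""
    def __init__(self):
        super().__init__()
        self.srcs = []
    def handle_starttag(self, tag, attrs):
        if tag == "script" and dict(attrs).get("src"):
            self.srcs.append(dict(attrs)["src"])

def host_tokens(host):
    """'www.google-analytics.com' -> {'google', 'analytics'} (generic labels dropped)."""
    return {p for p in host.lower().replace("-", ".").split(".") if p and p not in GENERIC_TOKENS}

def classify_host(host):
    """approved / lookalike (shares a distinctive token with an approved host) / unknown."""
    if host in APPROVED_HOSTS:
        return "approved"
    for approved in APPROVED_HOSTS:
        # g-analytics.com reuses 'analytics' from www.google-analytics.com
        if any(len(t) >= 5 for t in host_tokens(host) & host_tokens(approved)):
            return "lookalike"
    return "unknown"

def audit_scripts(html, page_host):
    """Return [(src, host, verdict)] for every external script on the page."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    verdicts = []
    for src in collector.srcs:
        host = urlparse(src).hostname or page_host  # relative src = first party
        verdicts.append((src, host, classify_host(host)))
    return verdicts

# Constructed checkout page: a first-party script, the genuine GA loader and
# the injected lookalike script named in the article.
SAMPLE_HTML = """<script src="/static/checkout.js"></script>
<script async src="https://www.google-analytics.com/analytics.js"></script>
<script src="https://g-analytics.com/libs/1.0.16/analytics.js"></script>"""

if __name__ == "__main__":
    for src, host, verdict in audit_scripts(SAMPLE_HTML, "shop.example"):
        print(f"{verdict:9} {host:26} {src}")
```

Run against a periodic fetch of the live checkout page, the "lookalike" and "unknown" verdicts are the lines worth alerting on.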