In a breach notification letter, Canadian retailer Fitness Depot, the largest specialty exercise equipment retailer in Canada with 40 stores nationwide, notified its customers that their personal and financial information was stolen following a breach of its e-commerce platform. The incident appears to be a Magecart attack.
The attackers in this case redirected users to a fake checkout page that they fully controlled. This is a common technique in Magecart attacks: because customers enter their details on a page the attackers control, the attackers are able to completely bypass all security controls present on the legitimate website, such as Content Security Policy (CSP) or iframes.
Businesses need to ensure they adequately protect their web infrastructure and don’t rely on their ISP for this. Consumers shopping online need to be on the alert for errors during the checkout process, which could indicate a compromise.