European online contact lens supplier Vision Direct has revealed a data breach which compromised full credit card details for a number of its customers, as well as personal information.
Compromised data includes full name, billing address, email address, password, telephone number and payment card information, including card number, expiry date and CVV. IT security experts commented below.
Craig Young, Security Researcher at Tripwire:
Based on the description Vision Direct provided on the types of exposed data, it seems likely that an attacker was able to inject JavaScript onto the main Vision Direct web site. For example, an attacker may have used subdomain takeover techniques like those pioneered by Detectify’s Frans Rosén if Vision Direct was not diligent about maintaining their DNS records. Alternatively, the attacker may have found a way to alter the site through misconfigured load balancers or found some persistent cross-site scripting vulnerability on the main page. Having their JavaScript running on the site would have allowed them to log keystrokes from initial login through entering payment card details but not have access to the full customer database. As an interesting side note to this, I would also point out that PayPal transactions were unaffected. This makes sense as well since the attacker’s JavaScript would only have access to tabs under Vision Direct. This is a huge advantage of these third-party payment services like PayPal, Amazon, and Google because they all redirect to their own secured domains.
In addition to getting new credit cards, anyone who logged into Vision Direct during this time needs to quickly assess whether this password is unique to Vision Direct. A common attacker technique is to reuse email/username and password combinations on other valuable services. Attackers may use this additional access to create a more comprehensive dossier on a victim which can then either be resold for more money or directly used for identity theft.
Brooks Wallace, Head of EMEA at Trusted Knight:
“Another large merchant’s website is targeted by hackers for customer payment information, using an attack technique that seems all too familiar in 2018. Capturing customer details as they input them onto the website is also how the British Airways and Ticketmaster hackers operated.
“Vision Direct may seem like an unlikely target. However, the retailer claims to be Europe’s biggest online seller of contact lenses and eye care products, suggesting that it was evidently in the crosshairs for the high volume of customers going through the site. The data they managed to take from Vision Direct is the jackpot for the criminals. Payment card numbers, expiry dates and CVV codes are the holy trinity of details needed to make purchases using customer cards. Obtaining the CVV code is especially bad, as this is usually the key in verifying that you are the real card holder.
“If you entered your details on the Vision Direct website between the affected time window (3rd-8th November) you should cancel your card right away. While it may still be sitting in your wallet, effectively your card has been stolen, and you need to take the same recourse you would if it had been pickpocketed.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.