European online contact lens supplier Vision Direct has revealed a data breach which compromised full credit card details for a number of its customers, as well as personal information.
Compromised data includes full name, billing address, email address, password, telephone number and payment card information, including card number, expiry date and CVV. IT security experts commented below.
Based on the description Vision Direct provided on the types of exposed data, it seems likely that an attacker was able to inject JavaScript onto the main Vision Direct web site. For example, an attacker may have used subdomain takeover techniques like those pioneered by Detectify’s Frans Rosén if Vision Direct was not diligent about maintaining their DNS records. Alternatively, the attacker may have found a way to alter the site through misconfigured load balancers or found some persistent cross-site scripting vulnerability on the main page. Having their JavaScript running on the site would have allowed them to log keystrokes from initial login through entering payment card details but not have access to the full customer database. As an interesting side note to this, I would also point out that PayPal transactions were unaffected. This makes sense as well since the attacker’s JavaScript would only have access to tabs under Vision Direct. This is a huge advantage of these third-party payment services like PayPal, Amazon, and Google because they all redirect to their own secured domains.
In addition to getting new credit cards, anyone who logged into Vision Direct during this time needs to quickly assess whether this password is unique to Vision Direct. A common attacker technique is to reuse email/username and password combinations on other valuable services. Attackers may use this additional access to create a more comprehensive dossier on a victim which can then either be resold for more money or directly used for identity theft.
“Another large merchant’s website is targeted by hackers for customer payment information, using an attack technique that seems all too familiar in 2018. Capturing customer details as they input them onto the website is also how the British Airways and Ticketmaster hackers operated.
“Vision Direct may seem like an unlikely target. However, the retailer claims to be Europe’s biggest online seller of contact lenses and eye care products, suggesting that it was evidently in the crosshairs for the high volume of customers going through the site. The data they managed to take from Vision Direct is the jackpot for the criminals. Payment card numbers, expiry dates and CVV codes are the holy trinity of details needed to make purchases using customer cards. Obtaining the CVV code is especially bad, as this is usually the key in verifying that you are the real card holder.
“If you entered your details on the Vision Direct website between the affected time window (3rd-8th November) you should cancel your card right away. While it may still be sitting in your wallet, effectively your card has been stolen, and you need to take the same recourse you would if it had been pickpocketed.”
ISBuzz Team embodies the collaborative efforts of the dedicated staff at Information Security Buzz, converging a wide range of skills and viewpoints to present a unified, engaging voice in the information security realm. This entity isn't tied to a single individual; instead, it's a dynamic embodiment of a team diligently working behind the scenes to keep you updated and secure. When you read a post from ISBuzz Team, you're receiving the most relevant and actionable insights, curated and crafted by professionals tuned in to the pulse of the cybersecurity world. ISBuzz Team - your reliable compass in the fast-evolving landscape of information security
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional
Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.