Vision Direct, a UK-based contact lens retailer, has exposed at least 16,300+ customers’ personal data, including payment card numbers, expiration dates and CVV codes in a breach affecting its UK site and local versions in Ireland, the Netherlands, France, Spain, Italy and Belgium. In a statement, Vision Direct said that customers who entered their details into the sites between Nov. 3-8 could have been impacted.
A fake Google Analytics script placed within the websites’ code was the apparent cause.
Bryan Becker, Application Security Researcher, WhiteHat Security:
“Although we cannot confirm attribution, this attack has all the hallmarks of a ‘Magecart’ attack. Some of the key indicators include the fact that the attacker inserted fake code onto the page (in the form of a fake Google analytics script); the fake code scraped customer details at checkout and sent them offsite to a hacker-controlled domain; and the attacker made use of a fake, but legitimate-sounding domain to send data to, in order to reduce suspicion (https://g-analytics.com, posing as Google analytics). If you are curious, you can still see the ‘fake’ analytics script online https://g-analytics.com/libs/1.0.16/analytics.js.
The following tips can help protect your company from such an attack. First, the oldest advice still stands most important. Train your employees regularly on security awareness and put in strong safeguards within the company. If your employees can recognize phishing attempts, then the hacker can’t even get past step one. It’s also important to scan internal codebases and external-facing code. If you think of running dynamic application security testing (DAST) scans on your external-facing website as protecting your customers, then think of scanning internal tools as protecting your employees.
Also to note, part of Magecart’s attack was offloading the stolen data to a ‘fake’ website. The only way to catch this after the fact is to examine suspicious outgoing connections when browsing the website – which is as frustrating and error-prone as it sounds. Some IPS/IDS/secure web gateways are set to do this, some are not. Of course, the fool-proof (and probably simplest) way to protect against this is to configure strong Content Security Policy (CSP) Headers. This header controls exactly which domains are allowed to communicate with your website and what they are allowed to do. With proper configuration, this header can stop all XSS in its tracks, even if the code itself is vulnerable, by directing the browser to reject all JavaScript that isn’t delivered from the pre-configured servers. Even if your site was infected with the Magecart code, the browser would refuse to send the stolen data to the imposter website, thus completely mitigating the attack. I don’t want to promise that CSP is a silver bullet, but it’s at least a bronze bullet.
In the meantime, if you are worried about your site, https://www.magereport.com can quickly scan it and let you know if it appears vulnerable.”
