Claire’s is a popular jewelry chain for young girls and teens with almost 3,500 locations worldwide—and the latest victim of a cyber crime enabled by COVID-19. As shelter in place orders and lockdown procedures began in order to prevent the spread of Coronavirus, large brick and mortar stores temporarily shuttered their doors and replaced them with online-only eCommerce models. Cyber criminals preemptively planned to benefit from the uptick of online purchasing through retail giant Claire’s eCommerce store.
On March 21, the day after Claire’s closed its physical locations, the domain name “claires-assets.com” was registered anonymously. After that, it took four weeks for malicious actors to break into Claire’s online infrastructure. Between April 25 and 30, code was added to Claire’s online store, as well as its sister store, Icing. The code changed a legitimate file on the eCommerce platform, enabling the exfiltration of data images.
As customers entered their payment information into the Salesforce supported shopping cart, the malicious code essentially took a picture of the information, sent it to the claires-assets.com server, then deleted the image. Real-time threat detection methods and strategies often exclude image file exfiltration, leaving them vulnerable to these types of attacks, known as Magecart attacks. Magecart attackers then take the scraped data and sell it on the Dark Web.
It is important to note that Salesforce itself was not compromised and did not lead to the breach, but rather the infrastructure built on top of the Salesforce Commerce Cloud platform.
While the entrance of the breach is still being investigated, it is likely that attackers brute forced their way in, stole Claire’s Salesforce credentials through spear phishing, or got in through internal network weaknesses. Magecart’s activity dates back to 2016 and includes big-name victims such as British Airways, Ticketmaster, Newegg, and Forbes.
Cyber security firm Sansec monitors eCommerce stores for security incidents and notified Claire’s of the attack on June 13. The organization has since removed the altered code. Claire’s statement on the incident was released the following Monday and reads:
"On Friday, we identified an issue related to our e-commerce platform and took immediate action to investigate and address it. Our investigation identified the unauthorized insertion of code to our e-commerce platform designed to obtain payment card data entered by customers during the checkout process. We removed that code and have taken additional measures to reinforce the security of our platform. We are working diligently to determine the transactions that were involved so that we can notify those individuals. Cards used in our retail stores were not affected by this issue. We have also notified the payment card networks and law enforcement. It is always advisable for cardholders to monitor their account statements for unauthorized charges. The payment card network rules generally provide that cardholders are not responsible for unauthorized charges that are timely reported. We regret that this occurred and apologize to our customers for any inconvenience caused.”
See Related: A Practical Approach To Zero Trust
Magecart and other eTailer attacks are on the rise, as the pandemic has shifted commerce online. In an interview with TechRepublic’s Scott Matteson, Peter Blum, vice president of technology at app delivery provider Instart, offers additional advice. “The best defense against Magecart attacks is preventing access. Online companies need a solution that intercepts all of the API calls your website makes to the browser and blocks access to sensitive data you have not previously authorized. This prevents any malicious script, or any non-critical third-party script, from gaining access to information your customers enter on your website. This same system should also have a monitoring component to alert companies when a third-party attempts to access sensitive information.”