The French apparel site Sixth June has suffered a digital skimming attack on its website.
Rapid Spike security researcher “Jenkins” took to Twitter, stating that the brand had a live payment skimmer on its website, stealing customer credit card details.
Sixth June has become a popular fashion site in Europe, with over 394,000 followers on Instagram, and in September it was reported that the site had roughly 70,000 monthly visitors.
Jenkins discovered that the hackers had added malicious code to Sixth June sometime before October 23. Thus it can be assumed that anyone who purchased items from Sixth June since that date has had their card data stolen.
The threat actors behind the skimming attack made an effort to ensure that the card theft would go undetected by registering a domain that can easily be mistaken for the official one from Magento.
The hackers use a fake Google Tag Manager snippet to hide the malicious component. Variations of this fake snippet were identified on all the compromised sites; however, Jenkins found that the hosts were different.
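The detection angle that follows from this is to treat any Google Tag Manager-style loader, or any script tag, that fetches from a host other than the expected one as suspect. The script below is an added illustration of that check (it is not code from the article, Rapid Spike or Sanguine Security): it parses the `<script>` elements of a page, flags inline snippets that carry the GTM loader's boilerplate but build their URL from a non-Google host, and flags external script hosts that are outside the site's allowlist, calling out those that borrow a brand name such as "google" or "magento" as lookalikes. The sample HTML, the allowlist entries and every host name in it are constructed placeholders.

```python
"""Flag script tags that imitate the Google Tag Manager loader or load from
unexpected hosts. Added example; the sample page, the allowlist and all host
names below are constructed placeholders, not indicators from the article."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the genuine GTM loader fetches gtm.js from (assumption: nothing else is expected).
GENUINE_GTM_HOSTS = {"www.googletagmanager.com", "googletagmanager.com"}
# Third-party hosts this (constructed) shop legitimately loads scripts from.
ALLOWED_SCRIPT_HOSTS = GENUINE_GTM_HOSTS | {"static.shop.example"}
# Brand words a lookalike domain borrows to appear legitimate.
BRAND_WORDS = ("google", "magento")
# Strings present in the genuine GTM loader; a fake keeps them and swaps the URL.
GTM_MARKERS = ("gtm.start", "gtm.js", "dataLayer")
URL_RE = re.compile(r"""['"]https?://([A-Za-z0-9.-]+)[^'"]*['"]""")


class ScriptCollector(HTMLParser):
    """Collect (src attribute, inline body) pairs for every <script> element."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._src = None
        self._in_script = False
        self._body = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self._src = dict(attrs).get("src")
            self._body = []

    def handle_data(self, data):
        if self._in_script:
            self._body.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self.scripts.append((self._src, "".join(self._body)))
            self._in_script = False


def classify_host(host):
    """Return a finding label for an external script host, or None if expected."""
    host = host.lower()
    if host in ALLOWED_SCRIPT_HOSTS:
        return None
    if any(word in host for word in BRAND_WORDS):
        return "lookalike-host"  # trades on a trusted brand name but is not the genuine domain
    return "unexpected-host"


def audit_scripts(html):
    """Return [(host, finding), ...] for scripts on the page that need investigation."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src, body in parser.scripts:
        if src:
            host = urlparse(src).hostname or ""  # relative src means first party: skip
            label = classify_host(host) if host else None
            if label:
                findings.append((host, label))
        if all(marker in body for marker in GTM_MARKERS):
            # Inline GTM-style loader: every URL it builds must point at the genuine host.
            for host in URL_RE.findall(body):
                if host.lower() not in GENUINE_GTM_HOSTS:
                    findings.append((host, "fake-gtm-snippet"))
    return findings


# Constructed sample page: one genuine GTM loader, one fake loader pointing at a
# lookalike host, one allowed first-party script and one Magento-lookalike script.
SAMPLE_HTML = """
<html><head>
<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});
var f=d.getElementsByTagName(s)[0],j=d.createElement(s);j.async=true;
j.src='https://www.googletagmanager.com/gtm.js?id='+i;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-PLACEHOLDER');</script>
<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});
var f=d.getElementsByTagName(s)[0],j=d.createElement(s);j.async=true;
j.src='https://www.googletagmanager-cdn.example/gtm.js?id='+i;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-PLACEHOLDER');</script>
<script src="https://static.shop.example/checkout.js"></script>
<script src="https://magento-cdn.example/js/payment.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for host, finding in audit_scripts(SAMPLE_HTML):
        print(f"{finding}: {host}")
```

Run against a saved copy of the checkout page (or a nightly crawl of it) and diff the findings over time: a new host appearing in a GTM-style loader is exactly the change the article describes. The allowlist is deliberately strict; any host not on it is reported so that a quietly added third-party script cannot hide behind familiar-looking boilerplate.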
The Magecart script collects all the card details needed for fraud, including the name of the card owner, the name printed on the card, the card number, the expiration date and the CVV security number.
Additionally, Jenkins’ analysis said that the script also collects the email address, the username, password, address details and phone numbers. This would then allow the hackers to log into a victim’s account and reroute an order.
The particular attack is reminiscent of an alert raised by Willem de Groot, another security researcher from Sanguine Security who stated that Procter & Gamble’s First Aid Beauty brand had been infected with a payment skimmer since the beginning of May.
Yossi Naar, co-founder of Cybereason commented:
“In an attempt to at least level the playing field, companies need to immediately pay more attention to post-breach detection and mitigation and assume they will be breached and start protecting their data accordingly.
“A few simple steps include encrypting all data that is deemed sensitive, limiting employee access to networks and reducing large collections of data in widely accessible systems.”