author photo
By Clare O’Gara
Tue | Jun 16, 2020 | 6:15 AM PDT

As someone who was once a 12-year-old girl begging to get her ears pierced at Claire's, this story is close to my heart.

But it's also a story about cyber threats to come, particularly concerning the eCommerce industry.

Magecart attack hits Claire's online store

COVID-19 forced virtually every brick-and-mortar retailer to close temporarily; Claire's was one of those stores.

Closing a physical store already places an economic strain on retailers. But Claire's had another challenge coming its way: malware.

According to Netherlands based security company Sansec, one day after Claire's closed its 3,000 worldwide stores, hackers registered a malicious site to facilitate a Magecart cyber attack.

"The next day, the domain was registered by an anonymous party... for the next 4 weeks, Sansec did not observe suspicious activity. But in the last week of April, malicious code was added to the online stores of Claire's and its sister brand Icing. The injected code would intercept any customer information that was entered during checkout, and send it to the server. The malware was present until June 13th."

Magecart, which can be used in the act of online skimming, allows hackers to steal credit card details.

How did the Claire's Magecart attack operate?

For Claire's, Magecart meant that a customer's transaction details could be skimmed and stolen at checkout. And this was likely viewed as an opportunity by hackers, anticipating a surge in online traffic because malls and retail stores were closed by COVID-19.

Researchers say the code was placed directly on store servers and the skimmer was attached to the submit button of the checkout form. Click that button and the malware grabs an image of the transaction and sends it to the hacker's server.

Why would hackers request an image instead of a data file?

"We suspect that attackers have deliberately chosen an image file for exfiltration, because image requests are not always monitored by security systems."

What was the root cause of the Magecart malware attack?

The root cause remains under investigation, but researchers have some possibilities in mind:

"The affected stores are hosted on the Salesforce Commerce Cloud, previously known as Demandware. This is a hosted eCommerce platform that serves some of the biggest stores globally. While the actual root cause is yet unknown, it is unlikely that the Salesforce platform got breached or that Salesforce is responsible for this incident.

Possible causes are leaked admin credentials, spearphishing of staff members and/or a compromised internal network."

How did Claire's respond to the eCommerce cyberattack?

"Our investigation identified the unauthorized insertion of code to our e-commerce platform designed to obtain payment card data entered by customers during the checkout process. We removed that code and have taken additional measures to reinforce the security of our platform. We are working diligently to determine the transactions that were involved so that we can notify those individuals."