On March 20th, the Claire's accessories retail chain beloved by young girls around the world made the sensible decision to close all of its physical stores in response to the Coronavirus Covid-19 pandemic.
Anyone wanting to purchase costume jewellery, make-up, or hair accessories would have to skip the trip to the shopping mall and visit Claire's online store instead.
A nuisance, for sure. But also an opportunity if you were a malicious hacker.
As security researcher Willem de Groot of Sansec reports, within 24 hours of Claire's bricks-and-mortar stores closing for business, someone had registered the domain claires-assets.com.
This domain was then used, the following month, to exfiltrate information entered on the checkout pages of Claire's online store and its sister brand Icing.
Attacks like this are, unfortunately, not uncommon. Most notoriously, malicious code known as Magecart has been used to steal sensitive information from unsuspecting internet users.
What’s so dangerous about a Magecart attack is that it doesn’t matter if a company does not store all of your credit card payment details (such as your CVV security code). Nor does a Magecart attack have to break into a company’s database or crack sophisticated encryption to extract sensitive information.
Instead, Magecart’s malicious script can lurk on a company’s website watching the information as it is entered by customers into a payment form, and send it to the waiting hackers.
Companies whose customers have been impacted by past Magecart attacks include Ticketmaster, British Airways, Feedify, Umbro, Vision Direct, Newegg, Sweaty Betty, SHEIN, Nutribullet, the American Cancer Society… and many, many more.
Often these attacks are orchestrated through "supply-chain" attacks, where the hackers poison a third-party script used by a website and therefore don't need to breach the website's own defences to steal from customers as they shop.
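The two risks described above, a script that is not supposed to be on the checkout page at all and a legitimate third-party script that could be poisoned upstream, can both be checked for from the merchant's side. The following audit is an added example written for this article, not code from Sansec, Claire's or any Magecart research; it parses a checkout page's HTML, flags any script whose origin is not on the store's allowlist, and flags third-party scripts that carry no Subresource Integrity hash. The allowlist, the `*.test` hostnames and the sample page are constructed for the example; the only real name in it is the claires-assets.com domain from the article.

```python
"""Added example, not from the original article: a defender-side audit of the
<script> tags on a checkout page.

It flags two things the article describes:
  * scripts loaded from an origin that is not on the store's allowlist
    (the Claire's skimmer was served from claires-assets.com);
  * third-party scripts with no Subresource Integrity hash, so a poisoned
    copy served by the third party would be accepted silently (supply chain).

The allowlist, the *.test hostnames and the sample HTML are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allowlist: origins this hypothetical store expects to serve scripts.
ALLOWED_ORIGINS = {
    "https://www.example-store.test",   # first-party (placeholder host)
    "https://cdn.example-store.test",   # first-party CDN (placeholder host)
    "https://js.example-psp.test",      # payment provider (placeholder host)
}


class ScriptCollector(HTMLParser):
    """Collects the src and integrity attributes of every external <script> tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        attrs = dict(attrs)
        src = attrs.get("src")
        if src:  # inline scripts have no src and are out of scope for this check
            self.scripts.append({"src": src, "integrity": attrs.get("integrity")})


def origin_of(url, page_origin):
    """Return scheme://host for a script URL; relative and protocol-relative
    URLs resolve against the page origin."""
    parts = urlsplit(url)
    if not parts.netloc:
        return page_origin
    scheme = parts.scheme or urlsplit(page_origin).scheme
    return f"{scheme}://{parts.netloc.lower()}"


def audit_scripts(html, page_origin, allowed=ALLOWED_ORIGINS):
    """Return a list of findings, each a (severity, reason, src) tuple."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for s in collector.scripts:
        origin = origin_of(s["src"], page_origin)
        if origin not in allowed:
            findings.append(("high", "script origin not on allowlist", s["src"]))
        elif origin != page_origin and not s["integrity"]:
            findings.append(("medium", "third-party script without integrity attribute", s["src"]))
    return findings


# Constructed checkout page: one first-party script, one PSP script with SRI,
# one PSP script without SRI, and one script from the domain named in the article.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="/static/checkout.js"></script>
<script src="https://js.example-psp.test/v1/card.js"
        integrity="sha384-PLACEHOLDERHASH" crossorigin="anonymous"></script>
<script src="https://js.example-psp.test/v1/fraud.js"></script>
<script src="https://claires-assets.com/assets/vendor.js"></script>
</head><body><form id="checkout"></form></body></html>
"""

if __name__ == "__main__":
    for sev, reason, src in audit_scripts(SAMPLE_CHECKOUT_HTML, "https://www.example-store.test"):
        print(f"[{sev}] {reason}: {src}")
```

Run against the sample page this reports the claires-assets.com script as a high finding and the PSP script without an `integrity` attribute as a medium one. In practice the same check is run on a schedule against the live checkout page (or its rendered DOM), which is what catches the reinfections the article goes on to mention; a `Content-Security-Policy` with a `script-src` allowlist enforces the same rule in the browser.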
However, in the case of Claire's it appears that the hackers did actually gain access to the online store's infrastructure.
This raises some interesting questions.
Firstly, how did the hackers gain access to the website in order to plant their malicious code? Did they exploit a vulnerability on the website, was a member of staff phished, or was this part of a wider exploitation of Claire's infrastructure?
The next obvious follow-up question is what has Claire's done to ensure that a similar breach doesn't happen again?
In a statement the firm says that upon being notified by Sansec of the security breach, it removed the offending code.
"On Friday, we identified an issue related to our e-commerce platform and took immediate action to investigate and address it. Our investigation identified the unauthorized insertion of code to our e-commerce platform designed to obtain payment card data entered by customers during the checkout process. We removed that code and have taken additional measures to reinforce the security of our platform. We are working diligently to determine the transactions that were involved so that we can notify those individuals."
It's good to see action has been taken, and that customers will be notified, but what should not be ignored is that some online stores have been haunted by repeat infections. Research produced by Willem de Groot, for instance, has warned in the past that 20% of Magecart-compromised merchants find their internet stores reinfected within days.
And finally, what is to be made of the four weeks or so between the registration of the domain claires-assets.com and the launch of the hackers' web-skimming attack against customers of Claire's?
All the evidence points to a determined effort by the hackers to find a weakness at Claire's that could be exploited to plant the code. It seems to me that criminals knew that with the closure of its shopping mall stores, there would be an increase in online purchases… and were hellbent on taking advantage of the retail lockdown to fill their pockets.
Some retailers in some countries are beginning to take tentative steps out of lockdown, opening their doors again to shoppers. They would be wise to continue to watch their websites carefully for web-skimming attacks like the one which hit Claire's.