A card-skimming Magecart malware infection lingered on a British outdoor clothing retailer's website without detection for nearly eight months despite regular security scans.
London-based Páramo told customers last week that it had discovered a "small piece of computer code covertly installed within our website".
The warning continued: "This code copied card details entered, destined for PayPal and additionally sent them on to the attacker's server. The data transferred was name, address, card number and CVV code."
The Register confirmed with Páramo that 3,743 people's full card details – including all data points necessary to make online purchases elsewhere – had been stolen between July 2019 and March this year. In its message to customers the retailer said:
This is despite the fact that Páramo employ Security Metrics, an approved security scanning vendor, to conduct quarterly vulnerability scans on our websites for PCI DSS purposes. The coding remained undiscovered due to its sophisticated nature.
Security Metrics did not respond to The Register's questions.
Páramo's IT director, Jason Martin, told The Register the firm first learnt something was wrong when PayPal, its chosen payments processor, alerted them that 18 customers reported being victims of fraud after making purchases from Páramo. Upon examining the site for any clues, Martin's team discovered all was not as it should have been.
El Reg passed the malicious JS file to a security researcher who asked not to be named. They told us the file was part of the infamous Magecart card skimmer malware and had been observed in the wild since summer 2019, fitting the Páramo hack.
We also asked Cisco Talos to take a look at the malware sample for confirmation. A company spokesman agreed that it looked like Magecart and told us: "Criminals often seek unpatched web systems, or use compromised credentials, in order to take control of a system and subtly introduce malicious functionality that will execute in the browser. In this way, malware such as Magecart is able to capture personal data as web visitors enter it in their browser, exfiltrating it to the criminals without the stolen information necessarily touching the originally compromised system."
Supply chain attacks, where malicious persons target those third-party sources, have long been a thorn in the side of the ecommerce world.
While the Páramo hack is relatively small fry for a jaded cybersecurity industry that barely notices such compromises unless millions of people's data is stolen, many reading this will probably wipe their foreheads and mutter "there but for the grace of the gods".
A couple of years ago Magecart was the attack method that stole 380,000 peoples' card details from British Airways, while the malware continues to evolve as researchers desperately try to halt its spread. ®