Emma Sleep Company admits checkout cyber attack

Customers wake to a nightmare as payment data pilfered from UK website


Emma Sleep Company has confirmed to The Reg that it suffered a Magecart attack which enabled ne'er-do-wells to skim customers' credit or debit card data from its website.

Customers were informed of the breach by the mattress maker via email in the past week, with the business saying it was "subject to a cyber attack leading to the theft of personal data" but not specifying in the message when it discovered the digital burglary.

"This was a sophisticated, targeted cyber-attack on the checkout process on our website and personal information entered, including credit card data, may have been stolen, whether you completed your purchase or not," the email to customers states.

The company confirmed to us that it was a Magecart attack on its online store, which runs on the ubiquitous Adobe Magento e-commerce platform.

"This Magecart attack, which affected customers in 12 countries, involved a malicious piece of code that was added to checkout pages which would skim card data from within a user's browser. The attack was highly targeted, and the attacker created copy-cat URLs tailored to our environment."

A spokesperson said they could confirm that the "platform was kept up to date with all relevant security fixes."

In a classic Magecart attack, such as the one that exposed the data of more than 400,000 British Airways customers in 2018 (and for which the airline was fined £20m/$26m by the ICO), dodgy folk use skimming techniques to pilfer punters' credit or debit card data.

Operatives get access to a site, either directly or via a third-party service whose scripts the site loads, and inject malicious JavaScript into the checkout page. That code captures card numbers and other fields as the shopper types them and sends them to a server the attackers control.

Emma Sleep Company confirmed that its security measures had been "circumvented in a technically advanced way by how the JavaScript code was implemented and loaded dynamically from the attacker's server and through highly sophisticated evasion techniques to avoid detection, as well as elaborate countermeasures to (unsuccessfully) prevent analysis, which is why the technology we had in place to keep track of scripts added to the page did not detect it."

It added: "Additional capabilities to detect such attacks have now been deployed. We are also in the process of implementing new CORS and CSP headers."

In February this year, Adobe issued two out-of-band patches in a single week when critical security bugs affecting its Magento/Adobe Commerce product emerged, with the vendor warning the vulns were being actively exploited.

Emma Sleep Company's CEO, Dennis Schmoltzi, confirmed in a statement to The Register that the cyber-attack "on the checkout process on our website" had occurred "between 27 January 2022 and 22 March 2022."

Schmoltzi added: "Personal customer information, including credit card data, was stolen. While we never process or store credit card data ourselves, the type of attack was redirecting information as it was typed into form fields in the browser of the user. As of today, we are not aware of any successful abuse of this data."

"As soon as we became aware of this attack, we took immediate action to remove the threat and ensure the security of data, launched a full investigation, and reported this to the relevant authorities, including the police. We also directly contacted all those customers who may have been affected."

CTO Andreas Westendörpf was interviewed talking about scaling up the company's Magento e-commerce solution in January. He told retail digitalization trade mag Location Insider (translated from German): "Magento has been continuously adapted and expanded over the years. In addition, more and more solutions were added that go in the direction of ERP and supply chain."

Currently there is "no evidence" personal or payment data has been abused in the wild, the company said to customers in the email. Nevertheless, it advised them to contact their banks or credit card provider and "follow their advice," and check for unusual or suspicious activity from the date of visiting the checkout page on Emma's website.

One customer that shared the email on the condition of anonymity said: "Apparently getting a good night's sleep means you now might not get a good night's sleep."

This isn't the finest moment for a rapidly expanding business that turned over $731m in 2021, up 59 per cent year-on-year – its eighth fiscal year since being founded. It designs and makes "all-foam bed-in-a-box mattresses," a commodity that was seemingly in demand as people looked to make their homes more comfortable while under extended COVID lockdowns.

The German company operates in 18 countries including the US and China, and says it has won 75 awards for its sleep products.

Emma Sleep Company noted that it could not answer all of our questions while police investigations continue.

A spokesperson at the ICO - Britain's data watchdog - said: "People have the right to expect that organisations will handle their personal information securely and responsibly.

"Emma, the sleep company has made us aware of an incident and we are assessing the information provided." ®


Biting the hand that feeds IT © 1998–2022