The malicious code was detected by a security researcher from RapidSpike who noted that the code was inserted into the fashion retailer's website sometime before October 23 and continues to skim payment card details from the checkout page as no action has been taken by Sixth June even after being informed about the threat.
The researcher also told Bleeping Computer that hackers used a fake Google Tag Manager snippet to hide the malicious activity and that the skimming code captured details like name of cardholders, card numbers, expiration dates, and CVV numbers- all details necessary to carry out an unauthorised online purchase.
Formjacking attack targeting Sixth June skimmed personal details of customers as well
His analysis also revealed that the skimming code captured additional details from the checkout page such as usernames and passwords, email addresses, address details, and phone numbers, thereby allowing a hacker to gain access to customer accounts and make certain modifications.
According to Sixth June's payment terms, customers residing in France, Belgium, Cyprus, Denmark, Estonia, Finland, Germany, Ireland, Lithuania, Luxembourg, Monaco, Netherlands, Norway, Portugal, Russia, Saint-Marin, Slovakia, Slovenia, Spain, Sweden, Switzerland, and United Kingdom can use credit cards to make purchases on its website and that cards issued by both Visa and Mastercard are accepted.
Sixth June isn't the only e-commerce website that has been targeted by hackers using card-skimming malware to obtain payment card information of customers. According to Sanguine Security Labs, an Amsterdam-based e-commerce fraud protection service, hackers used card-skimming malware to target as many as 962 e-commerce websites in July alone. All these websites used the Magento e-commerce shopping platform.
Recently, the UK's National Cyber Security Centre claimed that it had successfully taken down 1,102 cyber attacks that ran skimming codes to capture credit card transaction details from e-commerce websites that used Magento's services.
"Reports vary but an estimated 5,500 online stores get formjacked each month. That’s because formjacking is relatively easy to implement, hard to detect and provides a very lucrative revenue stream for the perpetrators," RapidSpike noted.
"The data that’s skimmed or stolen is then sold on the dark web. Figures vary but the data formjacked from the British Airways site has been reportedly sold for as much as $50 per record ($50 x 380,000 = $19,000,000)," the firm said.
Magecart targeting thousands of websites with formjacking attacks
"Magecart injects scripts designed to steal sensitive data that consumers enter into online payment forms on e-commerce websites directly or through compromised third-party suppliers used by these sites. Recently, Magecart operatives placed one of these digital skimmers on Ticketmaster websites through the compromise of a third-party functionality resulting in a high-profile breach of Ticketmaster customer data. Based on recent evidence, Magecart has now set their sights on British Airways, the largest airline in the UK," the firm revealed.
According to RiskIQ, hackers from Magecart used only 22 lines of script to modify a large number of scripts on the British Airways' website and then exploited the modifications to extract information from payment forms and transfer such information to their own server. The hackers also used an unique infrastructure to carry out the attack and purposely targeted scripts that would blend in with normal payment processing to avoid detection.
"This attack is a simple but highly targeted approach compared to what we’ve seen in the past with the Magecart skimmer which grabbed forms indiscriminately. This particular skimmer is very much attuned to how British Airway’s payment page is set up, which tells us that the attackers carefully considered how to target this site instead of blindly injecting the regular Magecart skimmer," the firm added.
According to the firm, Magecart has been active at least since 2015 and constantly targets major companies using tried-and-tested skimming tactics. Aside from British Airways, Newegg, and TicketMasterUK, the group successfully targeted Home Depot and Target as well to obtain payment card information of a large number of people.
Commenting on the running of skimming code on Sixth June's website by hackers, Jonathan Deveaux, head of enterprise data protection at comforte AG, said that the intrusion should put the fashion and retail sector on high alert and their security teams should be on full alert for Magecart skimming attacks.
"Companies can improve their webpage monitoring, file integrity checking, and blocking of untrusted external sources to defend against this type of sophisticated attack. Additionally, organisations can deploy data-centric security, which can anonymize sensitive data at its earliest point of entry into their enterprise, which is a major step to dramatically reduce risks associated with data breaches and sensitive data exfiltration," he added.