Emma Sleep Company confirmed that it was hit by a Magecart attack which allowed hackers to steal customer's credit card and debit card data from the company website. The customers were told about the attack via emails last week. The company mentioned "subject to a cyberattack leading to the theft of personal data" but didn't specify in the message the date of breach incident. The attack was sophisticated, targeting checkout process of the company website and stealing personal information, including credit card data, whether the customer made a purchase doesn't matter.
It is believed to be a Magecart attack, as suggested by the Adobe Magento e-commerce platform.
"Currently there is "no evidence" personal or payment data has been abused in the wild, the company said to customers in the email. Nevertheless, it advised them to contact their banks or credit card provider and "follow their advice," and check for unusual or suspicious activity," reports The Register.
The Magecart attack has affected customers across 12 countries, associated with a malicious code that was attached to checkout pages that skimmed card data from a user's browser.
The attack was targeted, and the hacker made copy-cat URLs according to the needs. According to the mattress company, it is positive that the digital platforms were upto date with the latest security fixes.
In a famous Magecart attack that happened in 2018 where it exposed 40 million British Airways customers' data (it was fined €20m for the act), it used shady skimming techniques to extract credit cards and debit cards credentials. The hackers get access to the site either via third-party apps or directly, and deploy malicious JavaScript which is responsible for stealing the information.
The company admits that the security measures had been implemented in an effective way, in accordance with the Javascript code implementation and dynamically loaded from the hacker's server and via highly advanced escape techniques to evade detection, and also plan out countermeasures to avoid analysis. Hence, the technology that kept track of scripts in the web pages couldn't identify it.
"In February this year, Adobe issued two out-of-bounds patches in a single week when critical security bugs affecting its Magento/Adobe Commerce product emerged, with the vendor warning the vulns were being actively exploited," reports the Register.