Though there is no evidence that shows the abuse of the stolen data in the wild, the company has advised customers to contact their credit card companies and banks and monitor their accounts for suspicious activity following visits to Emma’s checkout page.
Details of the Magecart Attack
Speaking to The Register, an Emma spokesperson stated that the company suffered a “sophisticated, targeted” cyberattack. However, the spokesperson did not confirm when it discovered the attack. The attack affected Emma customers in 12 countries. The hackers apparently added a malicious piece of code to checkout pages that enabled them to steal credit and debit card information from within the victim’s browser. In the email to its customers, Emma said: “This was a sophisticated, targeted cyber-attack on the checkout process on our website and personal information entered, including credit card data, may have been stolen, whether you completed your purchase or not.”
Attackers Circumvented Emma’s Security Measures
The company added that despite its website being up-to-date with the relevant security fixes, the hackers managed to get around its security measures. It said its security measures were “circumvented in a technically advanced way by how the Javascript code was implemented and loaded dynamically from the attacker’s server and through highly sophisticated evasion techniques to avoid detection, as well as elaborate countermeasures to (unsuccessfully) prevent analysis, which is why the technology we had in place to keep track of scripts added to the page did not detect it.” Consequently, the company has deployed additional capabilities to detect these kinds of attacks. It is also “in the process of implementing new CORS and CSP headers.”
Statements from Emma CEO
According to Emma CEO Dennis Schmoltzi, the attack took place sometime between January 27 and March 22 this year. Schmoltzi also provided more information on the types of data stolen and Emma’s response to the attack. “Personal customer information, including credit card data, was stolen. While we never process or store credit card data ourselves, the type of attack was redirecting information as it was typed into form fields in the browser of the user. As of today, we are not aware of any successful abuse of this data,” Schmoltzi said. “As soon as we became aware of this attack, we took immediate action to remove the threat and ensure the security of data, launched a full investigation, and reported this to the relevant authorities, including the police. We also directly contacted all those customers who may have been affected,” he added. As cyberattacks continue to plague e-commerce and other businesses worldwide, we recommend checking out our article on how countries around the world are dealing with online fraud.