{
	"id": "78c5a541-e15a-45e3-90bb-5803f8fcc2c0",
	"created_at": "2026-04-06T00:17:45.56653Z",
	"updated_at": "2026-04-10T03:24:11.722704Z",
	"deleted_at": null,
	"sha1_hash": "04ac3ed97520232a52d5a19e1f7bba0471ef46ab",
	"title": "VisionDirect Data Breach Caused by MageCart Attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 776624,
	"plain_text": "VisionDirect Data Breach Caused by MageCart Attack\r\nBy Lawrence Abrams\r\nPublished: 2018-11-19 · Archived: 2026-04-02 11:39:08 UTC\r\nVisionDirect, a popular contact lens online merchant in Europe, has posted an advisory stating that their web site had a data\r\nbreach that led to the theft of credit card and account information.\r\nAccording to the notification, account and payment information entered on the site between November 3rd and November\r\n8th could have been captured and sent to attackers. This data includes all account information such as billing addresses,\r\nphone numbers, and credit card information. \r\n\"The personal information was compromised when it was being entered into the site and includes full name, billing address,\r\nemail address, password, telephone number and payment card information, including card number, expiry date and CVV,\"\r\nstated the advisory.\r\nVisionDirect stated that Paypal payment credentials would not have been stolen.\r\nThis attack only affected visitors who logged into their accounts and entered or updated their account information during the\r\naffected period. Users who simply visited the site or used store billing information would not have been affected.\r\nVisionDirect said they will be contacting all affected customers in the next few days.\r\nCompromise was caused by MageCart script\r\nThis data breach was caused by a MageCart attack, which is when attackers add malicious JavaScript to a site that captures\r\npayment and account information when it is entered into a form or submitted. 
\r\nIn this particular attack, a script was added to various VisionDirect domains that pretended to be Google Analytics.\r\nWhile the script looks very similar to the normal Google Analytics code, the domain g-analytics[.]com is not actually owned\r\nby Google. Instead this domain is owned by the attackers who use it to store the stolen credit card and account information.\r\nMalicious script on VisionDirect pretending to be Google Analytics\r\nSecurity researcher Willem de Groot told BleepingComputer that he had discovered this domain being used in MageCart\r\nattacks in early September.\r\n\"In this case, the breach is related to several payment exfiltration domain that we saw earlier, such as g-statistic .com,\r\ngoogle-anaiytic .com, msn-analytics .com\"\r\nDe Groot further stated that even though the advisory only mentions visiondirect.co.uk, domains for other countries were\r\nalso affected.\r\nWhile the script is heavily obfuscated, one portion containing a list of strings used by the script was easily decoded. In the\r\nbelow script you can see various strings that are being monitored such as payment, checkout, admin, login, password,\r\naccount, and cart submissions.\r\nDecoded Strings\r\nRecently we reported on the Infowars.com online store also being compromised with a MageCart attack. In that attack, the\r\nmalicious script was also masquerading as Google Analytics but used the domain google-analyitics[.]org instead. While the\r\nattack method is similar, the script itself is quite different.\r\nWhen BleepingComputer asked De Groot if there was any connection between these attackers and the one who targeted\r\nInfoWars, he said there was no way to conclude that they were the same group.\r\n\"Could be, but I have not found other commonalities so far,\" De Groot told BleepingComputer. \"They certainly use different\r\ntype of malware. 
Sorry, I see it would be nice if you could link them up. But cannot say for sure.\"\r\nAlex Jones, the owner of Infowars, felt that his attackers were Communist China, \"Big Tech\", and the U.S. Democratic\r\nparty.\r\nBleepingComputer has contacted VisionDirect regarding this breach, but had not heard back at the time of this publication.\r\nSource: https://www.bleepingcomputer.com/news/security/visiondirect-data-breach-caused-by-magecart-attack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/visiondirect-data-breach-caused-by-magecart-attack/"
	],
	"report_names": [
		"visiondirect-data-breach-caused-by-magecart-attack"
	],
	"threat_actors": [
		{
			"id": "5a0483f5-09b3-4673-bb5a-56d41eaf91ed",
			"created_at": "2023-01-06T13:46:38.814104Z",
			"updated_at": "2026-04-10T02:00:03.110104Z",
			"deleted_at": null,
			"main_name": "MageCart",
			"aliases": [],
			"source_name": "MISPGALAXY:MageCart",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434665,
	"ts_updated_at": 1775791451,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/04ac3ed97520232a52d5a19e1f7bba0471ef46ab.pdf",
		"text": "https://archive.orkl.eu/04ac3ed97520232a52d5a19e1f7bba0471ef46ab.txt",
		"img": "https://archive.orkl.eu/04ac3ed97520232a52d5a19e1f7bba0471ef46ab.jpg"
	}
}