VisionDirect Data Breach Caused by MageCart Attack

By Lawrence Abrams
Published: 2018-11-19 · Archived: 2026-04-02 11:39:08 UTC
Source: https://www.bleepingcomputer.com/news/security/visiondirect-data-breach-caused-by-magecart-attack/

VisionDirect, a popular contact lens online merchant in Europe, has posted an advisory stating that their web site had a data breach that led to the theft of credit card and account information.

According to the notification, account and payment information entered on the site between November 3rd and November 8th could have been captured and sent to attackers. This data includes all account information such as billing addresses, phone numbers, and credit card information.

"The personal information was compromised when it was being entered into the site and includes full name, billing address, email address, password, telephone number and payment card information, including card number, expiry date and CVV," stated the advisory.

VisionDirect stated that PayPal payment credentials would not have been stolen.

This attack only affected visitors who logged into their accounts and entered or updated their account information during the affected period. Users who simply visited the site or used stored billing information would not have been affected.

VisionDirect said they will be contacting all affected customers in the next few days.

Compromise was caused by MageCart script

This data breach was caused by a MageCart attack, which is when attackers add malicious JavaScript to a site that captures payment and account information when it is entered into a form or submitted.

In this particular attack, a script that pretended to be Google Analytics was added to various VisionDirect domains.
While the script looks very similar to the normal Google Analytics code, the domain g-analytics[.]com is not actually owned by Google. Instead, this domain is owned by the attackers, who use it to store the stolen credit card and account information.

Malicious script on VisionDirect pretending to be Google Analytics

Security researcher Willem de Groot told BleepingComputer that he had discovered this domain being used in MageCart attacks in early September.

"In this case, the breach is related to several payment exfiltration domains that we saw earlier, such as g-statistic .com, google-anaiytic .com, msn-analytics .com"

De Groot further stated that even though the advisory only mentions visiondirect.co.uk, domains for other countries were also affected.

While the script is heavily obfuscated, one portion containing a list of strings used by the script was easily decoded. In the script below you can see various strings that are being monitored, such as payment, checkout, admin, login, password, account, and cart submissions.

Decoded Strings

Recently we reported on the Infowars.com online store also being compromised with a MageCart attack. In that attack, the malicious script was also masquerading as Google Analytics but used the domain google-analyitics[.]org instead. While the attack method is similar, the script itself is quite different.

When BleepingComputer asked De Groot if there was any connection between these attackers and the one who targeted InfoWars, he said there was no way to conclude that they were the same group.

"Could be, but I have not found other commonalities so far," De Groot told BleepingComputer. "They certainly use a different type of malware. Sorry, I see it would be nice if you could link them up. But cannot say for sure."

Alex Jones, the owner of Infowars, felt that his attackers were Communist China, "Big Tech", and the U.S. Democratic party.

BleepingComputer has contacted VisionDirect regarding this breach, but had not heard back at the time of this publication.
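The lookalike analytics hosts named in this article (g-analytics, g-statistic, google-anaiytic, msn-analytics, google-analyitics) can be caught by auditing which hosts a page loads scripts from. The following is an added example, not code from the article or from De Groot: it flags any script host that is not on an allowlist but contains a near-spelling of "analytics" or "statistics". The allowlist, the distance threshold, the sample page and its script paths are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the only third-party script hosts this site legitimately uses.
ALLOWED_HOSTS = {"www.google-analytics.com", "www.googletagmanager.com"}
BRAND_WORDS = ("analytics", "statistics")  # words the lookalike domains imitate

def edit_distance(a, b):  # Levenshtein distance, computed one row at a time
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

class ScriptHosts(HTMLParser):  # collects the host of every external <script src>
    def __init__(self):
        super().__init__()
        self.hosts = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            host = urlparse(src, scheme="https").hostname  # None for relative paths
            if host:
                self.hosts.append(host)

def looks_like_analytics(host, max_dist=2):
    # True if any dot/hyphen-separated token is a near-spelling of a brand word.
    tokens = re.split(r"[.-]", host)
    return any(edit_distance(t, w) <= max_dist for t in tokens for w in BRAND_WORDS)

def audit(html):  # analytics-like script hosts that are not on the allowlist
    parser = ScriptHosts()
    parser.feed(html)
    return sorted({h for h in parser.hosts
                   if h not in ALLOWED_HOSTS and looks_like_analytics(h)})

# Constructed sample page; the two lookalike hosts are named in the article.
SAMPLE = """
<script src="https://www.google-analytics.com/analytics.js"></script>
<script src="//g-analytics[.]com/analytics.js"></script>
<script src="https://google-anaiytic[.]com/ga.js"></script>
<script src="/static/js/checkout.js"></script>
""".replace("[.]", ".")

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A hit here is a prompt to review the script, not proof of compromise; the same allowlist is what a Content-Security-Policy `script-src` directive would enforce in the browser.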