# VisionDirect Data Breach Caused by MageCart Attack **[bleepingcomputer.com/news/security/visiondirect-data-breach-caused-by-magecart-attack/](https://www.bleepingcomputer.com/news/security/visiondirect-data-breach-caused-by-magecart-attack/)** Lawrence Abrams By [Lawrence Abrams](https://www.bleepingcomputer.com/author/lawrence-abrams/) November 19, 2018 01:59 PM 0 VisionDirect, a popular contact lens online merchant in Europe, has posted an advisory stating that their web site had a data breach that led to the theft of credit card and account information. According to the notification, account and payment information entered on the site between November 3rd and November 8th could have been captured and sent to attackers. This data includes all account information such as billing addresses, phone numbers, and credit card information. "The personal information was compromised when it was being entered into the site and includes full name, billing address, email address, password, telephone number and payment card information, including card number, expiry date and CVV," stated the [advisory.](https://www.visiondirect.co.uk/customer-data-theft) VisionDirect stated that Paypal payment credentials would not have been stolen. This attack only affected visitors who logged into their accounts and entered or updated their account information during the affected period. Users who simply visited the site or used store billing information would not have been affected. VisionDirect said they will be contacting all affected customers in the next few days. ----- ## Compromise was caused by MageCart script This data breach was caused by a MageCart attack, which is when attackers add malicious JavaScript to a site that captures payment and account information when it is entered into a form or submitted. In this particular attack, a script was added various VisionDirect domains that pretended to be Google Analytics. That's exactly what it was. The data was stolen via a fake Google Analytics script: https://g-analytics[.]com/libs/1.0.16/analytics.js – you can view a copy of the JS via the [@urlscanio archive of](https://twitter.com/urlscanio?ref_src=twsrc%5Etfw) [https://t.co/TV22dxvCcK](https://t.co/TV22dxvCcK) [https://t.co/SFi5Wp4gm3](https://t.co/SFi5Wp4gm3) [pic.twitter.com/rY13cMR2TL](https://t.co/rY13cMR2TL) [— Bad Packets Report (@bad_packets) November 18, 2018](https://twitter.com/bad_packets/status/1064077688938229760?ref_src=twsrc%5Etfw) While the script looks very similar to the normal Google Analytics code, the domain ganalytics[.]com is not actually owned by Google. Instead this domain is owned by the attackers who use it to store the stolen credit card and account information. **Malicious script on VisionDirect pretending to be Google Analytics** [Security researcher Willem de Groot told BleepingComputer that he had discovered this](https://twitter.com/gwillem) domain being used in MageCart attacks in early September. "In this case, the breach is related to several payment exfiltration domain that we saw earlier, such as g-statistic .com, google-anaiytic .com, msn-analytics .com" ----- De Groot further stated that even though the advisory only mentions visiondirect.co.uk, domains for other countries were also affected. It wasn't just UK. Also infected between Nov 3rd and [Nov8th:https://t.co/fQy7WsKmfqhttps://t.co/8JUn9frF9vhttps://t.co/WBCPQOIv46https:/](https://t.co/fQy7WsKmfq) [/t.co/DCyaQzuTkMhttps://t.co/pwfBvDWZDzhttps://t.co/q9of3VMPZ5https://t.co/LclCV3](https://t.co/pwfBvDWZDz) [VvHYhttps://t.co/Ouge4ebR7vhttps://t.co/85sRXtC50m](https://t.co/Ouge4ebR7v) [— Willem de Groot (@gwillem) November 18, 2018](https://twitter.com/gwillem/status/1064111214974906371?ref_src=twsrc%5Etfw) While the script is heavily obfuscated, one portion containing a list of strings used by the script was easily decoded. In the below script you can see various strings that are being monitored such as payment, checkout, admin, login, password, account, and cart submissions. **Decoded Strings** [Recently we reported on the Infowars.com's online store also being compromised with a](https://www.bleepingcomputer.com/news/security/infowars-store-affected-by-magecart-credit-card-stealing-hack/) MageCart attack. In that attack, the malicious script was also masquerading as Google Analytics but used the domain google-analyitics[.]org instead. While the attack method is similar, the script itself is quite different. When BleepingComputer asked De Groot if there was any connection between these attackers and the one who targeted InfoWars, he said there was no way to conclude that they were same group. "Could be, but I have not found other commonalities so far," De Groot told BleepingComputer. "They certainly use different type of malware. Sorry, I see it would be nice if you could link them up. But cannot say for sure." Alex Jones, the owner of Infowars, felt that his attackers were Communist China, "Big Tech", and the U.S. Democratic party. ----- BleepingComputer has contacted VisionDirect regarding this breach, but had not heard back at the time of this publication. ### Related Articles: [Microsoft: Credit card stealers are getting much stealthier](https://www.bleepingcomputer.com/news/security/microsoft-credit-card-stealers-are-getting-much-stealthier/) [Caramel credit card stealing service is growing in popularity](https://www.bleepingcomputer.com/news/security/caramel-credit-card-stealing-service-is-growing-in-popularity/) [General Motors credential stuffing attack exposes car owners info](https://www.bleepingcomputer.com/news/security/general-motors-credential-stuffing-attack-exposes-car-owners-info/) [Ransomware attack exposes data of 500,000 Chicago students](https://www.bleepingcomputer.com/news/security/ransomware-attack-exposes-data-of-500-000-chicago-students/) [Engineering firm Parker discloses data breach after ransomware attack](https://www.bleepingcomputer.com/news/security/engineering-firm-parker-discloses-data-breach-after-ransomware-attack/) [Lawrence Abrams](https://www.bleepingcomputer.com/author/lawrence-abrams/) Lawrence Abrams is the owner and Editor in Chief of BleepingComputer.com. Lawrence's area of expertise includes Windows, malware removal, and computer forensics. Lawrence Abrams is a co-author of the Winternals Defragmentation, Recovery, and Administration Field Guide and the technical editor for Rootkits for Dummies. -----