{ "id": "5f36e25e-4cfd-4cc8-8476-8a21405a80cc", "created_at": "2026-04-06T00:13:49.858449Z", "updated_at": "2026-04-10T13:12:02.663242Z", "deleted_at": null, "sha1_hash": "ae88a28c39416fbe5ae48a7885044b12c339ff1c", "title": "Web skimmers found on the websites of Intersport, Claire's, and Icing", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 215449, "plain_text": "Web skimmers found on the websites of Intersport, Claire's, and\r\nIcing\r\nBy Written by Catalin Cimpanu, ContributorContributor June 15, 2020 at 1:01 a.m. PT\r\nArchived: 2026-04-05 15:47:38 UTC\r\nSecurity\r\nHacker groups that engage in web skimming (also known as Magecart) attacks have breached the web stores of\r\ntwo of the world's biggest retail chains -- accessories store Claire's and sporting goods retailer Intersport.\r\nAccording to reports published today by security firms Sanguine Security and ESET, hackers breached the two\r\ncompanies' websites and hid malicious code that would record payment card details entered in checkout forms.\r\nClaire's and Icing\r\nAccording to Sanguine Security's Willem de Groot, the Claire's website was compromised between April 25 and\r\nJune 13, and so was sister-site Icing.\r\n\"The injected code would intercept any customer information that was entered during checkout, and send it to the\r\nclaires-assets.com server,\" de Groot wrote today in a report shared with ZDNet, where claires-assets.com was a\r\ndomain they registered four weeks before for the special purpose of executing this attack.\r\nDe Groot said he contacted Claire's management at the time of the attack, and the company removed the malicious\r\ncode from their site.\r\nClaire and Icing users who shopped online during the above-listed interval are advised to keep an eye out on their\r\ncard statements for unauthorized transactions and lock their cards and work with their banks if they spot anything\r\nhttps://www.zdnet.com/article/web-skimmers-found-on-the-websites-of-intersport-claires-and-icing/\r\nPage 1 of 2\n\nsuspicious.\r\n\"We are working diligently to determine the transactions that were involved so that we can notify those\r\nindividuals,\" a Claire's spokesperson told ZDNet today. \"Cards used in our retail stores were not affected by this\r\nissue. We have also notified the payment card networks and law enforcement. The payment card network rules\r\ngenerally provide that cardholders are not responsible for unauthorized charges that are timely reported. We regret\r\nthat this occurred and apologize to our customers for any inconvenience caused.\"\r\nIntersport\r\nA similar incident was also detailed today by antivirus maker ESET, impacting the website of Intersport, one of\r\nEurope's largest sporting goods retail chains, with more than 5,800 stores across the continent.\r\nThe skimmer wasn't loaded on all versions of the Intersport website, but only on the local versions serving\r\ncustomers in Croatia, Serbia, Slovenia, Montenegro, and Bosnia and Herzegovina.\r\nAccording to de Groot, who also looked into the Intersport incident, the company's stores got hacked on April 30,\r\ncleaned on May 3, and then hacked again on May 14. ESET said the company removed the malicious code within\r\nhours after being notified of the latest hack.\r\nCustomers who made purchases on the impacted Intersport websites should contact their card company and\r\nmonitor statements for fraudulent purchases.\r\nHowever, In a statement provided to ZDNet and also published on the company's website, Intersport admitted to\r\nthe incident but said that \"no payment card information were intercepted.\"\r\nBoth the Claire's and Intersport incidents took place during the coronavirus (COVID-19) pandemic when most\r\nphysical stores had been closed, and the companies redirected users toward their online sites for product\r\npurchases.\r\nArticle updated on June 15, 11:50 am ET with statement from Claire's, and again on June 18, 05:40am with\r\nstatement from Intersport.\r\nThe FBI's most wanted cybercriminals\r\nSecurity\r\nSource: https://www.zdnet.com/article/web-skimmers-found-on-the-websites-of-intersport-claires-and-icing/\r\nhttps://www.zdnet.com/article/web-skimmers-found-on-the-websites-of-intersport-claires-and-icing/\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "origins": [ "web" ], "references": [ "https://www.zdnet.com/article/web-skimmers-found-on-the-websites-of-intersport-claires-and-icing/" ], "report_names": [ "web-skimmers-found-on-the-websites-of-intersport-claires-and-icing" ], "threat_actors": [ { "id": "5a0483f5-09b3-4673-bb5a-56d41eaf91ed", "created_at": "2023-01-06T13:46:38.814104Z", "updated_at": "2026-04-10T02:00:03.110104Z", "deleted_at": null, "main_name": "MageCart", "aliases": [], "source_name": "MISPGALAXY:MageCart", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434429, "ts_updated_at": 1775826722, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/ae88a28c39416fbe5ae48a7885044b12c339ff1c.pdf", "text": "https://archive.orkl.eu/ae88a28c39416fbe5ae48a7885044b12c339ff1c.txt", "img": "https://archive.orkl.eu/ae88a28c39416fbe5ae48a7885044b12c339ff1c.jpg" } }