{
	"id": "e3815d4a-8e55-4d72-a6dd-8c2c0546a0e9",
	"created_at": "2026-04-06T00:15:43.631712Z",
	"updated_at": "2026-04-10T03:24:11.913642Z",
	"deleted_at": null,
	"sha1_hash": "c8c746d9e8d70884b7fd270e6060c7084dad8196",
	"title": "Lockdown: Stores closed, online stores hacked",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 525199,
	"plain_text": "Lockdown: Stores closed, online stores hacked\r\nBy Sansec Forensics Team\r\nArchived: 2026-04-05 14:44:20 UTC\r\nSurge in online commerce is a boon to payment thieves.\r\nWhile an international retail chain closed its physical stores, attackers hacked its online presence, Sansec research shows. Following common Magecart malpractice, payment skimmers were injected and used to steal customer data and cards.\r\nTimeline\r\nClaire's, a fashion retailer, closed all of its 3000 brick \u0026 mortar stores worldwide on March 20th. The next day, the domain claires-assets.com was registered by an anonymous party:\r\n Domain Name: CLAIRES-ASSETS.COM\r\n Registrar URL: http://www.namecheap.com\r\n Creation Date: 2020-03-21T21:26:17Z\r\n Registrant Name: WhoisGuard Protected\r\nFor the next 4 weeks, Sansec did not observe suspicious activity. But in the last week of April, malicious code was added to the online stores of Claire's and its sister brand Icing. The injected code would intercept any customer information that was entered during checkout, and send it to the claires-assets.com server. The malware was present until June 13th.\r\nhttps://sansec.io/research/magecart-corona-lockdown\r\nPage 1 of 3\r\nAnalysis of the __preloader skimmer\r\nThe malware was added to the (otherwise legitimate) app.min.js file. This file is hosted on the store servers, so there is no \"Supply Chain Attack\" involved; the attackers had actually gained write access to the store code. Here is the heavily obfuscated copy:\r\nDecoding this reveals the following malware:\r\nThe skimmer attaches to the submit button of the checkout form. Upon clicking, the full \"Demandware Checkout Form\" is grabbed, serialized and base64 encoded. A temporary image is added to the DOM with the __preloader identifier. The image is located on a server controlled by the attacker. Because all of the customer-submitted data is appended to the image address, the attacker has now received the full payload. Immediately afterwards, the image element is removed.\r\nWe suspect that the attackers deliberately chose an image file for exfiltration, because image requests are not always monitored by security systems.\r\nA sample exfiltration request, containing the base64 encoded customer payment data, looks like this:\r\nhttps://claires-assets.com/on/demandware.static/-/Library-Sites-claires-library/default/dw2560e81d/images/clair\r\nThe timeline may indicate that the attackers anticipated a surge in online traffic following the lockdown. The period between exfil domain registration and the actual malware injection suggests that it took the attackers a good 4 weeks to gain access to the store.\r\nThe actual root cause is as yet unknown. Possible causes are leaked admin credentials, spearphishing of staff members and/or a compromised internal network.\r\nMagecart \u0026 Salesforce Commerce Cloud\r\nThe affected stores are hosted on the Salesforce Commerce Cloud, previously known as Demandware. This is a hosted eCommerce platform that serves some of the biggest stores globally. While the actual root cause is as yet unknown, it is unlikely that the Salesforce platform was breached or that Salesforce is responsible for this incident.\r\nSansec monitors all global eCommerce platforms for security incidents. Previously compromised stores that use the Salesforce platform are UK outlet Sweaty Betty in November and Hanna Andersson in September.\r\nClaire's response\r\nAfter we notified them, Claire's management responded quickly. They let us know:\r\nClaire’s cares about protecting its customers’ data. On Friday, we identified an issue related to our e-commerce platform and took immediate action to investigate and address it. Our investigation identified the unauthorized insertion of code to our e-commerce platform designed to obtain payment card data entered by customers during the checkout process. We removed that code and have taken additional measures to reinforce the security of our platform. We are working diligently to determine the transactions that were involved so that we can notify those individuals. Cards used in our retail stores were not affected by this issue. We have also notified the payment card networks and law enforcement. It is always advisable for cardholders to monitor their account statements for unauthorized charges. The payment card network rules generally provide that cardholders are not responsible for unauthorized charges that are timely reported.\r\nSource: https://sansec.io/research/magecart-corona-lockdown",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://sansec.io/research/magecart-corona-lockdown"
	],
	"report_names": [
		"magecart-corona-lockdown"
	],
	"threat_actors": [
		{
			"id": "5a0483f5-09b3-4673-bb5a-56d41eaf91ed",
			"created_at": "2023-01-06T13:46:38.814104Z",
			"updated_at": "2026-04-10T02:00:03.110104Z",
			"deleted_at": null,
			"main_name": "MageCart",
			"aliases": [],
			"source_name": "MISPGALAXY:MageCart",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434543,
	"ts_updated_at": 1775791451,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c8c746d9e8d70884b7fd270e6060c7084dad8196.pdf",
		"text": "https://archive.orkl.eu/c8c746d9e8d70884b7fd270e6060c7084dad8196.txt",
		"img": "https://archive.orkl.eu/c8c746d9e8d70884b7fd270e6060c7084dad8196.jpg"
	}
}