Cybercrime , Data Loss Prevention (DLP) , Fraud Management & Cybercrime

Magecart Spies Payment Cards From Retailer Vision Direct

Card-Sniffing JavaScript Posed as Google Analytics Script on Retailer's Sites
Magecart Spies Payment Cards From Retailer Vision Direct

I spy with my little eye a data breach.

See Also: Close the Case on Ransomware

Online retailer Vision Direct, which bills itself as being Europe's largest online contact lenses supplier, has been warning customers that it suffered a data breach from Nov. 3 until Nov. 8.

"The personal information compromised includes full name, address, telephone number, email address, password and payment card information," the company says in its data breach notification. "This includes your card number, expiry date and CVV. Unfortunately this information could be used to conduct fraudulent transactions."

Signs of Magecart at Work

Dutch security research Willem de Groot discovered the underlying attack campaign in September. He says it appears to be part of the e-commerce payment form hijacking attacks that are broadly known as Magecart, which have been ascribed to multiple cybercrime groups.

Vision Direct, in its notification, advises all potentially affected customers to change their Vision Direct password as well as to watch their credit card and bank statements for signs of fraud.

Vision Direct didn't immediately respond to a request for comment.

But a copy of the data breach notification that it has been emailing to potentially affected customers, shared by Australian data breach expert Troy Hunt, says that Vision Direct has expunged the attack code from its site and is "working with the authorities to investigate how this theft occurred."

Per the Payment Card Industry Data Security Standard specifications, storing any CVV data - in encrypted form or otherwise - is prohibited. Mikko Hypponen, chief research officer at Finnish cybersecurity firm F-Secure, said the likely modus operandi was attackers using software designed to surreptitiously copy and steal this data.

Troy Mursch of Bad Packets Report says that assessment appears to be true. Using an archived copy of the Vision Direct site, Mursch found a fake Google Analytics script - no doubt planted by attackers - that included the ability to harvest payment card data.

Dutch information security consultant Willem de Groot tells Information Security Media Group that he discovered this attack campaign in early September, well before Vision Direct was hacked. He says the campaign appears to have been running since at least May.

This attack employs a domain called "The domain '' is not owned by Google, as opposed to its legitimate '' counterpart," de Groot says in his September blog post. The fraud is hosted on a dodgy Russian/Romanian/Dutch/Dubai network called HostSailor. The malware behaves pretty much like the real Google Analytics, and it wouldn't raise any dev [development] eyebrows while monitoring Chrome's waterfall chart."

The fake Google analytics website was registered on May 31, de Groot tells ISMG, meaning it's likely been used as part of attacks against other sites too. In the bigger picture, meanwhile, "similar domains are in use as exfiltration servers, such as, [and]," he says.

He's ascribed these attacks to Magecart, an umbrella term that he says refers to at least eight cybercrime groups that have collectively waged a prolific series of hack attacks against e-commerce sites that have resulted in thousands of compromised sites (see: Magecart Cybercrime Groups Harvest Payment Card Data).

"For the record, Magecart is an umbrella term for payment form jacking, although some media use it - incorrectly - to identify a specific source," he says. "Based on modus operandi, code patterns and such, there are at least eight distinct groups involved with form-jacking campaigns. And because the exploit toolkits are for sale on the dark web, yet more groups are expected to enter the space."

Attackers Potentially Exploited Unpatched Magento

At the time that Vision Direct was breached, de Groot says the company appears to have failed to install two critical patches for its Magento e-commerce software.


He adds that the Vision Direct breach didn't just affect its UK e-commerce site, but also its online stores that use country code top-level domains for Belgium, France, Ireland, Italy, the Netherlands and Spain (see: InfoWars: Magecart Infection Points to 'Industrial Sabotage').

Vision Direct's Security Promises

Despite being hit by hackers, Vision Direct could see itself in trouble with privacy regulators for having guaranteed that its site is safe (see: GDPR: Data Breach Class Action Lawsuits Come to Europe).

In a security FAQ on its website, the company states: "When you pay online, no one at Vision Direct can see your full card details - just the last four digits of the long number for verification purposes. The https:// at the beginning of the URL verifies that it is a safe transaction."

Vision Direct's security FAQ

"It's probably worthwhile revisiting statements like this after someone has just siphoned off a heap of your customers' credit cards," Hunt says via Twitter.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.