A former employee of Yahoo has been sentenced and ordered to pay a fine after exploiting his privileged access to hack into the personal accounts of thousands of Yahoo users, in his hunt for naked photographs and videos of young women.

As we previously reported, 34-year-old Reyes Daniel Ruiz, of Tracy, California, admitted last year that he had cracked account passwords and abused internal systems at Yahoo, copying stolen explicit images and videos onto a personal hard drive at his home.

Amongst Ruiz’s more than 6000 victims were personal friends and work colleagues,

And, having breached Yahoo email acccounts, Ruiz took advantage of the situation to also break into Dropbox, Facebook, Gmail, Hotmail, Apple iCloud, and PhotoBucket accounts – after requesting password resets from the third-party sites be sent to the victim’s registered email address at Yahoo.

As ZDNet reports, court documents reveal that Yahoo Mail engineers were alerted to suspicious account activity on June 21 2018.

Ruiz became aware on the same day that his activities had been uncovered, and left work early to destroy evidence at his home – including the hard drive storing images, and a list of future intended victims he planned to hack.

On August 24 2018, the FBI searched Ruiz’s residence, and the by-now-dismissed software engineer admitted he had destroyed evidence, and that he had done so in an attempt to avoid prosecution.

That admission was a sensible decision by Ruiz, because a US court has decided that he will not have to serve any jail time for the hack.

Under normal circumstances, Ruiz could have faced up to five years in prison and a $250,000 fine. Instead he has been sentenced to probation and home confinement for five years, and ordered to pay a $5,000 fine and $118,456 in restitution to the hacked email provider.

Presumably, it also played in Ruiz’s favour that he had never been in trouble with the law before, had not distributed the stolen naked images and videos, had made not attempt to contact his victims, and purely used the material for “his own self-gratification.”

Nonetheless, that’s no excuse or waiver for what Ruiz did, and for the distress which his victims must have experienced when they discovered they had fallen victim to his plot.

Although there will be some who will feel that Ruiz should serve a jail sentence for what he did, and it’s understandable that his victims might feel rightly outraged that his sentence means he has avoided incarceration, reading his sentencing memorandum gave me the impression that his actions had already resulted in significant hardship.

Ruiz has only managed to get temporary, low-paid employment since he was dismissed by Yahoo, and his finances appear to be in dire straits. If he hadn’t cooperated with the authorities, or had shared the images online this story might have had a very different ending.

Hopefully this case will act as a warning to others – if you have an urge to see naked pictures and explicit videos of people, there are plenty of places you can find them legally on the internet. You don’t need to put your career and liberty at risk by hacking into innocent people’s accounts.

Follow me for more information.

Hackers hijack Twitter account of Russia's Ministry of Foreign Affairs, offer to sell stolen data

Hackers hijack Twitter account of Russia's Ministry of Foreign Affairs, offer to sell stolen data

Normally the official Twitter account of Russia’s Foreign Ministry’s Crisis Management Centre does not make for the most fascinating read.

Normally @MID_travel simply retweets messages from other Russian government departments or embassies, as it offers advice on how Russian citizens can remain safe abroad.

But on July 2nd, the account was compromised by hackers who posted the following message:

MID tweet hacked

MID tweet hacked

Now, I don’t speak Russian but I’m reliably informed that whoever posted the tweet is An advertisement was published, is offering a database for sale – containing details of tourist payments made during June 2020 to the Public Services Portal of the Russian Federation.



Sign up to our newsletterSign up to Graham Cluley’s newsletter – “GCHQ”
Security news, advice, and tips.

Anyone interested in purchasing the database is invited to pay the tidy sum of 66 bitcoins (approximately US $499,000).

Of course, simply posting that message to a Russian government Twitter account is no proof that the hackers have access to the information they claim, and no guarantee that anyone paying the substantial amount of money will find themselves in receipt of stolen data.

Russia’s Foreign Ministry’s Crisis Management Centre has since deleted the tweet and posted a follow-up (thankfully translated courtesy of Google), debunking the claims of a data breach.

Announcement post-hack

Announcement post-hack

A database may or may not have been stolen, but there’s no doubt that an official verified Russian government Twitter account was accessed by an unauthorised party. Most likely that may be the result of a successful phishing attack, or someone making the mistake of reusing a password.

Enabling two-factor authentication on Twitter would definitely be a good idea.

Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.

Follow me for more information.

How to protect your Roblox account from hackers with two-step verification (2SV)

How to protect your Roblox account from hackers with two-step verification (2SV)

Accounts on the popular online gaming platform keep getting hacked. So, how can you better protect your Roblox account?

First things first. Make sure that you are using a unique, hard-to-crack password for your Roblox account. That means not using a simple, easy-to-guess password, dictionary words, or passwords that you are using anywhere else online.

That last point is particularly important, perhaps the biggest mistake internet users make when it comes to securing their accounts is to use the same password in multiple places. Reusing passwords across different services means that if a hacker breaches one website’s password database they can then use those passwords to see if they unlock your other online accounts.

For instance, Mark Zuckerberg had his Twitter, LinkedIn, Instagram and Pinterest accounts hacked in 2016 because he was using the same password for them as he’d been using on LinkedIn, which suffered a password breach in 2012.

But choosing a unique, strong, password isn’t enough. That password could still be phished from you, for instance.

And that’s why I recommend that computer users enable two-factor authentication or two-step verification (read this if you want to know the difference) where available, to add an extra step to the login process.



Sign up to our newsletterSign up to Graham Cluley’s newsletter – “GCHQ”
Security news, advice, and tips.

How to enable two-step verification (2SV) for your Roblox account

Having logged into your Roblox account from a desktop or laptop computer, click on the cog in the upper-right hand corner of the screen and choose “Settings”.

Roblox cog

Roblox cog

Choose the “Settings” tab, and enable “2 Step Verification”.

Roblox settings

Roblox settings

Note that if you haven’t already done so, you will need to give Roblox an email address (and verified it) before enabling two-step verification. The reason why Roblox requires this will become clear in a moment.

Your account is now protected.

Roblox 2sv enabled

Roblox 2sv enabled

Next time you attempt to log into Roblox, the site will ask you for not just a username and password, but also a six digit code.

Roblox verification dialog

Roblox verification dialog

This is the reason why Roblox requires you to give it a verified email address. Upon attempting to login, you should have received in your email a message from Roblox containing the temporary verification code.

Roblox verification email

Roblox verification email

Of course, if it wasn’t you trying to access your Roblox account you now have a heads-up that someone else was… and that maybe your username and password have been compromised.

Email-based 2SV, not app-based

Users who are familiar with 2FA and 2SV will notice that there’s a difference between how Roblox has implemented two-step verification and the way that many other online services do it.

Many websites these days offer app-based 2SV where an authenticator app – often running on the user’s smartphone – generates a six digit code to help the user authenticate their identity.

The idea is that a hacker might have managed to grab your password, but they won’t – hopefully – have physical access to your smartphone.

Roblox, unfortunately, does not offer users the option of app-based 2SV. Instead when you attempt to log into an account protected by 2SV, Roblox will send a code to your email address. And that’s the code you enter to complete your login.

That’s certainly better protection than simply defending your Roblox account with a username and password, but it’s not going to be much help if a hacker has also managed to compromise your email account, and so is able to view the verification code that Roblox has just emailed to you.

My guess is that Roblox feels it’s easier to support two-step verification conducted only via email, particularly with a userbase largely made up of youngsters.

But it seems a shame that Roblox is not offering the option of app-based authentication which has been adopted by so many other sites.

Read more about two-factor authentication and two-step verification:

Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.

Follow me for more information.

What do they have in common? The Click2Gov online utility payment system

Websites of eight US cities poisoned by malware skimming the credit card details of residents

Websites of eight US cities poisoned by malware skimming the credit card details of residents

Beware if you’re paying your bills for local government services – the payment information you type into that web form may be heading straight to cybercriminals.

Security experts at Trend Micro report that they have identified eight cities in the USA where online payment portals have been compromised to host Magecart-style credit card skimming code.

Magecart is a family of Javascript malware used to steal credit card details and personal information from unsuspecting internet users as they interact with websites – often as sensitive details are entered to make a purchase.

What makes this type of attack often more serious than a conventional data breach, is that most companies do not store your full credit card details, such as your CVV security code. But those details are entered on online checkout forms by consumers, and can be stolen by a malicious script hidden in the website’s code.

As Trend Micro explains, the common factor between the affected websites they have uncovered is that they all use the third-party Click2Gov platform:

These sites all appear to have been built using Click2Gov, a web-based platform meant for use by local governments. It is used to provide services such as community engagement, issues reporting, and online payment for local goverments. Residents can use the platform to pay for city services, such as utilities.

According to the researchers, the attacks against the eight unnamed US cities started in April, when malicious Javascript code was planted on the websites, silently harvesting credit card details and residents’ personal information as they entered it into online payment forms.

Credit card skimming attack chain

Credit card skimming attack chain

Credit card skimming attack chain. Source: Trend Micro.

Unlike other skimmers which grab data on various types of payment forms, the skimmer used here is rather simple and only works on a Click2Gov payment form. No obfuscation or anti-debugging techniques were used. The skimmer hooks the submit event of the payment form; when a victim clicks the button to send the payment information, the skimmer will grab the information from the selected columns inside the payment form and immediately send the collected information to remote server via a HTTP POST request.

Details exfiltrated by the script to a remote server under the hackers’ control included credit card numbers, CVV security codes, card expiry dates, cardholder’s name, address, and postal code.

Simple the skimming code might be, but that doesn’t mean it’s not effective.



Sign up to our newsletterSign up to Graham Cluley’s newsletter – “GCHQ”
Security news, advice, and tips.

Rightly or wrongly, Click2Gov is earning itself a bad reputation. In recent years security researchers have been tracking attacks launched against the Click2Gov payment portal, with reports of breaches involving city websites stretching across the United States and Canada.

Late last year, for instance, the city of College Station admitted its Click2Gov online utility payment system had been hacked for some months, as had the City of Waco’s Click2Gov portal for water bill payments.

The onus is on cities to follow best practices when building and maintaining its online payment systems, ensuring that patches and security updates are applied in a timely fashion and that networks are properly secured.

Meanwhile, other websites with payment forms online would be wise to remember that credit-card skimming attacks are not limited to local governments taking payments from residents.

Magecart-style attacks have been seen hitting a diverse range of victims, including hotel chain booking websites, academic campuses, as well as the likes of Ticketmaster, British Airways, Forbes, Umbro, Vision Direct, and Newegg.

If you’re making online purchases (and hey, these days, who isn’t?) you might want to investigate disposable virtual payment cards, so you’re never exposing your real life credit card to the websites to which you are making a payment. A virtual card could be locked to a single merchant, have a limited amount that can be used in a single payment, or be single-use.

There is more discussion of virtual credit cards in this episode of the “Smashing Security” podcast:

Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.

Follow me for more information.

Hackers are once again finding unsecured MongoDB databases carelessly left exposed on the internet, wiping their contents, and leaving a ransom note demanding a cryptocurrency payment for the data’s safe return.As ZDNet reports, ransom notes have been left on almost 23,000 MongoDB databases that were let unprotected on the public internet without a password.Unsecured MongoDB databases being attacked by hackers is nothing new, of course. Over recent years security breaches involving exposed MongoDB installations have occurred on multiple occasions, claiming the scalps of Verizon, OCR software firm ABBYY, dating websites, amongst others.What makes this particular attack more unusual is that the hacker threatens to contact regulatory authorities if the victim does not pay up, to report them for a GDPR violation.In an example shared by ZDNet, the ransom note demanded 0.015 Bitcoins (at current prices approximately US $140) or data would be leaked and the authorities informed.Part of the ransom note, which is in broken English, reads as follows:All of your data is a backed up. You must pay 0.015 BTC to [REDACTED] 48 hours for recover it. After 48 hours expiration we will leaked and exposed all your data. In case of refusal to pay, we will contact the General Data Protection Regulation, GDPR and notify them that you store user data in an open form and is not safe. Under the rules of the law, you face a heavy fine or arrest and your base dump will be dropped from our server.If you’re unlucky enough to find your MongoDB database wiped by the hacker and replaced by a ransom note, there are an important couple of points to consider:Firstly, will paying the ransom get your data back?Almost certainly not. The hacker may well have accessed 22,900 databases that were not properly secured online, but that’s a very different proposition from actually having successfully exfiltrated what must be a huge amount of data from so many servers. There’s no reason to believe that even if the data was copied by the hacker before it was wiped that they will feel duty bound to return your data to you safely.Secondly, will you be reported for a GDPR violation?Personally I find it hard to imagine that a criminal hacker would make a GDPR complaint against his victims. That’s not to say, of course, that someone else won’t.And that’s a reason, if further reason was ever needed, that everyone running a MongoDB database needs to ensure that they have set it up securely, and not left it open for any Tom, Dick or Hacker to waltz in and cause havoc.Despite MongoDB coming with security features, and providing a checklist for administrators to properly keep their databases out of the reach of unauthorised parties, breaches continue to happen.The tools are there, the information about how to use the tools is available, all that we need is for system administrators to wake up and realise that they need to fix their database security as a matter of priority…. or run the gauntlet of being the next victim of a damaging hack.Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.Follow me for more information.

One the face of it, it sounded like a good idea.

A smartphone app, disguised as a regular app delivering the top world, sports, and entertainment news, containing a secret feature that allows victims of domestic abuse to send a covert distress call for help at the touch of a button.

That was the idea behind the free Aspire News App, launched some years ago by When Georgia Smiled, a US non-profit founded by Robin McGraw and her husband US TV star “Dr Phil” to help victims of domestic violence and sexual assault.

To be honest, that still sounds like a good idea to me – if the app is coded well, and if any data it collects is properly secured.

But what isn’t a good idea is for voice recordings made by the app to be left exposed on an unsecured Amazon Web Services (AWS) S3 bucket, allowing anyone with internet access to download them and listen if they so wish.

According to security researchers at VPN Mentor, who found the exposed data, over 4,000 voice recordings of emergency messages left by victims of domestic violence were available to access – no password required.

Some of the 230MB worth of recordings included personally identifiable information such as names, home addresses, as well as the identities of violent abusers.

Transcripts of just two of the recordings that were exposed reveal the seriousness of the situation:

“[Full Name] is threatening or hurting me. Please send help now. [Full address]”


“Please call the police right away and have them come to [Full Address]. I am in great danger. I need you to send the police right away, please…”

Potentially, if the information fell into the wrong hands it could not only expose people who did not want the data revealed at the risk of extortion, but it could also put victims in greater physical danger if their abuser found out.

The researchers attempted to reach out to When Georgia Smiled and the Dr. Phil Foundation to get the serious data breach fixed last Wednesday, but ultimately it took the involvement of AWS itself to get the unsecured web bucket shut down.

So, that’s a happy end to the story, right?

Well, perhaps not.

You see, a security failure like this could lead to victims of domestic abuse losing confidence in Aspire News App. If they do not feel safe any longer using the app, they may find it harder to escape abusive relationships safely.

That clearly wasn’t what Dr Phil and his wife Robin McGraw wanted – the Aspire News app was supposed to help people escape dangerous situations, not make it even harder to find a way out.

Follow me for more information.

Industry veterans, chatting about computer security and online privacy.

Smashing Security podcast #184: Vanity Bitcoin wallets, BlueLeaks, and a Coronavirus app conspiracy

Smashing Security podcast #184: Vanity Bitcoin wallets, BlueLeaks, and a Coronavirus app conspiracy

A conspiracy spreads on social media about Coronavirus tracing apps, US police find decades’ worth of sensitive data leaked online, and is there a Bitcoin bonanza to be had from watching Elon Musk YouTube videos?

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by BBC technology reporter Zoe Kleinman.


Graham Cluley – @gcluley
Carole Theriault – @caroletheriault


Zoe Kleinman – @zsk

Show notes:

Sponsor: LastPass

LastPass Enterprise makes password security effortless for your organization.

LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.

But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.

Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.

Sponsor: MetaCompliance

People are the key to minimizing your Cyber Security risk posture. Create a more security-conscious workforce with MetaCompliance’s Cyber Security Awareness for Dummies book. Download it for free at smashingsecurity.com/cyberaware now.

Follow the show:

Follow the show on Twitter at @SmashinSecurity, on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.

Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.

Follow me for more information.

The activist group Distributed Denial of Secrets, perhaps better known by their shorter but clumsy moniker DDoSecrets, has been permanently banned from Twitter.

The self-declared “transparency collective”, which published leaked and hacked data it claimed was of public interest, earned its banishment from Twitter after it distributed a gigantic collection of sensitive documents related to police and law enforcement across the United States.

As we previously reported, the 270GB data dump (dubbed “BlueLeaks”) contains many years worth of information from over 200 US police departments, FBI reports, and other law enforcement agencies.

As investigative journalist Brian Krebs reports, the data appears to have been exfiltrated following a security breach at web development firm Netsential.

The publication of the data appears to have been deliberately timed by DDoSecrets to coincide with “Juneteenth”, the United States’s national day of commemoration of the ending of slavery, June 19th.

Unfortunately, the group’s haste to release the data in time appears to have overtaken any desire to redact details which could put innocent parties at risk: such as images of suspects in police investigations, banking details, and other personally identifiable information (PII).

There are additionally concerns that the breach could endanger ongoing police investigations, and the lives of law enforcement officers.

And as the dumped data contains information reaching back as far as perhaps the mid-1990s, there is additionally the risk that information may be completely out-of-date.

Speaking to Wired, DDOSecrets founder Emma Best admitted that the group had probably failed to redact all information related to crime victims, children, and unrelated private businesses:

“Due to the size of the dataset, we probably missed things. I wish we could have done more, but I’m pleased with what we did and that we continue to learn.”

That’s a startling admission of failure. More clearly could have been done, but from the sound of things DDoSecrets and its supporters were working to too tight a deadline.

And clearly Twitter was not impressed to see the dissemination of the hacked data, which is in conflict with its policies.

Having been criticised in the past for its tardy response in banning other hacking groups, such as The Dark Overlord, DC Leaks, and Guccifer 2.0, Twitter clearly felt it couldn’t stand silent while the BlueLeaks data leak was being so overtly disseminated on its platform.

Such a ban, however, may not silence DDoSecrets permanently. Don’t be surprised if they pop up again, in a new guise, to share stolen secrets on Twitter.

Follow me for more information.

Stalker Online hacked! Over one million gamers' details put on sale

Stalker Online hacked! Over one million gamers' details put on sale

More than one million players of the video game Stalker Online have been put at risk after hackers offered them for sale on the darknet.

As Cybernews reports, a database containing over 1.2 million Stalker Online user records is being sold on hacking forums. Separately, another database which is said to contain more than 136,000 records from the game’s forums are also being offered for sale.

Cybernews says it found the database for sale on a popular hacking forum on May 5, with a link to a defaced page on the Stalker Online website offered as “proof” that the game’s servers had been hacked.

Defaced webpage

Defaced webpage

Defaced Stalker Online webpage: Source: Cybernews.

The security of this web server has been compromised and all your files and userdata are now in our possession.

Contact us on [REDACTED] for assistance in securing your web server. If not reach within 24 hours – data gathered will be posted publicly for all to download

Of course, a defaced webpage is not evidence of a data breach. Controversially, Cybernews purchased the user database from the hacker, and says that it was able to confirm that the samples of the Stalker Online database “are genuine and the email addresses therein are deliverable.”

Purchasing stolen data from cybercriminals makes me extremely uncomfortable. It could be argued that anyone purchasing hacked databases – whether it by security researchers, journalist, or criminal fraudsters – are encouraging further hacks to occur by generating a demand for more stolen data.

The database, which is being offered for sale for “several hundred Euros worth of Bitcoins”, contains 1,289,084 Stalker Online player records, including usernames, account passwords, email addresses, phone numbers, and IP addresses.

Passwords are MD5 hashed and salted, which is certainly better than if they were held in plaintext, but such a weak algorithm may not present much of a challenge to criminals determined to crack them.

Cybernews says that it contacted the ecommerce platform that was hosting the hacker’s online store, and it has now been taken offline. However, that’s no guarantee that it will not be offered for sale elsewhere, or that anyone else might have purchased the database.



Sign up to our newsletter
Security news, advice, and tips.

So, players of the free-to-play MMORPG, set in a post-apocalyptic world, should really consider their details are now compromised. Hackers may have not only your username, email address, and phone number. They may also have cracked your password.

And if you made the mistake of reusing that password anywhere else on the internet, then there is a chance they could use that information to compromise your other online accounts.

Furthermore, you should obviously be aware that you might be targeted with phishing attacks, exploiting the information contained inside the database.

According to Cybernews, the makers of Stalker Online have not responded to messages related to the security reach.

Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.

Follow me for more information.

58-year-old Danielle Bulley may not look like your typical cybercriminal, but the act of revenge she committed against a company had just as much impact as a conventional hacker breaking into a business’s servers and causing havoc.

As North Yorkshire police report, Bulley has been successfully prosecuted under the UK’s Computer Misuse Act after deleting thousands of important files from a company that went on to collapse.

Once upon a time, Bulley was a director of a business called Property Press that produced a weekly property newspaper focused on south east Devon.

At some point things turned sour, and Bulley resigned her position at the firm in 2018 before the company went into liquidation. However, fellow director Alan Marriott started a new business venture – without Bulley’s involvement – using the assets of the old firm.

Things clearly didn’t sit well with Bulley after her departure from the business, and several months after her resignation she managed to gain unauthorised access to the new company’s Dropbox account.

More than 5,000 documents were permanently erased, and the company claimed that the damage to business was so great that it could no longer operate, with people losing their jobs and a loss of almost £100,000.

Unable to continue to operate, the business was forced to close down.

When specialist police from North Yorkshire Police’s Cyber Crime Unit investigated, they discovered that the Dropbox account had been remotely accessed from an IP address associated with Danielle Bulley.

Under questioning, Bulley admitted that she had deleted the files, claiming that she believed she was entitled to do so, but knowing that it would cause chaos the business.

Detective Constable Steven Harris of the Cyber Crime Unit warned other companies of the threat which can be posed by former employees:

“Bulley’s actions had dire consequences for people’s livelihood. During our investigation, it became clear that Bulley had left the original company on a bad note, but the deletion of thousands of files containing vital information was catastrophic for the victim. It dealt the new business a blow from which it never recovered.”

“Ex-employees can pose a serious risk to a business because they are familiar with the company’s IT infrastructure and procedures. This can make it easier for them to carry out cyber crimes against their former organisation.”

Sentencing Bulley to an 18-month community order with 80 hours’ unpaid work, Judge Simon Hickey said: “It was done in revenge. She was a respectable woman, but had lost her good character.”

If someone is leaving your company, especially if they are quitting your firm under something of a cloud, you would be wise to check that they don’t know your business’s passwords or have retained access to sensitive information.

Passwords should be changed, and additional authentication methods should be in place to prevent unauthorised access. Dropbox, for instance, provides a two-step verification feature which all users would be wise to enable.

And if you believe you have been wronged by a former employer do not make the mistake of thinking your anger should be directed towards them through some criminal action. You may feel that you have not been fairly treated, but you will feel much worse if you end up with a criminal conviction.

Follow me for more information.

On March 20th, the Claire’s accessories retail chain beloved by young girls around the world made the sensible decision to close all of its physical stores in response to the Coronavirus Covid-19 pandemic.

Anyone wanting to purchase costume jewellery, make-up, or hair accessories would have to not take a trip to the shopping mall, but instead visit Claire’s online store instead.

A nuisance, for sure.  But also an opportunity if you were a malicious hacker.

As security researcher Willem de Groot of Sansec reports, within 24 hours of Claire’s bricks-and-mortar stores closing for business, someone had registered the domain claires-assets.com.

This domain was then used, the following month, to exfiltrate information entered on the checkout pages of Claire’s online store and its sister brand Icing.

Hackers managed to gain write-access to Claire’s website, and inject an otherwise legitimate piece of JavaScript used by the site with additional code which skimmed customer and full payment details from online purchasers as soon as they tried to “checkout.”

Attacks like this are, unfortunately, not uncommon.  Most notoriously, malicious code known as Magecart has been used to steal sensitive information from unsuspecting internet users.

What’s so dangerous about a Magecart attack is that it doesn’t matter if a company does not store all of your credit card payment details (such as your CVV security code). Nor does a Magecart attack have to break into a company’s database or crack sophisticated encryption to extract sensitive information.

Instead, Magecart’s malicious script can lurk on a company’s website watching the information as it is entered by customers into a payment form, and send it to the waiting hackers.

Companies whose customers have been impacted by past Magecart attacks include Ticketmaster, British Airways, Feedify, Umbro, Vision Direct, Newegg, Sweaty Betty, SHEIN, Nutribullet, the American Cancer Society… and many many more.

Often these attacks are orchestrated through “supply-chain” attacks, where the hackers poison a third-party script used by a website and therefore don’t need to breach the website’s own defences to steal from customers as they shop.

However, in the case of Claire’s it appears that the hackers did actually gain access to the online store’s infrastructure.

This raises some interesting questions.

Firstly, how did the hackers gain access to the website in order to plant their malicious code?  Did they exploit a vulnerability on the website, was a member of staff phished, or was this part of a wider exploitation of Claire’s infrastructure?

The next obvious follow-up question is what has Claire’s done to ensure that a similar breach doesn’t happen again?

In a statement the firm says that upon being notified by Sansec of the security breach, it removed the offending code.

“On Friday, we identified an issue related to our e-commerce platform and took immediate action to investigate and address it. Our investigation identified the unauthorized insertion of code to our e-commerce platform designed to obtain payment card data entered by customers during the checkout process. We removed that code and have taken additional measures to reinforce the security of our platform. We are working diligently to determine the transactions that were involved so that we can notify those individuals.”

It’s good to see action has been taken, and that customers will be notified, but what should not be ignored is that some online stores have been haunted by repeat infections.  Research produced by Willem de Groot, for instance, has warned in the past that 20% of Magecart-compromised merchants find their internet stores reinfected within days.

And finally, what is to be made of the four weeks or so between the registration of the domain claires-assets.com and the launch of the hackers’ web-skimming attack against customers or Claire’s.

All the evidence points to a determined effort by the hackers to find a weakness at Claire’s that could be exploited to plant the code.  It seems to me that criminals knew that with the closure of its shopping mall stores, there would be an increase in online purchases… and were hellbent on taking advantage of the retail lockdown to fill their pockets.

Some retailers in some countries are beginning to take tentative steps out of lockdown, opening their doors again to shoppers.  They would be wise not to continue to watch their websites carefully for web-skimming attacks like the one which hit Claire’s.

Follow me for more information.

Product categories


July 2020