Updated 05/09/2019: Fast Retailing Co has stated that the credit card fields were contained within an iframe, which meant they would not be collected by this generic skimmer. However, the remainder of the personal information provided by customers would have still been vulnerable if at least one non-credit card field happened to match a regular expression designed to find credit card numbers. Fast Retailing has stated it has “verified its order history database records for last several years and confirmed that there are no inputs in existing orders matching a regular expression designed to find credit card numbers in any non-credit card fields. While the malicious code would have been executed by visitors, based on the information available to Fast Retailing it is unlikely that customers who successfully placed an order would have had their personal data stolen”.
Skimmer on Uniqlo's website
Personal data entered into Uniqlo Australia's checkout page may have been stolen
E-commerce is responsible for nearly 10% of Uniqlo Japan's sales and Uniqlo's parent company Fast Retailing Co is one of the world's largest and most successful retailers, worth $62 billion. Uniqlo is the most-visited online shop on which we have found a skimmer to date. This is the second attack to which Uniqlo has fallen victim in recent times; in May it was announced 460,000 users of the shopping site may have had their details stolen following a credential stuffing attack.
The code captured every input on the page accessible to the script
The code was designed to capture all of the data entered by customers into the checkout form. However, customers would not have had their credit card details stolen by the skimmer, as this part of the checkout form is loaded in an isolated iframe or is processed externally via Paypal. If the injected code did not find any other customer details where at least one field matched a regular expression designed to find credit card numbers, none of the data would be stolen.
textarea elements) whether or not they are part of a specific checkout form.
The captured data is transmitted to cdn-c[.]com
At the time we discovered the attack, the
Uniqlo Australia was Uniqlo's only online shop that appeared to be affected by this attack. We alerted Uniqlo to the compromise and the malicious code was removed from the affected files on 21st May.
Unsecured S3 buckets
Amazon provides customers with the ability to configure the permissions on their S3 storage with Access Control Lists (ACLs). Using ACLs, users can specify who may view, edit, delete and upload files. In Uniqlo's case, the ACL was misconfigured, allowing any user to modify any of the files within the bucket:
Misconfigured permissions on S3 buckets have been the centre of a number of data leaks in the past few years with the NSA and GoDaddy among those affected.
A not-so-unique attack
The Guardian and HuffPost have also loaded compromised resources on their websites, though no customers were affected as the malicious code was loaded in an iframe. The malicious code is intended to work in resources loaded in
<script> tags — when the criminals compromise other file types, the malicious code often does not work as intended. If the criminals had been targeting The Guardian, they could have inserted a very convincing phishing site into the article.
The Guardian's website served card stealing code
Software vendors Picreel and Translation Exchange, both of whom provide resources that are loaded on their customers' sites were also compromised. By adding malicious code to just these two buckets, the criminals infected over a thousand sites.
In all of these cases, the criminals have used the same attack vector and malicious skimming code. We have so far seen a total of six different dropsites that receive credentials from sites compromised in this way:
This suggests that these attacks are carried out by a single criminal group as part of the same campaign. It is common for criminals to carry out campaigns with more than one dropsite as it makes it harder for their operation to be detected and stopped.
Companies with customers within the EU that fail to adequately protect personal information can face severe penalties; since GDPR was implemented in 2018, fines of €20 million or up to 4% of annual global turnover can be issued to non-compliant companies. British Airways currently faces a £183m fine from the ICO following a similar attack against its customers. A number of other high-profile shopping sites have recently fallen victim, including Misfit Wearables and ARCTIC.