UK hardware flinger Robert Dyas had credit card data and more skimmed from website • The Register – Digitalmunition


Published on April 22nd, 2020



British hardware chain Robert Dyas’ website has been hit by credit-card stealing malware that siphoned off customers’ payment details and addresses.

Between 7 and 30 March a card skimmer was present on Robert Dyas’ payment processing page, the chain admitted in an email sent to affected customers that was seen by The Register.

“We became aware on 30 March 2020 that malicious software (malware) had been uploaded on to our ecommerce website by an external third party, which was immediately blocked by our IT Security team,” said the email.

Stolen data is said to include “personal and credit/debit card details, along with names and addresses of customers.” No Robert Dyas account passwords were stolen, though that will be the least of the affected people’s worries.

From the description it is plain that card-skimming malware was present. We have asked the Theo Paphitis-owned chain for further details and whether the infection was the infamous Magecart malware.

Jake Moore of infosec biz Eset dryly commented to The Register: “This is by no means the perfect timing to have a card skimmer to be hidden and operating on your site during a time when online sales are going through the roof in most industries.”

He added: “For those affected it may even be a double blow as to when they understand the full potential and impact it may have on their finances. Of course, these customers should contact their banks for further details and added support but this shouldn’t be taken lightly. Although no passwords seem to be taken I would suggest they change it as a matter of procedure in case it further comes out that more data was in fact compromised.”

A Robert Dyas PR spokeswoman did not immediately answer The Register’s questions. We’ll update this article if we hear back from her.

A common attack vector for these types of compromises is targeting of the so-called “supply chain”: compromise of a third-party website that serves up elements of the card payment page. One method is for a third party to be breached so malicious JavaScript can be injected into the payment page, as Forbes magazine discovered last year.
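For site owners, the exposure described above can be inventoried by listing every script a payment page pulls from another host and checking it against an approved list and for a Subresource Integrity hash. The following is an added example, not code from The Register or Robert Dyas; the sample page, the hosts and the allowlist are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample payment page; every host here is a placeholder.
SAMPLE_PAGE = """
<html><head>
<script src="/static/checkout.js"></script>
<script src="https://cdn.example.net/lib.js"
        integrity="sha384-CONSTRUCTEDPLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://widgets.example.org/chat.js"></script>
<script src="//tags.example.com/t.js" async></script>
</head><body><form action="/pay"></form></body></html>
"""

# Assumed allowlist of third-party hosts the site owner has approved.
APPROVED_HOSTS = {"cdn.example.net", "widgets.example.org"}


class ScriptCollector(HTMLParser):
    """Collect the attributes of every <script> tag that has a src."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        attr_map = dict(attrs)
        if tag == "script" and attr_map.get("src"):
            self.scripts.append(attr_map)


def audit_scripts(html, page_url, approved_hosts):
    """Map each third-party script URL to the list of problems found."""
    page_host = urlparse(page_url).hostname
    collector = ScriptCollector()
    collector.feed(html)
    findings = {}
    for attrs in collector.scripts:
        url = urljoin(page_url, attrs["src"])  # resolves relative and //host forms
        host = urlparse(url).hostname
        if host == page_host:
            continue  # first-party file: SRI does not apply, check it server-side
        problems = []
        if host not in approved_hosts:
            problems.append("host not on allowlist")
        if not attrs.get("integrity"):
            problems.append("no integrity attribute")
        if problems:
            findings[url] = problems
    return findings
```

Same-host scripts are skipped, so this check covers the third-party route only; a skimmer uploaded to the shop's own server needs file-integrity monitoring on that server.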

Back in March – ironically – US box brand Tupperware was struck with a similar infection that used a malicious PNG image file along with steganographic techniques to hide the compromise.

Robert Dyas is owned by Dragons’ Den telly star Theo Paphitis. It has 94 shops across the south of the UK and in Christmas 2018 boasted that online sales grew by 45 per cent over the previous 12 months, having turned over £131.8m and made gross profits (EBITDA) of £1.6m. In the previous year it made a £780,000 loss. ®
