MageCart Attack on OXO International

Delaware, USA – January 10, 2019 – OXO International reported a data breach that affected the personal information of its customers. Presumably, the adversaries got access to the data entered on the site from June to November 2017 and from July to October 2018. A third-party security firm is conducting an investigation, and OXO International has so far reported only that unauthorized code was detected on the site, which stole credit card information, names, and billing and shipping addresses. Researchers from BleepingComputer conducted their own investigation and found malicious JavaScript in archived versions of the site (https://www.oxo.com), indicating that at least one of the attacks was carried out by one of the MageCart groups. The June 2017 version of the site contained a script that stole the entered data and sent it to the attackers’ server.

MageCart operations attracted attention in the second half of 2018, when several high-profile website compromises became known and hundreds of thousands of payment cards were leaked. Analysis of the attacks showed that seven competing groups attack e-commerce websites and compromise popular plugins and extensions. Further investigations revealed that every fifth attacked website is reinfected within 24 hours after the malicious code is removed. To detect compromise attempts, you can use the Web Application Security Framework rule pack, which helps minimize the risks of running publicly accessible web applications: https://my.socprime.com/en/integrations/web-application-security-framework-arcsight