5.4 Million Customers Risk Credit Card Theft with Khaadi
During research into client side attacks, we recently observed a skimmer loading on the popular Pakistani fashion website, Khaadi.
Khaadi is a global brand including seven stores in the UK and the company boasts over 5.4 million followers on social media. Khaadi have faced negative press recently, after an uproar about inhuman workplace conditions in 2017, and narrowingly avoiding going into administration in 2019. Unfortunately, the bad news doesn’t stop there as on January 23rd, RapidSpike’s Security Team discovered a skimmer on uae.khaadi.com and uk.khaadi.com which has now been active for five weeks. The skimmer is designed to steal payment details from customers purchasing from the site.
The malicious code has been injected into the source of the website and only loads the skimmer on the /checkout/ page to help avoid detection. Although there looks to be code in place to stop the skimmer from loading if the browsers developer toolbar is open (a popular and effective way for hackers to further avoid detection), it doesn’t seem to be working.
Once a customer has entered their card details on the checkout page and they have hit the “Place Order” button, all card details – including the three digit CVC / CVV – are encoded and sent to the same malicious host.
According to Similar Web, Khaadi has had an average of nearly 1.5 million monthly visits in the last six months. Although this does not tell us the exact number of victims, the site is still infected five weeks later which implies this attack may have had affected a huge number of customers.
The team at RapidSpike reached out to Khaadi about the malicious code present on their website. However at the time of publication we have received no response – the skimmers are still active and are stealing payment details.
Our advice for Khaadi customers would be to avoid shopping on the website. Previous customers should monitor bank transactions carefully.
Are you at risk?
For anyone looking for more information about these kind of attacks or how RapidSpike detects these attacks, talk to us about Client-side attacks.