Multiple Hacking Groups Attempt to Skim Credit Cards from Perricone MD
During research into Magecart attacks, we recently uncovered malicious code from two hacking groups attempting to steal credit card information on the European e-commerce websites for the science-backed skincare brand Perricone MD (affecting perriconemd.co.uk, perriconemd.it and perriconemd.de). Founded by U.S. celebrity dermatologist Nicholas Perricone, the company generated sales of $86 million in 2014 and are looking to fetch more than $200 million in a rumoured upcoming sale.
Multiple Hacking Groups
Two hacking groups were able to insert malicious code directly into the websites, most likely due to a vulnerability in the Magento platform running the websites:
We traced the first hack back to November 2018, meaning it has been present on the websites for over a year. But unfortunately for the hacker, there is a small mistake in the code which causes an error, stopping the skimmer from successfully loading:
Uncaught TypeError: String.charCodeAt is not a function
After debugging the code, we could see it was attempting to load a skimmer from a malicious domain used in other Magecart attacks: js-react.com
The second hacking group gained access to the websites in November 2019, likely through the same vulnerability. They registered the domain perriconemd.me.uk to help avoid detection and only load the skimmer on the checkout page, another common tactic to help avoid detection:
The server hosting perriconemd.me.uk (126.96.36.199) is located in Japan and hosts several other domains linked to a wide range of data breaches and credit card theft, including:
Hacker vs Hacker?
However, just a couple of the digits were at some point modified to make sure the skimmer wasn’t loaded:
The hard-to-spot modification means the code is now attempting to load the URL https:5/js-reac,.com/js/static.js.
The team at RapidSpike reached out to several people at Perricone MD about the malicious code present on their websites and we have made ourselves available to help in anyway we can. We currently have no evidence that any credit card or personal information has been breached so hopefully the skimmers will soon be removed and any vulnerabilities will be closed.
Are you at risk?
For anyone looking for more information about these kind of attacks or how RapidSpike detects these attacks, talk to us about Magecart.