Cyber attackers compromised the website of Ontario’s Liquor Control Board and stole personal information of customers who bought products online, the retailer has acknowledged.
“At this time, we can confirm that an unauthorized party embedded malicious code into our website that was designed to obtain customer information during the checkout process,” the Crown corporation said in a news release Thursday.
“Unfortunately, customers who provided personal information on our check-out pages and proceeded to our payment page on LCBO.com between January 5, 2023, and January 10, 2023, may have had their information compromised. This could include names, email and mailing addresses, Aeroplan numbers, LCBO.com account password, and credit card information. This incident did not affect any orders placed through our mobile app or vintagesshoponline.com.”
The retailer is still investigating the hack to identify specific customers impacted so that it can communicate with them directly. Out of an abundance of caution, customers who initiated or completed payment for orders on LCBO.com during this window are advised to monitor their credit card statements and report any suspicious transactions to their credit card providers.
“With a thorough review and testing of the website complete, including enhanced security and monitoring measures in place, LCBO.com and our mobile app have been restored and are fully operational,” the board said. It has also forced those with LCBO.com accounts to reset their passwords.
There are many types of website compromise, but the addition of code — usually JavaScript — into a site to scrape customer information or to insert a fake checkout page is broadly known as a Magecart attack. According to Imperva, victims of Magecart attacks include sites that run Adobe’s open-source Magento e-commerce platform (hence the name Magecart). Victims of Magecart-style attacks include British Airways, children’s apparel maker Hanna Andersson and even Amazon S3 buckets.
IT World Canada has reported many others, including WooCommerce installations and restaurants using the MenuDrive, Harbortouch and InTouchPOS systems.
Researchers at Sansec believe that from 2010 to mid-2022, over 70,000 compromised online stores contained a digital skimmer at one point in time. More than 100,000 stores were affected if supply chain attack victims are included. Sansec says there are over 200 different Magecart malware families.
Common targets are e-commerce platforms like Magento, WooCommerce, Prestashop, Opencart and Bigcommerce, because they are used by so many online retailers.
Imperva says that to reduce the risk of Magecart and other types of client-side attacks, retailers should:
- identify third-party JavaScript – prepare an inventory of all third-party JavaScript code on their websites.
- ask third-party vendors to audit their code – to ensure it is their original code and does not contain any malicious instructions or malware.
- switch from third-party to first-party services – whenever possible, prefer to run software on their own servers and not use third-party services. This can prove to be a challenge, as most storefronts today are heavily reliant on third-party vendors.
- implement HTTP Content-Security-Policy headers – which provide an additional layer of protection from cross-site scripting (XSS), clickjacking, and other code injection attacks.
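The first and last of those steps can be checked mechanically. The following script is an added example, not code from the article, Imperva or the LCBO: it inventories the script tags in a storefront page, marks which are first-party, and tests each external script against a `script-src` directive. The HTML is a constructed sample with made-up hostnames, and the CSP matcher is deliberately simplified (host sources, `'self'` and `'none'` only; no nonces, hashes or path matching).

```python
import re
from urllib.parse import urlparse

# Constructed sample checkout page (not real LCBO markup): one first-party script,
# one expected vendor script, one unexpected third-party script and one inline block.
SAMPLE_HTML = """
<html><head>
<script src="https://shop.example.test/static/checkout.js"></script>
<script src="https://cdn.analytics-vendor.test/tag.js"></script>
<script src="https://static.unknown-host.test/loader.js"></script>
<script>window.__cfg = {};</script>
</head><body></body></html>
"""

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.IGNORECASE)

def inventory_scripts(html, site_host):
    """Return (external, inline_count); external is a list of (url, host, is_first_party)."""
    external, inline = [], 0
    for m in SCRIPT_TAG.finditer(html):
        src = SRC_ATTR.search(m.group(1))
        if not src:
            inline += 1          # inline code is where an injected skimmer often hides
            continue
        url = src.group(1)
        host = urlparse(url).hostname or site_host   # relative src resolves to the site itself
        external.append((url, host, host == site_host))
    return external, inline

def _source_host(source):
    """Strip scheme, port and path from a CSP host-source such as https://cdn.test:443/lib/."""
    return source.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]

def csp_allows(script_src, url, site_host):
    """Simplified check: would this script-src directive permit loading url?"""
    sources = script_src.split()
    if "'none'" in sources:
        return False
    host = urlparse(url).hostname or site_host
    for s in sources:
        if s == "'self'":
            if host == site_host:
                return True
        elif not s.startswith("'"):                  # keyword sources name no host
            pat = _source_host(s)
            if pat.startswith("*.") and host.endswith(pat[1:]) or host == pat:
                return True
    return False

def audit(html, site_host, script_src):
    """List every external script with its origin class and whether the CSP would allow it."""
    external, inline = inventory_scripts(html, site_host)
    return [{"url": u, "first_party": fp, "csp_allows": csp_allows(script_src, u, site_host)}
            for u, _, fp in external], inline
```

Any entry with `first_party` false and `csp_allows` true is a vendor the retailer is trusting and should have on its audit list; an entry with `csp_allows` false is one the header would block at the browser.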