[UPDATE 8th July 13:41]

Hirsch’s Homestore has confirmed that it was indeed breached in 2018 but the breach was identified before the site was compromised.

“Yes, we are aware of this incident in 2018. The breach was identified and contained by our specialist developers before the Hirsch’s site could be compromised. All payment information is held strictly with our payment partners and not with Hirsch’s, ensuring customer safety,” the firm wrote in a statement posted to Twitter.

The original story below has been tweaked slightly to reflect this updated information.

Original story below.

Cyber intelligence firm Gemini Advisory has published an alarming report regarding a group which makes use of Magecart attacks to compromise ecommerce websites.

The group was dubbed Keeper following its repeated use of a single domain to inject malicious code into websites.

Gemini Advisory says that it uncovered an unsecured access log on the Keeper control panel with 184 000 compromised cards.

The report alleges that using a network of 64 attacker domains, Keeper infected 570 ecommerce websites. From these websites, code siphoned off stolen payment card data and funneled it to 73 domains where the group could gather its ill-gotten gains.

According to Gemini Advisory, the websites have been infected since as far back as 2017, and estimates suggest the group may have made upwards of $7 million from stealing and selling compromised payment cards.

Of concern is the fact that among the 570 websites, six have a .CO.ZA URL.

According to data from Gemini Advisory, the following local websites were allegedly targeted by Keeper:

  • arb.co.za – Estimated infection date 2/12/2019
  • babycity.co.za – Estimated infection date 11/10/2017
  • gettingadeal.co.za – Estimated infection date 9/3/2018
  • hirschs.co.za – Estimated infection date 19/4/2018
  • pcexpress.co.za – Estimated infection date 26/2/2020
  • printulu.co.za – Estimated infection date 24/8/2019

This morning we attempted to contact each and every one of those websites. In the case of arb.co.za and gettingadeal.co.za we were unable to reach anybody for comment, with both contact numbers ringing endlessly.

As for babycity.co.za, hirschs.co.za, pcexpress.co.za and printulu.co.za, none can comment at this stage.

We have also contacted Gemini Advisory for additional comment regarding whether any of the 570 ecommerce websites were contacted regarding the alleged compromise of their systems. At the time of writing we have not heard back from the firm.

Something we do find curious is the fact that of the six sites above, one of them doesn’t even have ecommerce functionality.

That site is BabyCity, which simply contains a catalogue. Using the Wayback Machine to head back to 13th October 2017, we note that BabyCity didn’t even offer online shopping when it was allegedly infected.

This could have been a simple mistake on the Keeper group’s side, but it is an oddity worth noting.

UPDATE: We completely overlooked the fact that 85.2 percent of the attacks were on websites running Magento, while 5.5 percent were on WordPress, which the BabyCity website uses. We apologise for the oversight.

Other websites which were identified as being allegedly breached include a clothing store in Pakistan, an Apple reseller in Indonesia and a custom promotional product store from the US.

We will continue to provide updates from the .CO.ZA websites which were allegedly infected when we receive comment from the respective website owners.
