[BreachExchange] Credit card data of up to 15,000 website shoppers stolen

Destry Winant destry at riskbasedsecurity.com
Thu May 9 22:55:24 EDT 2019


https://mainichi.jp/english/articles/20190509/p2g/00m/0na/058000c

TOKYO (Kyodo) -- At least seven online shopping sites have been hit by
a scam, resulting in the possible breach of some 15,000 customers'
credit card data between last October and April, according to
companies operating the websites.

In the scam, personal information is stolen after customers type in
data necessary to make payment on fake settlement screens that they
believe are genuine, and that resemble the real ones.

Among those compromised are an e-book site operated by Tokyo-based
DLmarket Inc., which said in December the credit card information of
up to 7,741 customers had been leaked. It later stopped selling items,
and in June the entire site will be closed.

"The system needs to be rebuilt thoroughly," the company said.

Iori Co., a towel store in Matsuyama, Ehime Prefecture, reported in
October a data breach affecting up to 2,145 customers.

Some of the stolen details, including credit card numbers, names of
card holders, expiration dates and security codes, were confirmed to
have been used for illegal purchases, the companies said.

Most of the compromised shopping sites were created using open-source
software called EC-Cube. An official of the software developer said
hackers who attacked the websites' servers "targeted the defects
caused by improper setting of the websites, not the software itself."

In the scam, a fake screen appears when a customer finishes choosing
goods, and displays an error message after credit card information is
entered.

If the customer returns to the previous screen, the genuine
transaction site completes the order, and goods are delivered to the
customer.

Even if customers notice something wrong at this stage, credit card
information has already been sent to hackers, IT security experts
said.

"There seems to be a computer program which automatically finds
defective websites. Online shopping operators need to strictly check
whether there are any problems in their sites," said Tsuyoshi
Tsurushima, an IT consultant well versed in online shopping security.

Credit card information is prone to cyberattacks intended to steal
money, with data obtained from one card available at several thousand
yen on the anonymous "dark web," which facilitates untraceable online
activities.

According to the Japan Consumer Credit Association, losses from stolen
credit card numbers in the country totaled 18.7 billion yen ($170
million) in 2018, the highest since the industry group started
compiling data in 2014.

