Skimmer on Uniqlo’s website
We detected that Uniqlo’s Australian online shop was leaking customers’ credit card details on 18th May 2019. While the skimmer was active, a copy of any data that was entered during the checkout process on Uniqlo’s Australian site was silently sent to a dropsite operated by fraudsters. This includes customers’ full credit card details, billing address, email and phone number.
E-commerce is responsible for nearly 10% of Uniqlo Japan’s sales, and Uniqlo’s parent company Fast Retailing Co is one of the world’s largest and most successful retailers, worth $62 billion. Uniqlo is the most-visited online shop on which we have found a skimmer to date. This is the second attack to which Uniqlo has fallen victim in recent times; in May it was announced that 460,000 users of the shopping site may have had their details stolen following a credential stuffing attack.
The code was designed to capture all of the data entered by customers into the checkout form. Customers who checked out using PayPal would not have had their credit card details stolen by the skimmer, though their billing address and password would still have been exposed. The skimmer reads the values of form fields (including textarea elements) whether or not they are part of a specific checkout form, so any field a customer fills in on an infected page is collected.
At the time we discovered the attack, the
Uniqlo Australia was Uniqlo’s only online shop that appeared to be affected by this attack. We alerted Uniqlo to the compromise and the malicious code was removed from the affected files on 21st May.
Unsecured S3 buckets
Amazon provides customers with the ability to configure the permissions on their S3 storage with Access Control Lists (ACLs). Using ACLs, users can specify who may view, edit, delete and upload files. In Uniqlo’s case, the ACL was misconfigured, allowing any user to modify any of the files within the bucket:

```json
{
    "Grantee": {
        "Type": "Group",
        "URI": "http://acs.amazonaws.com/groups/global/AllUsers"
    },
    "Permission": "FULL_CONTROL"
}
```
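A grant of FULL_CONTROL to the AllUsers group on a bucket ACL lets an anonymous client list the bucket, upload or overwrite any object, delete objects and rewrite the ACL itself, which is exactly the access needed to append a skimmer to a script stored there. The following is an added example, not code from the original post or from Uniqlo, that audits an ACL in the shape returned by `get_bucket_acl` for grants to the two public groups and strips them out. The sample ACL and the owner ID are constructed to mirror the grant quoted above; the boto3 calls at the end are the standard SDK calls for a live check and are not exercised offline.

```python
"""Audit an S3 bucket ACL for grants to the AllUsers / AuthenticatedUsers groups.

Added example; not code from the original post or from Uniqlo/Netcraft.
The ACL below is constructed to mirror the grant quoted in the post.
"""
import json

# URIs AWS uses for the two predefined "everyone" groups in S3 ACLs.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "AllUsers", AUTHENTICATED_USERS: "AuthenticatedUsers"}

# Bucket-level permissions that let the grantee change content or the ACL itself.
WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}

# Placeholder canonical user ID (64 hex chars in real responses).
OWNER_ID = "0" * 64

# Constructed sample in the shape returned by `aws s3api get-bucket-acl`
# (boto3: s3.get_bucket_acl(Bucket=...)). Mirrors the grant quoted in the post.
SAMPLE_ACL = {
    "Owner": {"ID": OWNER_ID},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OWNER_ID},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS},
         "Permission": "FULL_CONTROL"},
    ],
}


def _is_public_group(grantee):
    return grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS


def public_grants(acl):
    """Return (group_name, permission) for every grant to a public group."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if _is_public_group(grantee):
            found.append((PUBLIC_GROUPS[grantee["URI"]], grant["Permission"]))
    return found


def is_world_writable(acl):
    """True if anonymous or any-AWS-account grantees can write objects or the ACL."""
    return any(perm in WRITE_PERMISSIONS for _, perm in public_grants(acl))


def remediated_acl(acl):
    """Return a copy of the ACL with every public-group grant removed.

    The owner's own grant is kept, so the fix does not lock the owner out.
    """
    kept = [g for g in acl.get("Grants", [])
            if not _is_public_group(g.get("Grantee", {}))]
    return {"Owner": acl["Owner"], "Grants": kept}


def audit_bucket(bucket_name):
    """Live check of a real bucket with boto3 (needs AWS credentials; not run offline)."""
    import boto3  # imported here so the offline functions above need no AWS SDK
    s3 = boto3.client("s3")
    acl = s3.get_bucket_acl(Bucket=bucket_name)
    return public_grants(acl), is_world_writable(acl)


if __name__ == "__main__":
    print("public grants:", public_grants(SAMPLE_ACL))
    print("world-writable:", is_world_writable(SAMPLE_ACL))
    fixed = remediated_acl(SAMPLE_ACL)
    # Apply the cleaned ACL with:
    #   s3.put_bucket_acl(Bucket=name, AccessControlPolicy=fixed)
    # and block public ACL grants from being added again with:
    #   s3.put_public_access_block(Bucket=name, PublicAccessBlockConfiguration={
    #       "BlockPublicAcls": True, "IgnorePublicAcls": True,
    #       "BlockPublicPolicy": True, "RestrictPublicBuckets": True})
    print(json.dumps(fixed, indent=2))
```

Removing the grant stops further writes, but it does not tell you what was changed while the bucket was open: compare the current objects against a known-good copy (or S3 versioning history, if it was enabled) before assuming the hosted scripts are clean.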
Misconfigured permissions on S3 buckets have been at the centre of a number of data leaks in the past few years, with the NSA and GoDaddy among those affected.
A not-so-unique attack
The Guardian and HuffPost have also loaded compromised resources on their websites, though no customers were affected, as the malicious code was loaded in an iframe. The malicious code is intended to work in resources loaded in <script> tags; when the fraudsters compromise other file types, the malicious code often does not work as intended. If the fraudsters had been targeting The Guardian, they could have inserted a very convincing phishing site into the article.
Software vendors Picreel and Translation Exchange, both of whom provide resources that are loaded on their customers’ sites, were also compromised. By adding malicious code to just these two buckets, the fraudsters infected over a thousand sites.
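A site that loads a vendor’s script from a bucket it does not control can refuse to run a modified copy by publishing a Subresource Integrity hash on the script tag. The post does not discuss this mitigation; the following is an added example, not code from the original post or from either vendor, that computes the SRI value for a script, emits the tag a customer site would publish, and mimics the browser’s decision for the original file and for a copy with a payload appended. The script bodies and the bucket URL are constructed placeholders.

```python
"""Subresource Integrity (SRI) for a third-party script hosted in a bucket.

Added example, not from the original post. Shows that a <script> tag carrying
an integrity attribute is not silently replaced when the file in the vendor's
bucket is altered: the browser recomputes the hash and refuses a mismatch.
"""
import base64
import hashlib

# Constructed: the vendor's original script, and a tampered copy with a
# payload appended as someone with write access to the bucket could do.
ORIGINAL_SCRIPT = b"window.vendorWidget = function () { /* legitimate code */ };\n"
TAMPERED_SCRIPT = ORIGINAL_SCRIPT + b"(function () { /* appended payload */ })();\n"

# Constructed URL; the bucket name is a placeholder, not a real vendor bucket.
SCRIPT_URL = "https://example-vendor-bucket.s3.amazonaws.com/widget.js"

# Algorithms the SRI spec allows, ordered by strength.
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_hash(data, algorithm="sha384"):
    """Return the SRI token (algorithm-base64digest) for a resource body."""
    if algorithm not in STRENGTH:
        raise ValueError("SRI only allows sha256, sha384 or sha512")
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(url, data):
    """Build the <script> tag the site owner publishes for the third-party file.

    crossorigin="anonymous" is required for SRI on a cross-origin script; the
    vendor's bucket must also send a permissive Access-Control-Allow-Origin.
    """
    return (f'<script src="{url}" integrity="{sri_hash(data)}" '
            f'crossorigin="anonymous"></script>')


def browser_would_execute(integrity, fetched_body):
    """Mimic the browser's SRI decision for a fetched script body.

    Per the spec, only tokens using the strongest listed algorithm count, and
    the script runs if any of those matches. With no usable token the browser
    performs no check and runs the script.
    """
    parsed = []
    for token in integrity.split():
        algo, _, digest = token.partition("-")
        if algo in STRENGTH and digest:
            parsed.append((algo, token))
    if not parsed:
        return True
    strongest = max(STRENGTH[a] for a, _ in parsed)
    return any(sri_hash(fetched_body, a) == t
               for a, t in parsed if STRENGTH[a] == strongest)


if __name__ == "__main__":
    print(script_tag(SCRIPT_URL, ORIGINAL_SCRIPT))
    expected = sri_hash(ORIGINAL_SCRIPT)
    print("original runs:", browser_would_execute(expected, ORIGINAL_SCRIPT))
    print("tampered runs:", browser_would_execute(expected, TAMPERED_SCRIPT))
```

The caveat is that SRI pins a specific file: it only works for vendor resources that do not change without notice, and a vendor update then breaks the widget until the customer republishes the hash. For scripts that legitimately change, a Content-Security-Policy connect-src directive that lists only the origins the page is meant to talk to is the complementary control, since it blocks the outbound request to an unknown dropsite even if a modified script does run.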
In all of these cases, the fraudsters have used the same attack vector and malicious skimming code. We have so far seen a total of six different dropsites that receive credentials from sites compromised in this way:
| Domain | Registered | Registrar | IP Address | Country | Hosting Company |
|---|---|---|---|---|---|
| | 2019-01-30 | WebNIC | 220.127.116.11 | Hong Kong | Cloudie Limited |
| | 2019-05-16 | Shinjiru | 18.104.22.168 | Hong Kong | Cloudie Limited |
| | 2019-05-17 | Ilovewww | 22.214.171.124 | Hong Kong | Cloudie Limited |
The shared hosting company, country and timing suggest that these attacks are carried out by a single criminal group as part of the same campaign. It is common for criminals to run a campaign with more than one dropsite, as it makes their operation harder to detect and stop: taking down one dropsite does not interrupt the flow of stolen data to the others.
Companies with customers within the EU that fail to adequately protect personal information can face severe penalties; since GDPR came into force in 2018, fines of up to €20 million or 4% of annual global turnover, whichever is higher, can be issued to non-compliant companies. British Airways currently faces a £183m fine proposed by the ICO following a similar attack against its customers. A number of other high-profile shopping sites have recently fallen victim, including Misfit Wearables and ARCTIC.