Thieves make off with shoppers’ credit card numbers after hacking apparel site for four months

Shoppers who placed an order with discountmugs.com during a four-month period last year are receiving a worrying notification from the online apparel store. Apparently, hackers injected card skimming code into the company’s website, then stole enough customer data to conduct fraud.

In a letter to the state attorney general, the company explains what happened, what information the hackers took, and what the company is doing to remedy this embarrassing situation. From the letter:

“On November 16, 2018, we discovered that an unauthorized change had been made to our DiscountMugs.com website. We immediately initiated an investigation and learned that unauthorized code was inserted into our shopping cart page designed to collect information customers entered on that page. We immediately removed the unauthorized code and reported the matter to law enforcement and to the payment card companies.

By Dec. 20, the company said, its investigation found that “orders placed by credit or debit cards between August 5, 2018 and November 16, 2018, may have been impacted by the unauthorized code. We are providing you with this notice because our records indicate that you placed an order between August 5, 2018 and November 16, 2018.”

This email would undoubtedly alarm any recipient, but the paragraph that follows is even more chilling. It shows the malware siphoned off exactly the data hackers needed to conduct fraud:

“… name, address, phone number, email address, the credit card or debit card number used to place the order, the expiration date, and card security code (CVV2) for that card.”

The paragraph ends by offering some comfort to victims: “Since we do not request PINs when debit cards are used, PINs were not subject to collection.”

But not every card emitter offers the 3D Secure mechanism, and not every e-commerce website uses two-factor-authentication for transactions. Moreover, verifiability of site identity is not 100% bulletproof, because the system involves a pop-up window or inline frame requiring cardholders to enter the one-time password to verify their legitimacy. However, a hacked website might display a fraudulent pop-up designed to harvest passwords.

After learning of the breach, DiscountMugs launched an investigation and, with the help of an unnamed cybersecurity firm, removed the malicious code. It is now helping police and card issuers with their investigations into the breach. Affected customers are offered a reassuring “we do not have any evidence that your information has been misused,” but the company still advises them to review an enclosed document with further information and steps they can take to prevent any harm done. The shop is also offering a complementary year of identity monitoring through AllClear ID.

DiscountMugs fails to mention how many customers were impacted. According to TechCrunch, the shop ranks in the top 10,000 sites in the U.S., with a daily customer count in the thousands.

Leave a Reply