Sigma Chi HQ


UK retailer Sweaty Betty hacked to steal customer payment information

By Meaghan H. Gonzales
December 4, 2019


UK sportswear retailer Sweaty Betty’s website has been hacked to insert malicious code that attempts to steal customers’ payment information while they shop.

This type of attack is called Magecart and involves a hacker who compromises an online site in order to inject malicious code into the checkout or other pages that ask for payment information. When a customer enters payment information on one of these hacked pages, the malicious script sends it to a remote server under the attacker’s control.

In emails sent to Sweaty Betty customers, the retailer states that customers shopping online between November 19, 2019 at 6:24 p.m. (GMT) and November 27, 2019 at 2:52 p.m. (GMT) may have had their credit card or debit card details stolen.

“These investigations confirmed that a third party gained unauthorized access to part of our website and inserted malicious code designed to capture information entered during the checkout process. This affected customers attempting to place orders online or by phone for limited intermittent periods from Tuesday, November 19 at 6:24 p.m. (GMT) to Wednesday, November 27, 2019 at 2:22 p.m. (GMT).”

The notification goes on to say that customers who paid with a credit or debit card during the time of the hack would have had their name, Sweaty Betty password, billing address, shipping address, email address, phone number, payment card number, CVV number and expiration date stolen.

[Image: Sweaty Betty cyber security incident notification email (Source: Twitter)]

As Magecart scripts rely on users entering new credit card information on the site, those who used saved payment information were not affected by this compromise. Additionally, Sweaty Betty states that customers making purchases with PayPal or Apple Pay have not been affected.

At the moment, there is no notification on the company’s website, and users looking for more information about the emails are asked to contact its customer service email address.

BleepingComputer has contacted Sweaty Betty to ask about the attack, but has not had a response yet.

Custom.js script modified

Magecart security expert Willem de Groot from Sanguine Security Labs told BleepingComputer that the hackers modified the script https://www.sweatybetty.com/on/demandware.static/-/Library-Sites-sweatybettylibrary/en_US/v1574703272172/js/custom.js to add malicious code at the bottom.

This can be seen in the archived version, where obfuscated JavaScript has been added to the bottom of a legitimate script used by the site.

[Image: Sweaty Betty Magecart script]

When users enter their payment information, the script steals it by sending it to the URL https://www.cdcc02[.]com/widgets/main.js.

[Image: Part of script showing the exfiltration server]
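
A defender-side check for the tampering described above, as an added example that is not from the original article or from Sanguine Security Labs: it compares a served script against a known-good baseline digest, recognises the appended-at-the-bottom pattern, and lists hosts in the added code that are not on an allowlist. The script bodies and the hosts `collector.example` and `www.shop.example` are constructed placeholders.

```javascript
const crypto = require('crypto');

// SRI-style digest (sha384, base64), the same format used in <script integrity="...">.
function sriDigest(body) {
  return 'sha384-' + crypto.createHash('sha384').update(body, 'utf8').digest('base64');
}

// Compare the script as served now against the known-good baseline copy.
function checkScript(baseline, served, allowedHosts) {
  const result = { modified: false, appendedOnly: false, tail: '', unknownHosts: [] };
  if (sriDigest(baseline) === sriDigest(served)) return result;
  result.modified = true; // any digest mismatch is the alert on its own

  // Pattern from the article: legitimate code left intact, new code added at the bottom.
  if (served.startsWith(baseline)) {
    result.appendedOnly = true;
    result.tail = served.slice(baseline.length);
  }

  // Best effort only: obfuscated code can hide its endpoints, so an empty
  // unknownHosts list does not clear a modified script.
  const scope = result.appendedOnly ? result.tail : served;
  const hosts = new Set();
  for (const m of scope.matchAll(/https?:\/\/([a-z0-9.-]+)/gi)) {
    hosts.add(m[1].toLowerCase());
  }
  result.unknownHosts = [...hosts].filter((h) => !allowedHosts.includes(h));
  return result;
}

// Constructed sample data (not the real custom.js or the real injected code).
const BASELINE = "function initMenu() { document.body.classList.add('ready'); }\n";
const SERVED = BASELINE +
  "/* constructed stand-in for appended code */ var endpoint = 'https://collector.example/widgets/main.js';\n";
const ALLOWED_HOSTS = ['www.shop.example'];

const report = checkScript(BASELINE, SERVED, ALLOWED_HOSTS);
console.log(sriDigest(BASELINE), report);
```

Publishing the baseline digest in the script tag's `integrity` attribute makes browsers refuse a modified copy, and a Content-Security-Policy allowlist limits which hosts page scripts can load from or send data to.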

De Groot also notes that unlike most Magecart attacks that target Magento, sweatybetty.com runs Demandware.

“Unlike most of the Magecart hacks that happen on Magento, Sweaty Betty runs Demandware, which is popular among larger stores.”

What should Sweaty Betty customers do?

Customers who have recently made purchases from sweatybetty.com should first contact their credit card company or bank and explain what happened.

They should also monitor their credit or debit card statements for suspicious or fraudulent charges and, if they find any, report them immediately. These charges can appear several months later, so customers should check their statements every month for at least 6 months, or even longer.

Finally, all recent Sweaty Betty customers should change their password on the site, as passwords were also allegedly stolen as part of this attack.


