A popular precious-metals dealer, JM Bullion, has been the victim of a payment-skimmer attack. The company’s response was less than solid gold — it took months to notify its users of the breach.
The Dallas-based company sells gold, platinum, silver, copper and palladium bullion, in the form of bars, coins and pure metal coins called rounds. As part of its business model JM Bullion explains it “enables investors to purchase bullion they physically hold, as opposed to merely owning on paper.”
In a notice sent to its online customers, the company said that it became aware of suspicious activity on its website on July 6. An investigation uncovered third-party, malicious code present on the site, which “had the ability to capture customer information entered into the website in limited scenarios while making a purchase,” according to an email, shared on Reddit on Sunday.
The company claims on its website that it uses 256-bit SSL encryption, certified by DigiCert/Norton. Additionally, “We never have access to your credit/debit card information, as it is processed securely by CyberSource, the parent company of Authorize.net, following the most stringent PCI-compliant standards.”
However, payment-card skimmers, which are code-injections into vulnerable website components, simply record whatever customers enter into the fields on checkout pages, making the encryption and other protections a moot point.
Thus, the cyberattackers were able to capture name, address and payment-card details, JM Bullion confirmed.
It also said that the skimmer was active for five months, from February 18 until its forensics team was able to remove it on July 17. The Reddit member said that the notice went out on Halloween, meaning that the company waited three and a half months to alert users of the issue. The dates also show that there were 11 days that the skimmer was active after the company became aware of suspicious activity on the website.
Customers took to Reddit to complain. Click to enlarge.
It’s unclear how many customers are affected. The company said that the skimmer was in action in a “small portion” of transactions. According to its website, it ships more than 30,000 orders per month.
When reached by phone, a customer service person told Threatpost that only those affected received the email notices.
JM Bullion didn’t immediately respond to a request for more details on the breach.
There’s no word on who could be behind the attack, but payment skimmers are at the heart of ongoing Magecart attacks. Magecart is an umbrella term encompassing several different threat groups who all use the same modus operandi: They compromise websites (mainly built on the Magento e-commerce platform) in order to inject card-skimming scripts on checkout pages, using exploits for unpatched vulnerabilities.
“Magecart attacks are notoriously difficult to detect because they target the client-side of websites,” Ameet Naik, security evangelist at PerimeterX, told Threatpost, noting that taking five months to notice the skimmer is not unusual. “Hackers inject malicious shadow code into the website scripts which runs on the users’ browsers. Traditional server-side monitoring and security solutions don’t have visibility into this client-side activity and are unable to stop such digital skimming attacks that lead to the theft of personal data from website users. This not only hurts the online business, but also exposes them to compliance penalties and liability.”
Taking advantage of unpatched and out-of-date websites, Magecart continues to be active. In October, a Magecart spinoff group called Fullz House compromised Boom! Mobile’s U.S. website and made off with a raft of personal identification.
Hackers Put Bullseye on Healthcare: On Nov. 18 at 2 p.m. EDT find out why hospitals are getting hammered by ransomware attacks in 2020. Save your spot for this FREE webinar on healthcare cybersecurity priorities and hear from leading security voices on how data security, ransomware and patching need to be a priority for every sector, and why. Join us Wed., Nov. 18, 2-3 p.m. EDT for this LIVE, limited-engagement webinar.
