by Source Defense

The Liquor Control Board of Ontario (LCBO), Canada’s largest alcoholic beverage retailer, revealed last week that hackers had injected malicious code into its website to steal customer and credit card data. This represents another in a growing line of disclosures related to Digital Skimming attacks

We can confirm that an unauthorized party embedded malicious code into our website that was designed to obtain customer information during the checkout process,” the company said in a statement. “Unfortunately, customers who provided personal information on our check-out pages and proceeded to our payment page on between January 5, 2023, and January 10, 2023, may have had their information compromised. This could include names, email and mailing addresses, Aeroplan numbers, account password, and credit card information.

According to a report by BleepingComputer, the web skimmer was injected into LCBO’s online store as an inline script camouflaged as a legitimate Google Analytics tag. 

Web skimmers, or Magecart attacks, are designed to skim information entered into payment forms on checkout pages before sending data back to a remote computer controlled by attackers.

Client-side attacks, like the one that targeted Canada’s LCBO, remain a blind spot for many organizations. Every client-side web attack is different, but they all rely on the fact that the attackers can access the browser of the customer visiting the website. From there, they can steal the customer’s real-time payment details, including credit card information. 

An online shopping cart is an extremely valuable target for a hacker. All payment details from customers’ cards have already been collected and are waiting in one place for a hacker to come along with their malware and take it right out of the cart. Virtually all eCommerce websites do not thoroughly vet the code used by these third parties, making the job of a hacker quite simple.

Stop Magecart Attacks

Source Defense is the pioneer in preventing digital skimming, Magecart, formjacking, and other client-side security threats. We can help you get a handle on your risk and take the risk off the table with an easy, cost-effective, no-hassle solution. Schedule a meeting with one of our experts today for a free analysis of your eCommerce site.

PCI DSS 4.0 makes client-side security a priority.

Source Defense delivers a solution for 6.4.3 and 11.6.1 without adding a burden to your security teams.