16 June 2020

Magecart hackers infect Claire’s, Intersport online shops with web skimmers


Web stores belonging to large retail chains Claire’s and Intersport have been found to contain payment card skimmers designed to steal information stored on customers’ payment cards.

According to a report by Sanguine Security, the compromise of Claire’s online store and the website of its sister brand Icing took place between April 25 and June 13. The card skimmer was delivered from a domain (claires-assets.com) designed to look like the legitimate Claire’s site. This domain was registered at the end of March and remained dormant for the next four weeks, until the last week of April, the researchers say.

“The injected code would intercept any customer information that was entered during checkout, and send it to the claires-assets.com server. The malware was present until June 13th. The malware was added to the (otherwise legitimate) app.min.js file. This file is hosted on the store servers, so there is no “Supply Chain Attack” involved, and attackers have actually gained write access to the store code,” the report says.

“The skimmer attaches to the submit button of the checkout form. Upon clicking, the full ‘Demandware Checkout Form’ is grabbed, serialized and base64 encoded. A temporary image is added to the DOM with the __preloader identifier. The image is located on the server as controlled by the attacker. Because all of the customer submitted data is appended to the image address, the attacker now has received the full payload. Immediately, the image element is removed.”
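One way a defender could look for the exfiltration pattern the report describes (form data base64-encoded and appended to an image address on an outside host), as an added example that is not code from the report or from either retailer. The request shape, the allowlist, the field-name heuristic and all `.example` hostnames are assumptions made for the demonstration.

```javascript
// Added example: detect image-beacon exfiltration in a list of page requests.
// Request shape ({type, url}) and all hostnames are assumptions for the demo.
const ALLOWED_IMG_HOSTS = new Set(["www.shop.example", "cdn.shop.example"]);
// Field names that suggest serialized checkout data (heuristic, constructed).
const FORM_FIELD = /(card|cvv|cvc|expir|email)[^=&]*=/i;

// Percent-decode without throwing on malformed input.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

// Return the decoded text if `value` is plausible base64 of printable ASCII.
function decodeBase64(value) {
  const s = value.replace(/-/g, "+").replace(/_/g, "/"); // accept URL-safe alphabet
  if (s.length < 24 || !/^[A-Za-z0-9+/]+={0,2}$/.test(s)) return null;
  const text = Buffer.from(s, "base64").toString("latin1");
  return /^[\x20-\x7e]+$/.test(text) ? text : null;
}

// Flag image requests to non-allowlisted hosts whose URL carries encoded form data.
function findBeacons(requests) {
  const hits = [];
  for (const req of requests) {
    if (req.type !== "image") continue;
    let url;
    try { url = new URL(req.url); } catch { continue; }
    if (ALLOWED_IMG_HOSTS.has(url.hostname)) continue;
    const params = url.search.slice(1).split("&").map((p) => p.slice(p.indexOf("=") + 1));
    for (const raw of [...url.pathname.split("/"), ...params]) {
      const text = decodeBase64(safeDecode(raw));
      if (text && FORM_FIELD.test(text)) {
        hits.push({ host: url.hostname, decoded: text });
        break;
      }
    }
  }
  return hits;
}

// Constructed sample traffic: two benign images and one beacon-style request.
const payload = Buffer.from("card_number=4111111111111111&cvv=123&email=a%40b.example").toString("base64");
const SAMPLE = [
  { type: "image", url: "https://cdn.shop.example/img/logo.png?v=3" },
  { type: "image", url: "https://metrics.example/p.gif?id=12345" },
  { type: "image", url: "https://assets-lookalike.example/i.gif?d=" + encodeURIComponent(payload) },
];
console.log(findBeacons(SAMPLE));
```

The same request list can come from a HAR export or a synthetic checkout run in a headless browser; a Content-Security-Policy `img-src` allowlist on the checkout page blocks this class of beacon outright rather than only detecting it.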

A similar attack targeting the website of Intersport was spotted by ESET researchers. The experts pointed out that the web skimming attack targeted only customers in Croatia, Serbia, Slovenia, Montenegro, and Bosnia and Herzegovina.

According to Sanguine Security, which also analyzed the Intersport incident, the retailer’s stores were compromised on April 30th. After the researchers contacted the company about the hack, the card skimmer was removed from the site, but on May 14th the site was compromised for a second time. ESET said the company removed the malicious code within hours of being notified of the latest hack.

In a press statement, Intersport confirmed the incident and said that “no payment card information were intercepted, as online card payments are processed through independent WSPay payment platform, which was not affected by the malicious code.”
