
Vision Direct reveals breach that skimmed customer credit cards


European online contact lens supplier Vision Direct has revealed a data breach which compromised full credit card details for a number of its customers, as well as personal information.

Compromised data includes full name, billing address, email address, password, telephone number and payment card information, including card number, expiry date and CVV.

It’s not yet clear how many of Vision Direct’s customers are affected — we’ve reached out to the company with questions.

Detailing the data theft in a post on its website, Vision Direct writes that customer data was compromised between 12.11am GMT November 3, 2018 and 12.52pm GMT November 8 — any logged-in users who were ordering or updating their information on visionDirect.co.uk in that time window are potentially affected.

It says it has emailed customers to notify them of the data theft.

“This data was compromised when entering data on the website and not from the Vision Direct database,” the company writes on its website. “The breach has been resolved and our website is working normally.”

“We advise any customers who believe they may have been affected to contact their banks or credit card providers and follow their advice,” it adds.

Affected payment methods include Visa, Mastercard and Maestro — but not PayPal (although Vision Direct says PayPal users’ personal data may still have been swiped).

It claims existing personal data previously stored in its database was not affected by the breach — writing that the theft “only impacted new information added or updated on the VisionDirect.co.uk website” (and only during the aforementioned time window).

“All payment card data is stored with our payment providers and so stored payment card information was not affected by the breach,” it adds.

Data appears to have been compromised via a JavaScript keylogger running on the Vision Direct website, according to security researcher chatter on Twitter.

After the breach was made public, security researcher Troy Mursch quickly found a fake Google Analytics script had been running on Vision Direct’s UK website:

That's exactly what it was. The data was stolen via a fake Google Analytics script: https://g-analytics[.]com/libs/1.0.16/analytics.js – you can view a copy of the JS via the @urlscanio archive of https://t.co/TV22dxvCcK https://t.co/SFi5Wp4gm3 pic.twitter.com/rY13cMR2TL

— Bad Packets Report (@bad_packets) November 18, 2018

The malicious script also looks to have affected additional Vision Direct domains in Europe, as well as users of other ecommerce sites (at least one of which the researchers found still running the fake script)…

It wasn't just UK. Also infected between Nov 3rd and Nov 8th: https://t.co/fQy7WsKmfq https://t.co/8JUn9frF9v https://t.co/WBCPQOIv46 https://t.co/DCyaQzuTkM https://t.co/pwfBvDWZDz https://t.co/q9of3VMPZ5 https://t.co/LclCV3VvHY https://t.co/Ouge4ebR7v https://t.co/85sRXtC50m

— Willem de Groot (@gwillem) November 18, 2018

Additional compromised websites containing the fake Google Analytics (credit card stealing) script can be found via https://t.co/3jKljjDieZ pic.twitter.com/nBdyT8LCWR

— Bad Packets Report (@bad_packets) November 18, 2018

Another security researcher, Willem de Groot, picked up on the scam in September, writing in a blog post then that: “The domain g-analytics.com is not owned by Google, as opposed to its legitimate google-analytics.com counterpart. The fraud is hosted on a dodgy Russian/Romanian/Dutch/Dubai network called HostSailor.”
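The lookalike-domain trick de Groot describes is easy to catch in a routine page audit. As an added illustration (not code from the article or from the researchers it quotes), the Python below lists every external `<script src>` host in a page's markup that is neither first-party nor on an allowlist, and marks a host as a lookalike when its registrable name shares a distinctive fragment with a real analytics host, as g-analytics.com does with google-analytics.com. The allowlist, the brand list and the sample markup are assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist: hosts this site deliberately loads scripts from.
ALLOWED_HOSTS = {"www.google-analytics.com", "www.googletagmanager.com"}
# Legitimate analytics hosts whose names a skimmer domain may imitate.
BRAND_HOSTS = ["google-analytics.com", "googletagmanager.com"]
SCRIPT_SRC_RE = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels); enough for .com-style hosts."""
    return ".".join(host.lower().split(".")[-2:])


def lookalike_of(host: str):
    """Return the legitimate brand host that `host` imitates, or None."""
    dom = registrable(host)
    parts = set(dom.split(".")[0].split("-"))
    for brand in BRAND_HOSTS:
        if dom == brand:
            return None  # the genuine host, not a lookalike
        # Shares a distinctive (5+ char) name fragment, e.g. 'analytics'.
        if parts & {t for t in brand.split(".")[0].split("-") if len(t) >= 5}:
            return brand
    return None


def audit_script_sources(html: str, page_host: str) -> list:
    """List every external <script src> host that is neither first-party nor allowlisted."""
    findings = []
    for src in SCRIPT_SRC_RE.findall(html):
        host = urlparse(src).hostname
        if host is None or host == page_host or host in ALLOWED_HOSTS:
            continue  # relative, first-party, or approved third-party script
        brand = lookalike_of(host)
        reason = f"lookalike of {brand}" if brand else "unlisted third-party host"
        findings.append({"src": src, "host": host, "reason": reason})
    return findings


# Constructed sample markup: the real GA tag, a first-party script, the
# g-analytics.com skimmer path named in the article, and an unrelated CDN.
SAMPLE_HTML = """
<script src="https://www.google-analytics.com/analytics.js"></script>
<script src="/static/checkout.js"></script>
<script type="text/javascript" src="https://g-analytics.com/libs/1.0.16/analytics.js"></script>
<script src="https://cdn.example.net/widget.js"></script>
"""

if __name__ == "__main__":
    for f in audit_script_sources(SAMPLE_HTML, "www.visiondirect.co.uk"):
        print(f"{f['reason']:28} {f['src']}")
```

Run against a live page's markup, anything reported as a lookalike deserves immediate attention, and unlisted third-party hosts are the inventory to reconcile against a Content Security Policy `script-src` allowlist.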

He also found the malware had “spread to various websites”, saying its creator had crafted “14 different copies over the course of 3 weeks”, and tailored some versions to include a fake payment popup form “that was built for a specific website”.

“These instances are still harvesting passwords and identities as of today,” de Groot warned about two months before Vision Direct got breached.

https://t.co/b8e4pzzQZK

— Troy Hunt (@troyhunt) November 18, 2018
