Procter & Gamble’s “First Aid Beauty” Online Store Compromised by Credit Card Skimmer

• A MageCart skimming script was hiding on the "First Aid Beauty" e-commerce store for months.
• The script was obfuscated, encrypted, featured targeting geo-filtering, and didn’t run on Linux.
• An unknown number of customers have had their full credit card details stolen.

If you have bought anything from Procter & Gamble’s "First Aid Beauty" online store lately, chances are that your credit card details were stolen. According to the details that have surfaced after the Sanguine Security researcher, Willem de Groot made the relevant publication, the MageCart script that was planted on the online store's website was targeting U.S. citizens, and only Windows and macOS users. This means that if you’re located elsewhere in the world, or if you’re using Linux, the skimming script isn’t activated. Willem de Groot believes that the reason for this is because most researchers use Linux, so it’s a method to avoid detection.

Hacked: @ProcterGamble's https://t.co/qz62iHDazn has had a payment skimmer since May 5th. Fairly advanced: malware does not activate for non-US visitors, or if you run Linux (ie security researchers). pic.twitter.com/HAc7UunK5n

— gwillem (@gwillem) October 25, 2019

P&G bought First Aid Beauty in July this year for a reported $250 million, but the researcher found that the script was hiding in the website’s code since May 5th. The first contact to alert the website owner of the problem was made last week, and after receiving no response, the researcher tried multiple times to no avail. This led him to contact Bleeping Computer and spread the word about the incident as this was a critical security matter for many thousands of potential customers. The website is very popular, holding an Alexa traffic rank position of 140k.

The script itself was heavily obfuscated and featured encryption. This, in combination with its victim filtering, indicates that it is the work of experienced actors. All that definitely played a crucial role in how the skimming script managed to fly under the website’s admins radars for so long. As for what info it can steal, this includes the full credit card number, the expiration date, the name of the card owner, and the CVV code. That is all that a malicious actor would need in order to make purchases and carry out payments using the stolen data.

Source: Bleeping Computer

Right now, the First Aid Beauty website is offline (error 503), probably due to an in-depth review that is going on by P&G’s IT teams. Moreover, they have provided the following comment to BC: “Consumer trust is fundamental to us, and we take data privacy very seriously. As soon as we learned about the compromise of the First Aid Beauty site, we moved quickly to take the site down and minimize the impact on our consumers. We are currently investigating the source of the malware and working to identify and notify those consumers who might have been impacted to ensure we provide them the necessary support.”

Are you buying stuff on the internet using your payment card, or do you prefer alternative payment methods? Let us know in the comments down below, or on our socials, on Facebook and Twitter.