Smucker's online store gets stuck in thieves' web

After discovering a breach that exposed customers' credit card data, US jam and jelly maker Smucker's shuttered its online shop last week.

In an apologetic post to its customers, Smucker's said that an unauthorized user slipped into its online checkout process and may have squeezed out an undisclosed number of customers' personal data.

The data may include name, address, email address, phone, credit or debit card number, expiration date, and verification code.

According to security journalist Brian Krebs, Smucker's is just the latest fly to get stuck in the same web that ensnared dozens of companies last year, including some of the world's largest data brokers and at least one credit card processor.

Sources familiar with the attackers and their infrastructure told Krebs that Smucker's was exploited by the same gang.

The gang last year ransacked dozens of sites that ran outdated, vulnerable versions of Adobe's ColdFusion Web application platform - in fact, code for ColdFusion was only one of the pearls the pirates stole away.

Given that Smucker's said its customer data was intercepted during online checkout, it sounds like the malware is acting like a Trojan such as Zeus, Krebs suggests.

The difference here would be that the malware found in Smucker's checkout process is designed to siphon data from web server applications. A Trojan such as Zeus, in contrast, goes after client-side data.

(SophosLabs' James Wyke wrote a technical paper looking at how Zeus works - for a free, no-registration-required copy, click here.)

Some of the crooks' most notable targets have included these big names:

  • Adobe. The company in October 2013 revealed that some 38 million customer records were stolen, along with source code for most of the company's biggest sellers. Beyond ColdFusion, that included code for Reader, Acrobat and Photoshop.
  • Data brokers. In September 2013, the huge data brokers LexisNexis, Dun & Bradstreet, and Kroll were found to have been boobytrapped with small but very potent botnets run for the purposes of identity theft.
  • NW3C, PR Newswire, Cupid Media. In November 2013, more than 42 million plaintext passwords were found on a server after having been hacked out of online dating site Cupid Media. On the same server were tens of millions of records from the Adobe theft, from PR Newswire, and from the National White Collar Crime Center.

Krebs notes that Smucker's was on a list of compromised online stores that he was investigating toward the end of 2013.

Although Smucker's didn't give away much detail, Krebs found its online store referenced near the top of a cached web page showing the control panel for a ColdFusion botnet that the attackers were operating last year.

They were still operating it into 2014, Krebs suggests, given that Smucker's said it wasn't aware of the breach until mid-February.

Is Smucker's the last of it? Has the law cleaned these guys up yet? Have we heard the last of this gang?

Far from it.

There are dozens of other online shops listed on the botnet control panel, Krebs says, the cached page for which dates to August 2013.

Though he's notified the companies, some have yet to respond, Krebs writes.

Of course, the longer that publicly available backdoors to these sites stay wide open, as the cached logs show they were as of August, the more damage will be done.

Stay tuned: the companies that didn't respond to Krebs might be aware of the breaches, but then again, maybe not. We might well assume that there won't be any shortage of breach news relating to this particular gang in the coming months.

In the meantime, Smucker's said in a FAQ that it's notifying affected customers via postal mail, advising them to review their transactions from December 2012 through January 2014.

If you've been shopping online for the sweet, sticky stuff, you might want to check your transactions to see whether you've gotten stuck along with Smucker's.

Image of jam and unlocked courtesy of Shutterstock.

3 Responses to Smucker's online store gets stuck in thieves' web

  1. Chris Nielsen · 578 days ago

    Another speck on the tip of the iceberg. As a lowly webmaster who watches over a few servers, I see a constant flood of attacks on them. We now block most of the non-English speaking world, but the attacks are about the same.

    When you look at all the servers and systems out there and realize that most are being attacked like ours are, it's only a matter of time before there is a breach.

    We have no ecommerce data and only small amounts of user data, so we don't offer much for anyone that breaks in, but I can only imagine what the larger sites are going through.

    Hearing about the sites like Target that get hacked doesn't really bother me much, even though I shop there. What scares me is all of the stuff that's not reported, or worse, not even detected yet.

  2. rakso75 · 578 days ago

    In My (Humble) Opinion those lists with possible sites affected must be made public (ok, maybe first inform the sites, then the police or other relevant security forces and only then the public).

    People have the right to know which sites are likely compromised.

    For those that will complain that that might badly affect those sites, so what? If I am going to buy something online I want to know that I am safe, and I expect the pertinent authorities to do all that is needed. It is like when there is a public poisoning and sometimes they have blamed the wrong culprit (remember cucumbers?), which can affect (temporarily) some innocent companies. The public health, safety and security are more important (yes, an adequate procedure or framework should be in place to prevent abuse and dissemination of false information; as I said, maybe the police or other forces should give out the news, not a security researcher).

    And furthermore, if people know that some companies were likely affected by malware, informed of this fact, and didn't bother to tell their customers and the public in general, feeding more victims to the bad guys, what are those people going to do? Probably sue those irresponsible companies and rightly so.

    • LonerVamp · 578 days ago

      I somewhat agree. But what if Krebs releases that list and one or more entries on there are actually wrong? Is it worth defamation?

      As a security/IT guy, if my company appears on some list, I definitely want to know, whether it's true or ends up being completely unfounded.

About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.