After discovering a breach that exposed customers’ credit card data, US jam and jelly maker Smucker’s shuttered its online shop last week.
In an apologetic post to its customers, Smucker’s said that an unauthorized user slipped into its online checkout process and may have squeezed out an undisclosed number of customers’ personal data.
The data may include name, address, email address, phone, credit or debit card number, expiration date, and verification code.
According to security journalist Brian Krebs Smucker’s is just the latest fly to get stuck in the same web that ensnared dozens of companies last year, including some of the world’s largest data brokers and at least one credit card processor.
Sources familiar with the attackers and their infrastructure told Krebs that Smucker’s was exploited by the same gang.
The gang last year ransacked dozens of sites that ran outdated, vulnerable versions of Adobe’s ColdFusion Web application platform – in fact, code for ColdFusion was only one of the pearls the pirates stole away.
Given that Smucker’s said its customer data was intercepted during online checkout, it sounds like the malware is acting like a Trojan such as Zeus, Krebs suggests.
The difference here would be that the malware found in Smucker’s checkout process is designed to siphon data from web server applications. A Trojan such as Zeus, in contrast, goes after client-side data.
(SophosLabs’ James Wyke wrote a technical paper looking at how Zeus works – for a free, no-registration-required copy, click here.)
Some of the crooks’ most notable targets have included these big names:
- Adobe. The company in October 2013 revealed that some 38 million customer records were stolen, along with source code for most of the company’s biggest sellers. Beyond ColdFusion, that included code for Reader, Acrobat and Photoshop.
- Data brokers. It was discovered in September 2013 that the huge data brokers LexisNexis, Dun & Bradstreet, and Kroll were found to have been boobytrapped with small but very potent botnets run for the purposes of identity theft.
- NW3C, PR Newswire, Cupid Media. In November 2013, more than 42 million plaintext passwords were found on a server after having been hacked out of online dating site Cupid Media. On the same server were tens of millions of records from the Adobe theft, from PR Newswire, and from the National White Collar Crime Center.
Krebs notes that Smucker’s was on a list of compromised online stores that he was investigating toward the end of 2013.
Although Smucker’s didn’t give away much detail, Krebs found its online store referenced near the top of a cached web page showing the control panel for a ColdFusion botnet that the attackers were operating last year.
They were still operating it into 2014, Krebs suggests, given that Smucker’s said it wasn’t aware of the breach until mid-February.
Is Smucker’s the last of it? Has the law cleaned these guys up yet? Have we heard the last of this gang?
Far from it.
There are dozens of other online shops listed on the botnet control panel, Krebs says, the cached page for which dates to August 2013.
Though he’s notified the companies, some have yet to respond, Krebs writes.
Of course, the longer that publicly available backdoors to these sites stay wide open, as the cached logs show they were as of August, the more damage that will be done.
Stay tuned: the companies that didn’t respond to Krebs might be aware of the breaches, but then again, maybe not. We well might assume that there won’t be any shortage of breach news relating to this particular gang in the coming months.
In the meantime, Smucker’s said in a FAQ that it’s notifying affected customers via postal mail, advising them to review their transactions from December 2012 through January 2014.
If you’ve been shopping online for the sweet, sticky stuff, you might want to check your transactions to see whether you’ve gotten stuck along with Smucker’s.