Element Vape, a popular online retailer selling e-cigarettes and accompanying accessories, has had its website compromised and loaded with the popular credit card skimmer, MageCart.
The news was revealed by BleepingComputer (opens in new tab), whose analysts investigated the website’s code, and found the skimmer on the checkout page. The skimmer was stealing information such as email addresses, credit card numbers and expiration dates, phone numbers, billing addresses, and street and ZIP codes.
As soon as the existence of the skimmer was confirmed, the publication notified Element Vape, which reacted promptly, eliminating the malicious code from its website on the same day.
We're looking at how our readers use VPNs with different devices so we can improve our content and offer better advice. This survey shouldn't take more than 60 seconds of your time. Thank you for taking part.
>> Click here to start the survey in a new window (opens in new tab) <<
How the code ended up on the webpage in the first place remains a mystery, and it's hard to tell if any of the company's endpoints (opens in new tab) were infected with malware.
The name of the threat actor is also unknown. The publication says the data stolen gets exfiltrated to an obfuscated, hardcoded Telegram address.
What the investigation did discover is that the attack is most likely of a newer date, as the code wasn’t present on the site in early February this year.
> MageCart attacks return to target hundreds of outdated ecommerce sites (opens in new tab)
> Retailers using WooCommerce are the next target for Magecart card skimmer attacks (opens in new tab)
> Magecart attacks hit thousands of UK SMBs ahead of Black Friday (opens in new tab)
Element Vape has been attacked before, BleepingComputer says. Back in 2018, it notified its customers of potentially leaking personally identifiable information (opens in new tab) (PII) to unknown threat actors.
The consumers filed a lawsuit, claiming the company did not notify affected individuals on time, and did not do all it could to prevent the incident from happening in the first place. The lawsuit was followed by a class-action one in 2019, demanding a trial by jury.
While the community’s response to Element Vape seems to be mostly positive, across social media, there are a few potential red flags, BleepingComputer hints. For example, in some U.S. states, it’s known as TheSY LLC, and has a Twitter userbase of 13,000. However, its tweets are protected, which is not what you’re used to seeing from a company.
Element Vape is yet to comment on the findings. Customers interacting with the company are advised to keep both eyes on their credit cards, for suspicious transactions.
- You should also check out our list of the best firewalls (opens in new tab) right now