US-based jewelry and accessory giant Claire’s and its subsidiary Icing were compromised in April, allowing hackers to gain access to customers’ credit cards, Sansec reports.

According to a new report by cybersecurity firm Sansec, Claire’s website was compromised by attackers who attempted to steal customers’ payment information as they made purchases on the site.

The malware was added to the (otherwise legitimate) app.min.js file. This file is hosted on the store servers, so there is no “Supply Chain Attack” involved, and attackers have actually gained write access to the store code. Here is the heavily obfuscated copy:

Decoding this reveals the following malware:

The skimmer attaches to the submit button of the checkout form. Upon clicking, the full “Demandware Checkout Form” is grabbed, serialized and base64 encoded. A temporary image is added to the DOM with the __preloader identifier.

The image is hosted on a server controlled by the attacker. Because all of the customer-submitted data is appended to the image address, the attacker receives the full payload as soon as the browser requests the image. Immediately afterwards, the image element is removed.
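The exfiltration pattern described above (a serialized form, base64 encoded and appended to an image address on a third-party host) can be recognised in request logs or a browser monitoring hook. The following detection sketch is an added example, not code from Sansec or from the affected site; the hostnames, form field names and sample URLs are constructed, and the first-party host list is an assumption.

```javascript
// Added example. Hostnames, field names and sample URLs are constructed.
const FIRST_PARTY = new Set(["shop.example"]); // assumption: the store's own hosts

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

// Return decoded text if `s` is plausible base64 of printable ASCII, else null.
function decodeBase64Text(s) {
  const norm = s.replace(/-/g, "+").replace(/_/g, "/");
  if (norm.length < 40 || !/^[A-Za-z0-9+/]+={0,2}$/.test(norm)) return null;
  const text = Buffer.from(norm, "base64").toString("latin1");
  return /^[\x20-\x7e]+$/.test(text) ? text : null;
}

// A serialized form reads key=value&key=value; require at least three fields.
function looksLikeSerializedForm(text) {
  const parts = text.split("&");
  return parts.length >= 3 && parts.every((p) => /^[^=]+=.*$/.test(p));
}

// Classify one image URL requested from the checkout page.
function inspectImageRequest(rawUrl) {
  const url = new URL(rawUrl);
  if (FIRST_PARTY.has(url.hostname)) return { suspicious: false, reason: "first-party host" };
  const query = url.search.slice(1);
  // Candidates: whole query, each query value, each path segment (raw, so "+" survives).
  const candidates = [query, ...query.split("&").map((p) => p.slice(p.indexOf("=") + 1)),
                      ...url.pathname.split("/")].map(safeDecode);
  for (const c of candidates) {
    const text = decodeBase64Text(c);
    if (text && looksLikeSerializedForm(text)) {
      return { suspicious: true, reason: `base64 form data sent to ${url.hostname}` };
    }
  }
  return { suspicious: false, reason: "no encoded form data" };
}

// Constructed samples: a skimmer-style beacon, a first-party image, a normal pixel.
const form = "card_number=4111111111111111&cvn=123&email=test%40shop.example&zip=10001";
const blob = Buffer.from(form).toString("base64");
const samples = [
  `https://collector.example/i.gif?${encodeURIComponent(blob)}`,
  "https://shop.example/images/logo.png?v=" + blob,
  "https://analytics.example/pixel.gif?page=checkout&step=2&lang=en",
];
for (const s of samples) console.log(inspectImageRequest(s).suspicious, s.slice(0, 60));
```

A restrictive Content-Security-Policy img-src directive on checkout pages addresses the same channel preventively, since the browser then refuses to load images from hosts that are not on the allow list.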

This type of compromise is called a MageCart attack: hackers compromise a website so that they can inject malicious JavaScript into various sections of the site. These scripts then steal payment information that is submitted by a customer.