Canada's largest alcohol retailer infected with card skimming malware twice since December
On January 12, Canadian alcohol retail giant LCBO announced that an "unauthorized party embedded malicious code" onto its website in order to steal information from customers in the process of checking out. Over five days in January, they wrote, customers "may have had their information compromised."
In fact, the infection was one of several to target LCBO customers in the last month, including an attack that lasted for more than a week that the company has not publicly acknowledged.
Recorded Future researchers said they found the first payment-skimming malware infection occurred on LCBO’s website on December 28, and that it lasted until January 4. The second infection, acknowledged by LCBO in statements released last week, began on January 5 and lasted until January 10. The Record is an editorially independent unit of Recorded Future.
LCBO – which stands for Liquor Control Board of Ontario – is a government enterprise and now one of the largest retailers and wholesalers of alcoholic beverages in the world. It said last week that it was shutting down its website and app to investigate a “cybersecurity incident.” Their 680 retail stores are still able to operate, according to a statement the following day. Third-party experts were hired to address the incident.
“At this time, we can confirm that an unauthorized party embedded malicious code into our website that was designed to obtain customer information during the checkout process,” LCBO said, adding that customer information provided on their checkout pages may have been "compromised."
The information stolen included names, email and mailing addresses, membership account details, account passwords and credit card information. They urged customers who made purchases in that time period to check their credit card payments and report suspicious transactions.
On Thursday, an LCBO spokesperson told The Record that they are continuing to investigate the situation and are identifying specific customers who were impacted so that they can communicate with them directly.
The website and app are back up and running but all account passwords have been reset.
The website has had an average of 3,058,000 monthly visits over the past three months, with 94% coming from within Canada and 3% coming from the U.S. LCBO's volume of visitors elevated the first breach into Recorded Future's top five monthly e-skimming infections for December, based on the potential number of impacted customers.
They have discovered five other e-commerce domains with infections that used the same malicious domain – lotilabs[.]org – for either e-skimmer hosting or exfiltration.
LCBO did not respond to requests for comment about whether their investigation included the first infection or whether customers from that first infection were also being notified alongside those from the second.
Tanium’s Tim Morris said e-skimmer attacks have been around for years, yet many retailers still haven’t learned lessons from high-profile incidents involving Target and Ticketmaster – namely by starting to patch frequently.
“Many business owners are simply using a service and do not have the technical expertise or resources to do that work,” he said.
“From the consumer side it is always prudent to use cards that have fraud protection, use virtual cards where possible for web e-commerce, monitor purchases regularly (most financial institutions allow account activity to be sent via text).”
Recorded Future’s Magecart Overwatch discovered 1,520 unique malicious domains involved in the infections of 9,290 unique e-commerce domains in 2022. Most involved campaigns that saw groups use fake payment card forms or taking over legitimate merchant web infrastructure to install e-skimmers.
The company reported breaches that exposed customer payment card data at over 1,000 unique merchants in 2022.
"For 77% of the merchants, we have identified compromised payment cards from the breaches on the dark web,” they said.
The e-skimmers led to 45.6 million compromised payment card records posted for sale on dark web platforms in 2022, according to the researchers.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.