
Hackers breach customer rating tool used on over 7,000 websites

Attack on Shopper Approved was done by the same hacking group that stole info from Ticketmaster UK, NewEgg and British Airways, researchers say.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.

The Magecart hacking group targeted a third-party tool used on thousands of e-commerce stores.

James Martin/CNET

Hackers infiltrated a customer ratings tool used on more than 7,000 online stores in a widespread attempt to steal credit card information.

Magecart -- the world's largest credit card skimming campaign -- in September targeted Shopper Approved, a widely used plugin for people to rate products and services, according to researchers from cybersecurity firm RiskIQ.

Magecart was behind similar hacks that stole financial information from Ticketmaster UK, British Airways and NewEgg customers. Skimming is a common tactic in which thieves intercept your credit card payments and steal the financial information, typically through a physical device.

Digital skimming presents a new risk because while you can check if there's a skimmer at an ATM, it's much harder to tell if the website you're on has been compromised. Magecart has led a widespread campaign since 2015 targeting e-commerce websites. It's looking to steal your credit card information when you type it in as you shop online.

Magecart, an umbrella term for six different groups, does this by quietly changing code on websites so that sensitive data is sent to its servers, siphoning as much information as it can gather before getting caught.

Shopper Approved is Magecart's latest victim, as hackers looked to use the third-party tool to steal data from thousands of websites at the same time.

It's similar to the strategy used in the breach on Ticketmaster UK. While the company itself was not hacked, Inbenta, a third-party customer service company on Ticketmaster's website, did suffer a cyberattack, RiskIQ said.

Magecart was looking to use Shopper Approved as that same sort of gateway to thousands of stores online. Shopper Approved boasts clients like Quicken Loans, Namecheap and 1-800 Flowers, though it's unclear if those retailers were affected by the cyberattack. In a statement posted on Shopper Approved's website on Monday, the company said that "only a very small percentage of our clients were involved."

The three companies did not respond to a request for comment.

RiskIQ first notified Shopper Approved on Sept. 17, Scott Brandley, the ratings tool company's CEO, said in the statement.

"Fortunately, we were able to quickly detect and secure the code related to the incident. We also put additional security measures in place to help ensure that this doesn't happen again," he said.

Security researchers first noticed the breach on Sept. 15, when RiskIQ's detection flagged Magecart's skimming code on Shopper Approved's certificate JavaScript. Shopper Approved removed the malicious code two days later.

While Shopper Approved is on thousands of websites, there are several reasons why it did not affect every single one, Yonathan Klijnsma, a head researcher at RiskIQ, said.

The code had been looking for specific keywords on checkout pages, like "checkout" and "onestep." Any pages that didn't have those terms in the URL were not affected by Magecart's hacks, he said.

Vendors online have also become more careful, with prominent shopping carts blocking third-party scripts from activating on checkout pages. Many pages that used Shopper Approved also kept the tool separated from its checkout page, RiskIQ said.

"If you own an e-commerce company, it's best to remove the third-party code from your checkout pages whenever possible," Klijnsma said in a statement. "Many payment service providers have already taken this approach by prohibiting third-party code from running on pages where customers enter their payment information."
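The two defensive points above, blocking third-party scripts on checkout pages and watching for the URL keywords the skimmer keyed on, can be turned into a simple audit. The following is an added example written for this article, not code from RiskIQ, Shopper Approved or any store; the keywords come from the article, while the store host, script URLs and vendor host are constructed placeholders.

```javascript
// Added example (not code from the article, RiskIQ or Shopper Approved).
// Defender-side audit: given a page URL and the script sources it loads,
// flag any third-party script on a checkout page and build a matching CSP.
const CHECKOUT_KEYWORDS = ["checkout", "onestep"]; // keywords named in the article

// The same URL-path heuristic the skimmer used to pick its targets, applied
// here to decide which pages must carry no third-party script at all.
function isCheckoutPage(pageUrl) {
  const path = new URL(pageUrl).pathname.toLowerCase();
  return CHECKOUT_KEYWORDS.some((kw) => path.includes(kw));
}

// Returns the script URLs on a checkout page whose origin is not one of the
// store's own first-party origins. On non-checkout pages nothing is flagged.
function auditCheckoutScripts(pageUrl, scriptSrcs, firstPartyOrigins) {
  if (!isCheckoutPage(pageUrl)) return [];
  const allowed = new Set(firstPartyOrigins.map((o) => new URL(o).origin));
  return scriptSrcs.filter((src) => {
    const origin = new URL(src, pageUrl).origin; // resolves relative paths
    return !allowed.has(origin);
  });
}

// Builds a Content-Security-Policy value for the checkout page that only
// lets the first-party origins run scripts (no inline, no third party).
function checkoutCsp(firstPartyOrigins) {
  const sources = firstPartyOrigins.map((o) => new URL(o).origin).join(" ");
  return `script-src ${sources}; object-src 'none'; base-uri 'self'`;
}

// Constructed sample: a store whose checkout page still loads a ratings
// widget from a hypothetical third-party host.
const SAMPLE_PAGE = "https://shop.example/onestep/checkout.php?step=payment";
const SAMPLE_SCRIPTS = [
  "/assets/cart.js",
  "https://shop.example/js/payment.js",
  "https://widgets.ratings-vendor.example/embed.js",
];
const FIRST_PARTY = ["https://shop.example"];

console.log(auditCheckoutScripts(SAMPLE_PAGE, SAMPLE_SCRIPTS, FIRST_PARTY));
console.log(checkoutCsp(FIRST_PARTY));
```

Run with Node; the audit prints only the vendor widget URL, and the CSP string is what the checkout page would send so that a script from any other origin is refused by the browser.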
