Cyber Incident Victim: Shopper Approved
Date: Sep 2018
Location: United States of America
Summary
A US-based provider of customer review widgets was compromised by Magecart attackers, who injected malicious code into a legitimate JavaScript file loaded by client sites, allowing checkout form data to be stolen and sent to a remote server. The breach was detected early, which kept it short, and its impact was confined to a small fraction of checkout pages because most clients did not embed the widget on payment pages and the skimmer only activated when the page URL contained specific keywords. Researchers identified the attack after the hackers briefly exposed unobfuscated code, which revealed infrastructure shared with a prior Magecart incident involving another widget provider. The company quickly removed the malicious script and notified affected customers.
Description
On September 15, 2018, cybersecurity firm RiskIQ detected a Magecart skimming compromise targeting Shopper Approved, a US-based provider of customer review widgets embedded on third-party e-commerce sites. Attackers compromised Shopper Approved's server infrastructure and inserted malicious code into the legitimate certificate.js file hosted at shopperapproved.com/seals/certificate.js. This file formed part of the company's rating widget distributed to client websites. The injected skimmer collected payment card details and personal information entered into checkout forms and exfiltrated them to the attacker-controlled domain info-stat.ws. RiskIQ noted that this infrastructure had previously been used in the mid-September Feedify compromise, which involved similar Magecart tactics. Unlike the prolonged Feedify infection, the Shopper Approved breach lasted only two days: the company removed the malicious code on September 17 after being alerted by RiskIQ.

The incident affected a limited number of checkout pages despite Shopper Approved's widget being deployed across thousands of sites. RiskIQ attributed the constrained scope to two factors: most clients did not load the widget on checkout pages, and the skimmer activated only when the checkout URL contained specific keywords. Shopper Approved notified the e-commerce sites on which the compromised code had executed. Forensic analysis showed that the attackers first uploaded a clean, unobfuscated version of their skimmer to certificate.js and replaced it with an obfuscated variant about 15 minutes later. This oversight gave researchers an unobfuscated sample from which to analyze the group's techniques. The breach exemplified Magecart's operational pattern of compromising a third-party service provider in order to harvest payment data from many downstream sites at once, and RiskIQ confirmed that the same infrastructure was reused across campaigns, including the Feedify intrusion under way at the same time.
