Cyber Incident Victim: Sixth June
Date: Oct 2019
Location: France
Summary
A French fashion e-commerce site was compromised with malicious code designed to steal payment card information during checkout, attributed to a MageCart-style e-skimmer attack. The script, loaded from a domain impersonating Magento, harvested cardholder names, numbers, CVV codes, expiration dates, and additional personal data including addresses, emails, and passwords from input fields, enabling potential account takeovers and fraudulent transactions. Researchers identified the threat after nearly a week of unauthorized data collection, noting the attackers concealed the activity using counterfeit Google Tag Manager code. Despite multiple notifications to company leadership, the skimmer remained active for several days before eventual removal. This incident was part of a broader campaign compromising over 80 websites with similar skimming infrastructure.
Description
The Sixth June incident involved a MageCart-style attack on the French fashion e-commerce site, which compromised customer payment card data during online transactions. Security researcher Jenkins identified malicious JavaScript ('apiV3.js') loading from the domain mogento[.]info on Sixth June's checkout pages (/onepage and /firecheckout) during a broader investigation into similar cybercriminal activities. The attackers had injected this skimming code prior to October 23, 2019, when RapidSpike researchers first observed it active. The script collected encrypted payment details entered during checkout—including cardholder name, card number, expiration date, and CVV—and exfiltrated them via POST requests disguised as image files (visa-mastercard-amex_0.png) to the attacker-controlled domain. Beyond payment data, the malware harvested all form inputs on affected pages, capturing usernames, passwords, email addresses, physical addresses, and phone numbers, enabling potential account takeover and order manipulation.

Sixth June, operating on Magento with approximately 70,000 monthly visitors and significant social media followings, remained unresponsive to multiple researcher notifications. Jenkins alerted the CEO about the compromise on October 28 but received no reply, mirroring non-responses observed in contemporaneous MageCart incidents like the First Aid Beauty breach under Procter & Gamble. The attackers employed evasion tactics by mimicking legitimate Magento infrastructure through typosquatting (mogento[.]info) and embedding malicious code within a counterfeit Google Tag Manager snippet—a pattern consistent across 80 other compromised sites identified in the same investigation. The skimmer operated undetected for at least one week until its removal on October 30, 2019, exposing all customers who made purchases between October 23 and the remediation date. The incident reflected the broader global MageCart threat landscape, which had previously impacted major enterprises including British Airways and Ticketmaster since its emergence in 2010.
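The two traits described above, a POST sent to an image-named path and a host one character away from a trusted brand, can be checked in checkout-page traffic. The following is an added detection sketch, not code from the researchers or the affected site; the allow-list, brand labels, function names and the hosts shop.example and mogento.example are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

IMAGE_EXT = re.compile(r"\.(png|jpe?g|gif|ico|webp)$", re.IGNORECASE)
CHECKOUT_PATHS = ("/onepage", "/firecheckout")  # checkout pages named in the write-up
# Assumptions (constructed): hosts the shop expects, and brand labels to protect.
ALLOWED_HOSTS = {"shop.example", "www.googletagmanager.com"}
BRAND_LABELS = {"magento", "google"}

def edit_distance(a, b):  # Levenshtein distance using two rolling rows
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(host):
    """Return the brand that a host label is one edit away from, else None."""
    for label in host.lower().split("."):
        for brand in sorted(BRAND_LABELS):
            if edit_distance(label, brand) == 1:
                return brand
    return None

def review(events):
    """Flag third-party requests made from checkout pages; events are (method, url, referer)."""
    findings = []
    for method, url, referer in events:
        parts = urlsplit(url)
        host = parts.hostname or ""
        referer_path = urlsplit(referer).path
        if host in ALLOWED_HOSTS or not any(p in referer_path for p in CHECKOUT_PATHS):
            continue
        reasons = []
        if method == "POST" and IMAGE_EXT.search(parts.path):
            reasons.append("POST to image path")
        if brand := lookalike_of(host):
            reasons.append(f"host resembles '{brand}'")
        if reasons:
            findings.append((host, parts.path, reasons))
    return findings

SAMPLE = [  # constructed traffic; mogento.example stands in for the look-alike host
    ("GET", "https://www.googletagmanager.com/gtm.js", "https://shop.example/checkout/onepage"),
    ("GET", "https://mogento.example/apiV3.js", "https://shop.example/checkout/onepage"),
    ("POST", "https://mogento.example/visa-mastercard-amex_0.png", "https://shop.example/firecheckout"),
    ("GET", "https://img.cdn.example/banner.png", "https://shop.example/firecheckout"),
]
```

Calling `review(SAMPLE)` returns two findings, both for the look-alike host; the allow-listed tag manager request and the ordinary image GET are not flagged.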
