Cyber Incident Victim: VOXX International
Date: Jun 2017
Location: United States of America
Summary
OXO International experienced a multi-stage MageCart attack compromising customer payment and personal data entered during checkout on their e-commerce site. Attackers injected malicious scripts into the website to harvest credit card details, billing addresses, email addresses, and phone numbers, exfiltrating the data to a remote server. The breach prompted engagement of third-party forensic investigators to address vulnerabilities and implement security improvements. The company notified authorities and provided affected customers with complimentary credit monitoring services. Investigators also identified an anomalous Russian web analytics script on the compromised checkout page, raising additional concerns about visitor data collection.
Description
OXO International experienced a multi-phase cybersecurity incident affecting customer data on its e-commerce platform (oxo.com) between June 9, 2017, and October 16, 2018. The breach occurred across three distinct periods: June 9–November 28, 2017; June 8–9, 2018; and July 20–October 16, 2018. Forensic analysis confirmed attackers compromised servers to target personal and payment information submitted through customer order forms. Evidence collected by BleepingComputer revealed at least one intrusion involved a MageCart attack, where malicious JavaScript (static.js) loaded from https://js-cloud.com was injected into the checkout page. This script harvested credit card details, billing addresses, email addresses, and telephone numbers before exfiltrating data to https://js-cloud.com/gate.php. The MageCart compromise was identified through Archive.org snapshots showing the malicious code active on June 9, 2017. OXO acknowledged the breach on December 17, 2018, stating payment data theft attempts might have been unsuccessful but advising caution.

OXO engaged third-party forensic investigators upon detecting the compromise, leading to vulnerability remediation and server security enhancements. The company notified relevant authorities and offered affected customers complimentary credit monitoring services through Kroll, with enrollment details distributed via notification emails. Additional investigation uncovered a separate suspicious script from the Russian web analytics service https://top.mail.ru on oxo.com's checkout page in a December 12, 2018, snapshot, though its purpose remained unconfirmed. The breach exposed customer transactional data during multiple high-risk intervals, with MageCart's infrastructure explicitly designed to capture payment card information. Attackers leveraged common e-commerce threat vectors, mirroring tactics used against British Airways, TicketMaster, and Newegg. OXO's public disclosure emphasized transparency regarding potential data exposure timelines while maintaining operational continuity for its online storefront.
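
The skimmer and the analytics script were both found by reading checkout-page snapshots for script tags that load from hosts the site does not control. The following is an added example, not code from OXO, BleepingComputer or the investigators, showing that check as an allowlist audit of script origins; the allowlist, the checkout URL and the sample markup are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption: hosts the site owner has approved to serve checkout scripts.
ALLOWED_SCRIPT_HOSTS = {"oxo.com", "www.oxo.com"}

# Constructed sample of a checkout snapshot (not the real oxo.com markup).
# js-cloud.com/static.js is the URL named above; the other paths are made up.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="/static/js/checkout.js"></script>
<script type="text/javascript" src="https://js-cloud.com/static.js"></script>
<script async src="//top.mail.ru/counter.js"></script>
</head><body><form id="checkout"></form></body></html>
"""


class ScriptCollector(HTMLParser):
    """Record src and integrity for every <script src=...> tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "script" and attr.get("src"):
            self.scripts.append((attr["src"].strip(), attr.get("integrity")))


def audit_checkout_scripts(html, page_url, allowed=ALLOWED_SCRIPT_HOSTS):
    """Return one finding per script served from a host outside the allowlist."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src, integrity in collector.scripts:
        # Resolve relative and protocol-relative (//host/x.js) URLs first.
        absolute = urljoin(page_url, src)
        host = urlsplit(absolute).hostname or ""
        if host not in allowed:
            findings.append({"host": host, "src": absolute, "has_sri": bool(integrity)})
    return findings


if __name__ == "__main__":
    # Assumption: the checkout URL below is a placeholder for the audited page.
    for f in audit_checkout_scripts(SAMPLE_CHECKOUT_HTML, "https://www.oxo.com/checkout"):
        print(f"unapproved script host {f['host']}: {f['src']} (SRI: {f['has_sri']})")
```

This audit only sees script tags present in the static HTML; scripts added at runtime by other JavaScript need a rendered-DOM check or Content-Security-Policy violation reports to surface.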
