Chinese biz scrambles to tear down injected theft script
The Chinese phone company admitted after a week of probing that about 40,000 of its customers had their payment card details nicked while buying stuff from its web shop.
Crooks were quick to start plundering victims’ accounts using the swiped information, going on shopping sprees with the stolen card data.
Here’s how it went down: one of the store’s servers was hacked, and its code modified so that between mid-November, 2017, and January 11 this year, bank card details typed into oneplus.net by shoppers were copied and sent over to miscreants.
Specifically, the software was tampered with to harvest the numbers, names, and security codes on cards before they were encrypted and sent to OnePlus’s payment processor. The server has since been quarantined, and the malicious code removed.
OnePlus said people who opted to use PayPal were not affected, nor was anyone who had paid with a credit card they had “saved” to the site before November 11, because those cards had been encrypted by the payment provider and saved only as tokens by OnePlus.
OnePlus has sent out emails alerting punters whose information was handed over to hackers, and said it is “looking for a suitable way” to give the affected shoppers a free year of credit monitoring. Needless to say, anyone who gets one of these messages would be well advised to have their card cancelled and replaced.
Here’s what was mailed to customers earlier today:
The investigation began at the weekend after folks on the OnePlus forums complained about unauthorized charges on their cards occurring after they had made a purchase on OnePlus.net.
“One of our systems was attacked, and a malicious script was injected into the payment page code to sniff out credit card info while it was being entered,” OnePlus staff explained to customers on its forums.
“The malicious script operated intermittently, capturing and sending data directly from the user’s browser. It has since been eliminated. We have quarantined the infected server and reinforced all relevant system structures.
“We cannot apologize enough for letting something like this happen. We are eternally grateful to have such a vigilant and informed community, and it pains us to let you down.”
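The mechanism described above, a script injected into the payment page that reads card fields before they are encrypted, is one that a page-integrity check can catch. The following is an added example, not code from the article or from OnePlus: it fingerprints every script on a checkout page (external by URL, inline by SHA-256 of its body) and reports anything not present in a known-good baseline; the HTML and the injected placeholder are constructed sample input.

```python
import hashlib
from html.parser import HTMLParser

# Constructed sample input: the checkout page as baselined by the operator,
# and the same page after an attacker appended an extra inline script
# (placeholder body only; it does not capture or send anything).
BASELINE_HTML = """<html><body>
<form id="pay"><input name="cc"><input name="cvv"></form>
<script src="/static/checkout.js"></script>
<script>window.checkoutReady = true;</script>
</body></html>"""
TAMPERED_HTML = BASELINE_HTML.replace(
    "</body>", "<script>/* INJECTED_PLACEHOLDER */</script></body>")

class ScriptCollector(HTMLParser):
    """Records external script URLs and SHA-256 digests of inline script bodies."""
    def __init__(self):
        super().__init__()
        self.external, self.inline = set(), set()
        self._buf = None  # list while inside an inline <script>, else None
    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.add(src)
        else:
            self._buf = []
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            body = "".join(self._buf).strip().encode()
            self.inline.add(hashlib.sha256(body).hexdigest())
            self._buf = None

def script_fingerprint(html):
    """Return the set of (kind, value) script identities found in the page."""
    c = ScriptCollector()
    c.feed(html)
    return {("external", s) for s in c.external} | {("inline", h) for h in c.inline}

def find_unexpected_scripts(baseline_html, live_html):
    """Scripts on the live page that the baseline never contained; any hit on a
    payment page should alert an on-call engineer rather than just be logged."""
    return sorted(script_fingerprint(live_html) - script_fingerprint(baseline_html))
```

Because the statement above notes the script ran intermittently, one clean fetch proves little: run the comparison on a schedule and from outside the company's own network, so the checker sees what shoppers see.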
Critics may note that OnePlus has previously given indications of playing fast and loose with computer security. The mobe maker was found last year to have shipped handsets with factory diagnostic backdoors left active and, just days before this investigation was kicked off, OnePlus admitted it had accidentally given some international customers a China-exclusive app that relayed clipboard-related data back to Alibaba servers. ®