At least seven online retailers have been hit by a scam resulting in the possible breach of some 15,000 customers’ credit card data between October last year and April, according to companies operating the websites.
In the scam, personal information was stolen when customers entered the data needed to make a payment on fake payment screens that they believed were genuine.
Among the sellers compromised was an e-book site operated by Tokyo-based DLmarket Inc., which said in December the credit card information of up to 7,741 customers had been leaked. It later stopped selling items, and in June the entire site will be temporarily closed.
“The system needs to be rebuilt thoroughly,” the company said.
Iori Co., a towel store in Matsuyama, Ehime Prefecture, reported in October a data breach that affected up to 2,145 customers.
Some of the stolen details, including credit card numbers, names of card holders, expiration dates and security codes, were confirmed to have been used for illegal purchases, the companies said.
Most of the compromised shopping sites were created using open-source software called EC-Cube. An official of the software developer said hackers who attacked the websites’ servers targeted weaknesses caused by improper settings on the websites, not the software itself.
In the scam, a fake screen appears when a customer finishes choosing goods, and displays an error message after credit card information is entered.
If the customer returns to the previous screen, the legitimate transaction site completes the order, and goods are delivered to the customer.
Even if customers notice something wrong at this stage, credit card information has already been sent to hackers, information technology security experts said.
“There seems to be a computer program which automatically finds defective websites. Online shopping operators need to strictly check whether there are any problems in their sites,” said Tsuyoshi Tsurushima, an IT consultant well-versed in online shopping security.
Credit card information is a frequent target of cyberattacks, with data from a single card selling for several thousand yen on the anonymous darknet, which facilitates untraceable online activities.
According to the Japan Consumer Credit Association, losses from stolen credit card numbers in the country totaled ¥18.7 billion ($170 million) in 2018, the highest since the industry group started compiling data in 2014.