British hardware chain Robert Dyas' website has been hit by credit-card stealing malware that siphoned off customers' payment details including the long card number, expiry date and security (CVV) code.

Between 7 and 30 March a card skimmer was present on Robert Dyas' payment processing page, the chain admitted in an email sent to affected customers that was seen by The Register.

"We became aware on 30 March 2020 that malicious software (malware) had been uploaded on to our ecommerce website by an external third party, which was immediately blocked by our IT Security team," said the email.

Stolen data is said to include "personal and credit/debit card details, along with names and addresses of customers." Nobody's Robert Dyas password was stolen, though that will be the least of the affected people's worries.

From the description it is plain that card-skimming malware was present. We have asked the Theo Paphitis-owned chain for further details, including whether the infection was a Magecart-style skimmer, the family of JavaScript card stealers that has hit a string of online retailers.

Jake Moore of infosec biz Eset dryly commented to The Register: "This is by no means the perfect timing to have a card skimmer hidden and operating on your site during a time when online sales are going through the roof in most industries."

He added: "For those affected it may even be a double blow as to when they understand the full potential and impact it may have on their finances. Of course, these customers should contact their banks for further details and added support but this shouldn't be taken lightly. Although no passwords seem to be taken I would suggest they change them as a matter of procedure in case it further comes out that more data was in fact compromised."

A common attack vector for these types of compromises is the so-called "supply chain": rather than breaching the retailer itself, attackers compromise a third party whose script is loaded into the card payment page (analytics, tag managers, chat widgets and the like). Once that third party is breached, malicious JavaScript can be injected into every page that embeds its script, the checkout included, as Forbes magazine discovered last year.

Back in March – ironically – US box brand Tupperware was struck with a similar infection that used a malicious PNG image file along with steganographic techniques to hide the compromise.

Robert Dyas is owned by Dragons' Den telly star Theo Paphitis. It has 94 shops across the south of the UK and in Christmas 2018 boasted that online sales grew by 45 per cent over the previous 12 months, having turned over £131.8m and made earnings (EBITDA) of £1.6m. In the previous year it made a £780,000 loss.

A spokesperson for Robert Dyas said: “As soon as we became aware of the presence of malicious software deployed by an external third party on our ecommerce site, we took immediate action to remove it. We are confident this issue has been fully resolved and the website has been safe for use since 31st March.

“We informed our Merchant Service Provider - who manages all our credit or debit card payments online on our behalf – and the relevant card schemes, who inform the payment card providers, which include banks. We are in touch with approximately 20,000 affected customers and are recommending they also contact their bank or card provider and follow their recommendations as a precaution.

“We are working with the relevant authorities in response to the incident and have appointed a Payment Card Industry Forensic Investigator to carry out an independent investigation. We are deeply sorry for the concern and inconvenience this illegal activity has caused some of our customers.”

The spokesperson added that "unfortunately, the perpetrators did gain access to the long card number, expiry date and security (CVV) code."

Ouch. ®