The web site for UK activewear retailer Sweaty Betty has been hacked to insert malicious code that attempts to steal a customer's payment information when making purchases.

This type of attack is called Magecart and involves a hacker compromising an online site in order to inject malicious code in checkout or other pages that ask for payment information. When a customer enters payment information on one of these hacked pages, the malicious script will send it to a remote server operated by the attacker.

In emails being sent to Sweaty Betty customers, the retailer states that customers shopping online between November 19th, 2019, at 6:24 PM (GMT) and November 27th, 2019, at 2:52 PM (GMT) may have had their credit card or debit card details stolen.

"These investigations confirmed that a third party gained unauthorised access to part of our website and inserted malicious code designed to capture information entered during the checkout process. This affected customers attempting to place orders online or over the phone for limited intermitten periods of time from Tuesday 19 November at 6.24pm (GMT to Wednesday 27 November 2019 at 2.52.pm (GMT)."

The notification goes on to say that those customer's who paid with a credit or debit card during the time of the hack would have had their name, Sweaty Betty password, billing address, delivery address, email address, telephone number, payment card number, CVV number, and expiry date stolen.

Sweaty Betty Email (Source: Twitter)

Click to see full size

As Magecart scripts rely on users entering new credit card details into the site, those who had saved payment information were not affected by this compromise. Furthermore, Sweaty Betty states that customers making purchases using PayPal or Apple Pay were not affected.

At the present time there is no notification on their web site and user's who are looking for more information regarding the emails are asked to contact their customer care email.

BleepingComputer has contacted Sweaty Betty with questions about the attack, but had not heard back at this time.

Custom.js script modified

Magecart security expert Willem de Groot of Sanguine Security Labs told BleepingComputer that the hackers modified the https://www.sweatybetty.com/on/demandware.static/-/Library-Sites-sweatybettylibrary/en_US/v1574703272172/js/custom.js script to add malicious code to the bottom.

This can be seen in the archived version where you can see obfuscated JavaScript added to the bottom of a legitimate script used by the site.

Sweaty Betty Magecart Script

When users enter payment information, the script will steal the payment info by sending it to the URL https://www.cdcc02[.]com/widgets/main.js.

Script portion showing exfiltration server

de Groot also notes that unlike most Magecart attacks that target Magento, sweatybetty.com runs Demandware.

"Contrary to most Magecart hacks that happen on Magento, Sweaty Betty runs Demandware, which is popular among the biggest stores"

What should Sweaty Betty customers do?

If you had recently shopped at the sweatybetty.com site, the first thing customers should do is contact their credit card company or bank and explain what happened.

They should also monitor their credit card or debit card statement for suspicious or fraudulent charges, and if any are found, report them immediately. These charges can appear many months later, so customers should check their statements every month for at least 6 months, if not longer.

Finally, all recent Sweaty Betty customers should change their password on the site as they would have been stolen as part of this attack as well.