Vaporshark site had malware on it snagging credit card information

[Zamazam]

I got this email from Vaporshark a little while ago:

SECURITY UPDATE

At Vapor Shark, we understand that in today’s world your personal and private information is more important than ever. In late June of this year, we began receiving mixed data regarding a possible breach of security on our retail website. Despite us not immediately understanding the full scope, extent, or cause of what was happening, we immediately had our developers research the issue and ramp up security measures to ensure data safety and security during our investigation which has now been concluded.

Upon further examination, we discovered malicious code which appeared to have been siphoning credit card information from our retail, customer-facing website on or after June 23rd, 2015. Our wholesale website was not affected.

A Sucuri.net blog from the same date released a notice regarding a recently discovered Magento vulnerability which quietly attaches to your code and makes it virtually undetectable unless you actively seek it out, which we did.
See more info on that blog here.

The malicious code was immediately contained, isolated, and completely removed by July 14th, 2015. To supplement our internal security measures, we enrolled the services of Sucuri.net, a leader in internet commerce security. Our website, which is hosted by Amazon, is scanned by Sucuri.net on a daily basis for viruses, malware, and spyware. If any malicious content is found with Sucuri.net it is immediately flagged, isolated, and removed by the development team. Additionally, our site is also protected from intrusion by Incapsula, the same company and service that secures companies like eHarmony, WIX, Newsweek, SIEMENS and Motley Fool.

If you have reason to believe that you may have been affected, please contact your card issuing bank and inform them. We are working with VISA, MasterCard, and American Express regarding this issue and they will be able to address your concerns adequately.

We sincerely apologize for any inconvenience this may have caused. Vapor Shark takes the safety of your personal and private information very seriously. Our website has been free of malicious code since we discovered and corrected the issue; it is secure, it is safe and it is being monitored on a 24 hour schedule. You can check the status of our site at anytime going forward by clicking on the Sucuri banner at the top of our home page or by clicking this link.

Thank You,

Vapor Shark

 

[Zamazam]

Notice they won't pony up for the credit monitoring with a data breach.

 

[MrScaryZ]

I got this email from Vaporshark a little while ago:

SECURITY UPDATE

At Vapor Shark, we understand that in today’s world your personal and private information is more important than ever. In late June of this year, we began receiving mixed data regarding a possible breach of security on our retail website. Despite us not immediately understanding the full scope, extent, or cause of what was happening, we immediately had our developers research the issue and ramp up security measures to ensure data safety and security during our investigation which has now been concluded.

Upon further examination, we discovered malicious code which appeared to have been siphoning credit card information from our retail, customer-facing website on or after June 23rd, 2015. Our wholesale website was not affected.

A Sucuri.net blog from the same date released a notice regarding a recently discovered Magento vulnerability which quietly attaches to your code and makes it virtually undetectable unless you actively seek it out, which we did.
See more info on that blog here.

The malicious code was immediately contained, isolated, and completely removed by July 14th, 2015. To supplement our internal security measures, we enrolled the services of Sucuri.net, a leader in internet commerce security. Our website, which is hosted by Amazon, is scanned by Sucuri.net on a daily basis for viruses, malware, and spyware. If any malicious content is found with Sucuri.net it is immediately flagged, isolated, and removed by the development team. Additionally, our site is also protected from intrusion by Incapsula, the same company and service that secures companies like eHarmony, WIX, Newsweek, SIEMENS and Motley Fool.

If you have reason to believe that you may have been affected, please contact your card issuing bank and inform them. We are working with VISA, MasterCard, and American Express regarding this issue and they will be able to address your concerns adequately.

We sincerely apologize for any inconvenience this may have caused. Vapor Shark takes the safety of your personal and private information very seriously. Our website has been free of malicious code since we discovered and corrected the issue; it is secure, it is safe and it is being monitored on a 24 hour schedule. You can check the status of our site at anytime going forward by clicking on the Sucuri banner at the top of our home page or by clicking this link.

Thank You,

Vapor Shark

Freak that glad you said something I almost bought a VaporShark DNA200 wow! if they cannot remedy the situation for those that could be affected thats bad news to me..

 

[Zamazam]

I'm using a google wallet card (mastercard) and only put the amount I'm purchasing plus 1 dollar to the card.

 

[MrScaryZ]

Ahh good idea man

Sent from my C6740N using Tapatalk

 

[Teresa P]

I got the same email, glad I've never ordered from them, just went through this crap after a flavor order. But if it happened to them, how many others have been violated?

 

[Zamazam]

Anyone that uses Magento eCommerce software could be affected, that's a lot of sites.

 

[MrScaryZ]

Anyone that uses Magento eCommerce software could be affected, that's a lot of sites.

Hmmm damn man you making me have to do a security analysis arggg ..

Thaks

 

[Teresa P]

Well, I got wise and got the Wallet card myself. What I can't pay with PayPal goes on the Wallet card.

 

[Vlad1]

Anyone that uses Magento eCommerce software could be affected, that's a lot of sites.

That part confused me a bit as they later stated they use Amazon. IDK if Amazon Web Services run Magento or if that's only their portal for transactions and is separate. If it's separate portal then that's just another piece with potential problems as AWS appears to have their own security issues.

But as I stated on ECF if their software was injected with malicious code they need to identify how that happened to begin with, then fix that so it doesn't happen again. You cant just write to file on a web server and inject code if security measures are in order.

 

[Zamazam]

Amazon provides the Host Cloud, Magento runs on top of it, or on standard eCommece server setups. Quite a few layers that hackers can get into...

 

[Vlad1]

Amazon provides the Host Cloud, Magento runs on top of it, or on standard eCommece server setups. Quite a few layers that hackers can get into...

Makes sense, I think I'd be looking for a more secure eCommerce transaction servers. Seems I heard about similar problems a year or more ago.

 

[VaporJoe]

Notice they won't pony up for the credit monitoring with a data breach.

Why just dump the card and get a new CC number?

 

[Zamazam]

Why just dump the card and get a new CC number?

True, I think a lot of people did that. I use google wallet and only transfer what I need for purchase into the account. Hard for a scammer to charge a new entertainment system on a card with $0 available credit LOL.

 

[barbaraann72]

Is it normal for a company to contacts it's customers 3 months after a data breach? Or is this a follow up to an alert they previously issued?

Sent from my SM-T217T using Tapatalk

 

[Zamazam]

usually normal, after all the lawyers weigh in so they can't get sued. Not a follow up.

 

[skoony]

Well I think it was awfully decent of them to notify you of the breach.
It was really nice they confirmed in their notice that they are in fact
using Magenta as their CC processing software and directing you
to a site showing how the malware worked. We all know this info
Will be most helpful in preventing further incidents.
Mike

 

[Zamazam]

Decent - yes, but a requirement under law and credit card PCI agreements.

 

[skoony]

Decent - yes, but a requirement under law and credit card PCI agreements.

What's required? The notification or a detailed technical explanation or,both?

 

[Zamazam]

The notification.

 

[skoony]

The notification.

What's with the technical explanation? Does Florida have such a requirement?
I am aware a brief explanation is required along with all the info accessed such
as names,addresses however, a detailed how to guide seems a little much.

 

[Jimi]

We will probably be seeing a lot more of this since they started with the cc chip as it makes it a lot harder for these thieves to steal cards or hit you at retail stores like wal-mart etc.

 

[Zamazam]

Not sure about Florida, but the explanation seems to be an ass-cover by lawyers.

 

[skoony]

Not sure about Florida, but the explanation seems to be an ass-cover by lawyers.

A lawyer would require one to show what specific software you use with
a detailed explanation of how you breach it? Who is the lawyer trying to
protect?

 

[Jimi]

I got this email from Vaporshark a little while ago:

SECURITY UPDATE

At Vapor Shark, we understand that in today’s world your personal and private information is more important than ever. In late June of this year, we began receiving mixed data regarding a possible breach of security on our retail website. Despite us not immediately understanding the full scope, extent, or cause of what was happening, we immediately had our developers research the issue and ramp up security measures to ensure data safety and security during our investigation which has now been concluded.

Upon further examination, we discovered malicious code which appeared to have been siphoning credit card information from our retail, customer-facing website on or after June 23rd, 2015. Our wholesale website was not affected.

A Sucuri.net blog from the same date released a notice regarding a recently discovered Magento vulnerability which quietly attaches to your code and makes it virtually undetectable unless you actively seek it out, which we did.
See more info on that blog here.

The malicious code was immediately contained, isolated, and completely removed by July 14th, 2015. To supplement our internal security measures, we enrolled the services of Sucuri.net, a leader in internet commerce security. Our website, which is hosted by Amazon, is scanned by Sucuri.net on a daily basis for viruses, malware, and spyware. If any malicious content is found with Sucuri.net it is immediately flagged, isolated, and removed by the development team. Additionally, our site is also protected from intrusion by Incapsula, the same company and service that secures companies like eHarmony, WIX, Newsweek, SIEMENS and Motley Fool.

If you have reason to believe that you may have been affected, please contact your card issuing bank and inform them. We are working with VISA, MasterCard, and American Express regarding this issue and they will be able to address your concerns adequately.

We sincerely apologize for any inconvenience this may have caused. Vapor Shark takes the safety of your personal and private information very seriously. Our website has been free of malicious code since we discovered and corrected the issue; it is secure, it is safe and it is being monitored on a 24 hour schedule. You can check the status of our site at anytime going forward by clicking on the Sucuri banner at the top of our home page or by clicking this link.

Thank You,

Vapor Shark

Thanks for posting this Zam they should all be posted so we can keep up

 

[Zamazam]

A lawyer would require one to show what specific software you use with
a detailed explanation of how you breach it? Who is the lawyer trying to
protect?

The deflection is to the eCommerce software, not the company who didn't keep current with security issues surrounding the eCommerce application, see how that works? Point fingers and blame the other guy.

 

[skoony]

The deflection is to the eCommerce software, not the company who didn't keep current with security issues surrounding the eCommerce application, see how that works? Point fingers and blame the other guy.

BS. you do not give a tutorial on how to hack your site via email. that is insane.

 

[Zamazam]

Well, Vaporshark did it. Not my concern anymore....

 

[Mattp169]

when you sign up with a company like magento or big commerce
you do it for a reason
to get easy to use software to make an online store
you assume that they have all the security stuff handled on their end
I mean that is part of what you pay your monthly fees for.

In fact on most ecommerce setups the store owners really have nothing to do with all that stuff, you just log into your account and manage your inventory,prices, and what the pages look like.

So when they say hey its magentos fault, it actually is at least IMHO