Company says it never stored financial data on its systems

Jun 5, 2015 14:35 GMT

Hackers who compromised the servers of AeroGrow International were able to steal payment card information over a period of five months, even though the company did not store the data on any of its systems.

Although not saving customer information on the computer infrastructure makes the process of placing an order longer, it is a highly recommended security stance.

Crooks pilfer all data necessary for fraudulent online purchases

AeroGrow, maker of soil-free indoor gardens, says that it never maintained payment info belonging to its customers, but it learned on May 5 that this data seeped into the hands of unknown attackers during the period between October 15, 2014, and April 27, 2015.

The cybercriminals managed to compromise the servers and planted malware that intercepted the details of an order before it was sent to the payment card processing organization.

Basically, a copy of the card number, expiration date, cardholder name and the security code authorizing online purchases (card code verification - CCV, or card verification value - CVV) was delivered to the crooks.

AeroGrow offers free identity protection service

It is unclear how the intrusion occurred, but the shop relies on Magento eCommerce software to handle online orders. The application has been affected by multiple vulnerabilities since mid-2014, some of which were still present six months after security researchers responsibly disclosed them.

One of them, reported in April 2014 by AppCheck and earlier by others, allowed hijacking user sessions via a DOM-based XSS bug, which could be passed via a specially crafted link or a form post on the website.

Even if a patch for Magento is offered, it usually takes a lot of time before website administrators apply it. One example is Shoplift, a nasty set of vulnerabilities discovered by researchers at Check Point and patched on February 9.

Almost three months later, and with exploits found in the wild, at least 75,000 Magento shops did not have the updated version, exposing themselves to attacks that allowed a threat actor to steal financial info.

AeroGrow recommends that customers report any suspicious card activity to the issuing bank. In addition, impacted individuals will receive identity protection services free of charge, company CEO Michael Wolfe says in a letter disclosing the incident.

The piece of malware has been removed from AeroGrow's computer systems and shopping online is now safe, the company says.